iOS profiles are used by cellular carriers, Mobile Device Management solutions and even mobile applications to configure system-level settings of iOS devices. These include Wi-Fi, VPN, email and APN settings, among others. While profiles are usually used for the right reasons, some capabilities might be used by malicious actors to circumvent Apple’s security model and compromise a victim’s device using malicious profiles.
Wandera recently discovered a vulnerability in iOS. It allows attackers to bypass intended access restrictions by leveraging incorrect configuration-profile persistence.
What are the implications of this? Well, it effectively means that a malicious profile cannot be fully removed from a victim’s device; an impacted device would allow the configuration profile settings to persist, even across reboots!
How can malicious profiles be installed on devices?
Malicious profiles can be installed in a number of ways. One example is by crafting an iOS configuration file containing a certificate authority (CA) and a VPN tunnel configuration.
The distribution of iOS profiles is not tightly controlled so it’s simple for attackers to create a link to the malicious profile and encourage their victims – via a phishing attack or other form of social engineering – to click it in order to start the installation. Often these attacks will lure the victim by promising them access to something valuable if they just accept the installation.
Another example involving the distribution of a malicious profile occurs via a man-in-the-middle (MitM) attack. These attacks take place over a Wi-Fi connection where the attacker inserts themselves between the victim’s device and the internet, funnelling all the traffic through their malicious hotspot. Once this access is gained, an attacker would be able to track activity and capture both content and credentials that may be used for later attacks on the organization. By far the most serious form of man-in-the-middle attack is the one involving tampering with certificates and profiles to make the device implicitly trust the attacker. Other malicious profile attacks use a proxy server or change an APN setting.
What are the implications of having malicious profiles on the device?
A configuration profile can contain Wi-Fi, VPN, email, calendar and even passcode restriction settings. Malicious profiles allow an attacker to compromise a device’s security measures and violate user and company privacy, essentially exposing all transported data and giving the attacker vast control over the device. The profile could configure the device to use a malicious VPN, effectively allowing the attacker to access all traffic to and from the device and redirect it to malicious pages.
Another example is when a malicious third-party root certificate authority (CA) is installed and trusted on the device, which could allow the attacker to inspect traffic or pose as a secure website. They can also craft a certificate for any resource, and the end user will not be shown any error.
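The profile contents described above (a root CA plus a VPN payload, bundled so the profile is hard to remove) can be triaged before a profile reaches a device. The following is an added example, not code from the original post or from Jamf/Wandera: it parses an unsigned XML .mobileconfig with Python's standard plistlib and flags the payload types this post discusses. The sample profile, its identifier and its certificate data are constructed placeholders.

```python
import plistlib

# PayloadType values (Apple's documented identifiers) that warrant scrutiny when
# they show up in a profile a user was lured into installing.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "trusted root CA: enables TLS interception and site spoofing",
    "com.apple.vpn.managed": "VPN: routes all device traffic through the author's server",
    "com.apple.proxy.http.global": "global HTTP proxy: same effect for web traffic",
    "com.apple.cellular": "APN change: redirects cellular data",
    "com.apple.wifi.managed": "Wi-Fi network the device will auto-join",
}

def triage_profile(data: bytes) -> dict:
    """Summarise what an unsigned XML .mobileconfig would change on the device.
    Signed profiles are CMS-wrapped DER; strip the signature first (openssl smime
    -verify -inform der) before passing the bytes here."""
    profile = plistlib.loads(data)
    findings = [
        (p["PayloadType"], RISKY_PAYLOAD_TYPES[p["PayloadType"]])
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") in RISKY_PAYLOAD_TYPES
    ]
    return {
        "identifier": profile.get("PayloadIdentifier", "<none>"),
        # True means the user cannot remove the profile from Settings at all.
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }

# Constructed sample: a "free Wi-Fi" lure profile bundling a root CA and a VPN
# and locking itself against removal (certificate data is a placeholder).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.free-wifi</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.security.root</string>
          <key>PayloadContent</key><data>AAAA</data></dict>
    <dict><key>PayloadType</key><string>com.apple.vpn.managed</string>
          <key>VPNType</key><string>IKEv2</string></dict>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    report = triage_profile(SAMPLE_PROFILE)
    print(report["identifier"], "removal locked:", report["removal_disallowed"])
    for ptype, why in report["findings"]:
        print(f"  {ptype}: {why}")
```

A profile that both installs a root CA and pushes a VPN, and additionally sets PayloadRemovalDisallowed, is exactly the combination an MDM administrator should block from user-initiated installation.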
How to protect your devices from malicious profiles
While these attacks have become more difficult to execute successfully, they still happen. Users tend to hurry through any settings dialogs in their way when trying to get access to free internet and services, and therefore end up missing the warning signs. We recommend the following steps to protect your corporate mobile fleet:
- Deploy a Mobile Threat Defence solution to alert on and protect devices from risks including malicious profiles.
- Choose a solution that allows you to see any out-of-date operating systems and control the speed at which they upgrade to the latest OS version available. As we have seen with iOS 11.3, these updates deliver important security patches.
- As this specific attack relies on social engineering against users, administrators should educate users in the organization to be cautious when approving iOS profile installations.
Responsible disclosure is important to us at Jamf. Researchers who aren’t very responsible announce vulnerabilities to the press without giving the developers of the affected OS or app any lead time to fix them. This means bad actors have a window to start exploiting these vulnerabilities. It takes developers a lot more time to fix a vulnerability than it takes a hacker to exploit it.
When it comes to detecting vulnerabilities, various factors motivate organizations and individuals to find them and fix them. Often, they do this for money or to participate in bug bounties. Some companies offer a bug bounty to encourage researchers to find bugs and reward them with a generous payment. Apple has so many researchers and developers working on their platform that they are able to uncover and fix bugs without the need to incentivize third parties. So good internet citizens share iOS vulnerabilities for the greater good.
Whether there is a bounty on offer or not, industry collaboration is important in finding and patching vulnerabilities quickly, especially on such a widely deployed platform as iOS.