Four years ago, on March 12, 2013, Skycure unveiled a new way to attack iOS devices called ‘Malicious Profiles’. These profiles, generally installed through social engineering exploits, allow an attacker to compromise a device’s security measures and violate user and company privacy, essentially exposing all transported data and giving the attacker vast control over the device.
With iOS 10.3, Apple has finally added a layer of protection from this type of attack, now requiring two steps to approve installation of a root CA certificate. This does not eliminate the possibility of a clever social engineering attack succeeding, but it does make it more difficult to fool a user who is paying attention to what they are being asked to do.
One example of a malicious profile attack is accomplished by crafting an iOS configuration file containing a CA certificate and a VPN tunnel configuration. Since iOS profiles are not apps, their distribution is not tightly controlled in the way apps are through the official App Store. Therefore, attackers can simply create a link to the malicious profile and encourage their victims to click it in order to start the infiltration. A successful exploit will often promise the victim access to something valuable if they just accept the installation.
Apple is working to address this type of attack because it is relatively simple and offers potentially devastating access to the device and the content it can reach, but it is important to understand that many other types of attack can yield similar results. Besides using a malicious profile’s VPN tunnel to capture data from the victim’s device, an attacker can gain similar access by using a proxy server, changing an APN setting, or staging a man-in-the-middle (MitM) scenario. Once this access is gained, an attacker would be able to track activity and capture both content and credentials that may be used for later attacks on the organization.
As we’ve shown in the past, this malicious profile attack relies on the fact that many users do not understand the risk of approving such configurations. Some will install the profile in order to gain access to something promised by the attacker, like access to free movies or store discounts. Ironically, another strategy is to convince the user that installing the profile will make them safer, as when they wish to connect to a “secure” network or execute a “secure” transaction with a vendor or bank. A common example is an attacker that sets up a captive network, tempting users into approving the required configuration profile installation.
The main reasons mitigating such an attack can be a significant challenge are as follows:
- Approving a custom CA certificate is a legitimate requirement posed by many organizations for deep packet inspection.
- iOS uses mobileconfig files as the way to distribute configuration changes. These files allow modifying various settings of the system, such as VPN settings, WiFi settings or security settings.
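As an added example (not Skycure's or Apple's code), the script below triages a .mobileconfig file from the defender's side and flags the payload types this post discusses: root CA, VPN, global proxy and APN. The sample profile is constructed, the function names are this example's own, and carving the plist out of a signed profile is a heuristic that does not verify the signature.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple payload types that can redirect or expose traffic (risk wording is this example's).
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.vpn.managed": "routes traffic through a VPN tunnel",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.apn.managed": "changes the cellular APN",
}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; signed profiles wrap the plist in a CMS envelope."""
    try:
        return plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError):
        # Heuristic for signed profiles: carve out the embedded XML plist.
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no property list found")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def triage(raw: bytes) -> list:
    """Return one finding per risky payload, plus a note on CA + redirect combos."""
    findings, seen = [], set()
    for payload in load_profile(raw).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            seen.add(ptype)
            name = payload.get("PayloadDisplayName", "<unnamed>")
            findings.append(f"{ptype}: {RISKY_PAYLOADS[ptype]} ({name})")
    if "com.apple.security.root" in seen and len(seen) > 1:
        findings.append("COMBINATION: root CA plus traffic redirection")
    return findings

# Constructed sample; placeholder bytes stand in for the certificate.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Free Wi-Fi Access",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Network CA",
         "PayloadContent": b"placeholder-not-a-certificate"},
        {"PayloadType": "com.apple.vpn.managed", "PayloadDisplayName": "Secure Tunnel"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Guest Wi-Fi"},
    ],
})

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A profile that bundles a root CA with any traffic-redirecting payload is the pattern worth escalating, since either payload alone is common in legitimate enterprise deployments.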
iOS 10.3 takes a significant step toward making these sorts of attacks impractical. In addition to approving the CA certificate through the profile installation (as previously required), a user must also manually approve the installed CA certificate in a new “Certificate Trust Settings” dialog, first introduced in iOS 10.
In this screenshot, we see a CA the user was tricked into installing manually through his browser. This new Certificate Trust Settings dialog provides a second opportunity for the user to validate that the certificate is desired and performing a legitimate function.
An MDM can still configure CA certificates without the user having to approve them in this dialog.
Although we believe that this additional step will cause more users to avoid becoming victims, it is not a complete solution and more could be done. Certificate pinning is a method that would additionally reduce the risk of malicious profile attacks, but is hardly enforced today in iOS. This means that a successful installation of a malicious CA certificate on a user’s device allows all TLS-protected traffic to be viewed by an attacker:
- Exchange ActiveSync communication for email sync.
- Safari, Chrome and other browsers’ history.
- Any iOS app using the default transport security settings: these apps will accept any certificate allowed by the installed CA certificates, including user-approved ones.
So a big step has finally been taken to reduce this risk, and we applaud Apple for making these kinds of attacks, which have been exposing users for the last 4 years, much harder.
What can I do?
While these attacks have become much harder, they are still possible. Users who are promised free internet or movies are prone to installing the profile and approving any settings dialogs that stand in the way.
- Users should use a Mobile Threat Defence solution to alert them to, and protect them from, risks such as malicious profiles.
- As always, we encourage users to upgrade to the latest OS version available to them.
- As this specific attack relies on social engineering against users, administrators should educate users in the organization to be extremely cautious when approving iOS configurations.
Skycure will continue to protect the users that fall victim to malicious profiles in spite of this improvement, and we will continue to research and publish any new security vulnerabilities and incidents to protect our users.
- Original Malicious Profiles blog post in the Skycure blog: https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/ and https://www.skycure.com/blog/malicious-profiles-from-theory-into-reality/.
- Invisible Profiles, an iOS 7 attack to hide the installed profiles: https://www.skycure.com/blog/invisible-profile-patched-ios-7-1/
- See details of the iOS 10.3 security update here.