Update (20/03/14): We’ve published a follow-up post with supporting materials. It is available here.
Last year we discovered and explored the problem of malicious profiles. Since then we’ve received a lot of feedback from worried readers, and have seen this issue move from theory into reality.
While malicious profiles can be formed in a variety of ways, they are still configuration profiles. As such, the best practice for iOS owners who are not Skycure users (who benefit from our ability to identify such attacks automatically, as they occur) is the following:
Go to the iOS profiles list (Settings > General > Profiles) and check for configuration profiles that look fishy. This is obviously something of a cat-and-mouse game, since sophisticated attackers deliberately name their malicious profiles to look benign, but reviewing the profiles list is still a fairly good manual technique for discovering malicious profiles installed on your device.
What if it were possible to create configuration profiles that would not show in the profiles list?
Assaf Hefetz, one of our top researchers, has recently found a way of crafting a special kind of configuration profile, which we refer to internally as “the invisible profile”. Once installed by a victim, the settings dictated by the configuration profile are applied to iOS but, due to a bug, the victim has no visual indication of the existence of the installed profile! The iOS profiles list shows the regular profiles, but not the “invisible” one! In fact, we found that even if the ProfileList MDM command is used to remotely query the installed profiles on a device, the “invisible profile” remains invisible.
Another ramification of the malicious “invisible profile” is that, once it is installed, the victim cannot easily remove it without resorting to drastic measures such as device reset or restore.
We reported this issue to Apple at the end of September 2013. Apple has worked on a fix, which will probably be included in iOS 7.1.
In line with our responsible disclosure policy, we will refrain from disclosing the technical details of the vulnerability during our RSA presentation today, as well as in this blog post.
We wish to acknowledge the responsiveness of Apple’s security team to our report, and their dedication to the security of Apple’s customers.
This research, along with other iOS attack techniques, will be presented at RSA USA ’14 (Thursday, February 27, 2014 | 9:20 AM – 10:20 AM | West | Room: 3018) by Yair Amit and Adi Sharabani.