Israeli mobile security start-up Skycure has exposed
a vulnerability that could allow hackers to control and spy on
iPhones. A major security vulnerability for iOS configuration
profiles pose malware threat.
The vulnerability affects a file known as mobileconf
files, which are used by cell phone carriers to configure system-level
settings. These can include Wi-Fi, VPN, email, and APN settings. Apple
used to use them to deliver patches, and carriers sometimes use them to
distribute updates.
The below demo shows that how sensitive information, including the victim’s exact
location, could be retrieved, while also controlling the user’s iPhone
location, could be retrieved, while also controlling the user’s iPhone
In Demo, a hacker can setup a fake website with a prompt to install a
configuration profile and sent the link out to Victim. After installing
it, he found out they were able to pull passwords and other data without
his knowledge.
These malicious profiles can be emailed or downloaded from Web pages and
after being installed, and attacker able to change a large number of
iPhone settings.
If used maliciously, these profiles can be very dangerous. Even though
their use is approved by Apple, they aren't subject to the standard
sandboxing rules that apply to third party App Store apps and websites.
Other than an attack on privacy, this could lead to more dangerous consequences as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.
Other than an attack on privacy, this could lead to more dangerous consequences as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.
No comments:
Post a Comment