Israeli mobile security start-up Skycure has exposed a vulnerability that could allow hackers to control and spy on iPhones. A major security vulnerability for iOS configuration profiles pose malware threat.
The vulnerability affects a file known as mobileconf
files, which are used by cell phone carriers to configure system-level
settings. These can include Wi-Fi, VPN, email, and APN settings. Apple
used to use them to deliver patches, and carriers sometimes use them to
distribute updates.
Adi Sharabani, CEO and co-founder of Skycure, made a demonstration
that how sensitive information, including the victim’s exact location,
could be retrieved, while also controlling the user’s iPhone.
In Demo, he setup a fake website with a prompt to install a
configuration profile and sent the link out to Victim. After installing
it, he found out they were able to pull passwords and other data without
his knowledge.
These malicious profiles can be emailed or downloaded from Web pages and
after being installed, and attacker able to change a large number of
iPhone settings.
If used maliciously, these profiles can be very dangerous. Even though
their use is approved by Apple, they aren't subject to the standard
sandboxing rules that apply to third party App Store apps and websites.
Other than an attack on privacy, this could lead to more dangerous consequences as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.
Other than an attack on privacy, this could lead to more dangerous consequences as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.
No comments:
Post a Comment