iOS MDM Protocol Vulnerability Exposes iPhone, iPad to Attack: Report
April 5, 2016
Shah Sheikh (1294 articles)
Share

iOS MDM Protocol Vulnerability Exposes iPhone, iPad to Attack: Report

Another vulnerability has been found in iOS, Apple’s mobile operating system. The mobile device management (MDM) interface for iOS, according to security researchers, can be exploited to gain complete access to the device. Apple insists that it’s not a vulnerability, but a social-engineering trick.

Security researchers at Check Point Software Technologies claim that an approach dubbed “SideStepper” can allow an attacker to hijack enterprise management functions by sending a malicious link to the device.

According to the researchers, clicking on that link will give attackers full control of the MDM software, and allow them to push malicious apps to the device as well as make changes to other configuration settings. In other words, MDM software in iOS is susceptible to man-in-the-middle attacks and can be exploited to install malware on non-jailbroken devices. The vulnerability was demonstrated at Black Hat Asia 2016.

The researchers claim that Apple patched a similar vulnerability last year with iOS software update, however, it left one hole. These MDM tools are used by companies to control, and configure their employees’ devices. These devices have access to a private app store.

Speaking to Ars Technica, Apple has refuted the claims, adding that it was a social-engineering attack, and per se, not a weakness in iOS. “This is a clear example of a phishing attack that attempts to trick the user installing a configuration profile and then installing an app,” a spokesperson for the company told the publication.

“This is not an iOS vulnerability. We’ve built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we’ve put in place before they choose to download and install untrusted content.”

Source | NDTV