IOS SYNC GLITCH LETS ATTACKERS CONTROL DEVICES
SAN FRANCISCO – Researchers have identified a new iOS vulnerability dubbed “trustjacking,” which exploits the iTunes Wi-Fi Sync feature to give attackers persistent control over victims’ devices.
Symantec researchers presented the vulnerability during a session at RSAC this week and said it gives attackers the ability to record and control all activity on a device without being in the same room. The researchers disclosed the vulnerability to Apple, which has released a mechanism to safeguard devices against it, they said.
All a user needs to do to fall victim to this attack is approve their device’s connection to a malicious computer when syncing with iTunes, they said.
“The user connects to a malicious computer one time – and chooses to trust the computer. That’s the only experience from the end user that you see in this attack. From now on that malicious computer can still communicate with the device via Wi-Fi – and there is no indication of this for the end user,” Adi Sharabani, SVP of modern OS security at Symantec, said at RSAC.
The vulnerability exploits an iOS feature called iTunes Wi-Fi Sync, which allows users to manage their iOS devices without physically connecting them to their computer, said Sharabani. Enabling this feature requires users to first sync their iOS devices with iTunes by connecting to their computer via a cable.
Source | threatpost