The Hacker News Logo
Subscribe to Newsletter

Critical iOS vulnerability in Configuration Profiles pose malware threat

Israeli mobile security start-up Skycure has exposed a vulnerability that could allow hackers to control and spy on iPhones. A major security vulnerability for iOS configuration profiles  pose malware threat.

The vulnerability affects a file known as mobileconf files, which are used by cell phone carriers to configure system-level settings. These can include Wi-Fi, VPN, email, and APN settings. Apple used to use them to deliver patches, and carriers sometimes use them to distribute updates.
Adi Sharabani, CEO and co-founder of Skycure, made a demonstration that how sensitive information, including the victim’s exact location, could be retrieved, while also controlling the user’s iPhone.


In Demo, he setup a fake website with a prompt to install a configuration profile and sent the link out to Victim. After installing it, he found out they were able to pull passwords and other data without his knowledge.
These malicious profiles can be emailed or downloaded from Web pages and after being installed, and attacker able to change a large number of iPhone settings.

If used maliciously, these profiles can be very dangerous. Even though their use is approved by Apple, they aren't subject to the standard sandboxing rules that apply to third party App Store apps and websites.

Other than an attack on privacy, this could lead to more dangerous consequences as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.