Have you ever plugged your iPhone into a USB port and tapped “Trust” on your screen? You might have unknowingly given an attacker permanent access to your device, even wirelessly, and potentially even remotely.
On Wednesday morning at RSA Conference 2018, two security researchers gave a presentation that has massive security and privacy implications for users of all devices that run Apple’s iOS operating system: iPhone, iPad, and iPod touch.
During the presentation, Sharabani used his iPhone X to take a selfie with Iarchy, after which he sent a text message to their company’s CEO.
On the MacBook, Iarchy issued a command to Sharabani’s iPhone to back up its data over Wi-Fi. This is made possible by an iOS feature called iTunes Wi-Fi Sync, which works on both macOS and Windows hosts. After the synchronization was complete, Iarchy showed that both the selfie and the text message were easily accessible on his MacBook.
Great to speak with @royiarchy at #RSAConference. More important, great to see that you finally created a twitter account! pic.twitter.com/mK5gW5BZbw
— Adi Sharabani (@adisharabani) April 18, 2018
The researchers also demonstrated how an attacker could live-stream continuous screenshots from the device, effectively simulating a live video feed of what was on the iPhone’s screen. Given that iOS briefly shows the most recently typed character in password fields, it’s possible for an attacker to watch a victim type their banking or other passwords. This is effectively a clever, modern way to conduct a “shoulder surfing” attack without having to be in the same room as the victim.
One of the most concerning attacks enabled by trustjacking that Sharabani and Iarchy demonstrated was the ability to replace an iOS app with a malicious version that had an identical icon, which appeared in the same location as the original. In their demonstration, it took less than a second for the iPhone’s legitimate Facebook app to get replaced with a repackaged version.
By repackaging an app, an attacker can insert functionality of their choosing, including functions only available via private APIs that Apple doesn’t allow to be used in App Store apps.
Imagine, if you will, a couple of scenarios in which replacing an app with a compromised version could be a serious security and privacy concern.
It’s also possible for repackaged apps to do things like secretly take pictures of you using your front-facing camera, record audio using your microphone, and more; iOS developer Felix Krause shared examples of similar behavior in October 2017.
Unlike MacBooks and iMacs, iOS devices do not include camera-in-use indicator lights, so a victim would have no way of knowing that they were being spied upon in this manner.
After an iOS user has trusted a computer, that computer can be used at any time in the future to carry out attacks, either when the device is connected via USB or when the iOS device and the computer are connected to the same Wi-Fi network.
However, remote attacks are also possible.
This attack scenario requires a combination of trustjacking—the user having once trusted a computer now controlled by the attacker—and what the researchers called a malicious profile attack (which implies that the victim has fallen for a social engineering attack and installed a mobileconfig profile created by the attacker).
If an attacker has compromised (hacked into) a trusted computer, then the attacker could potentially execute an attack from a remote location, as explained below.
Thus, it’s important to maintain the security of your own Mac or Windows PC that you’ve allowed your iOS device to trust.
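One check you can run on the computer side, as an added example that is not from the original article or the researchers: a computer that a device has trusted keeps a pairing record for it, so listing those records shows which devices would be exposed if this computer were compromised. The directory path, the record field names (`HostID`, `HostPrivateKey`, `EscrowBag`), the 180-day review threshold and the function names are assumptions of this example.

```python
import plistlib
import tempfile
import time
from pathlib import Path

# Assumed default macOS location of pairing records; reading it needs admin rights.
LOCKDOWN_DIR = Path("/var/db/lockdown")
STALE_AFTER_DAYS = 180  # assumption of this example: review older trust relationships


def audit_pairing_records(directory, now=None):
    """Summarise each device pairing record stored in `directory`."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            record = plistlib.loads(path.read_bytes())
        except Exception:  # corrupt or unreadable file: report it, keep going
            findings.append({"device": path.stem, "error": "unreadable"})
            continue
        if "HostID" not in record:  # host-wide settings file, not a device pairing
            continue
        age_days = int((now - path.stat().st_mtime) // 86400)
        findings.append({
            "device": path.stem,  # the file is named after the device identifier
            # Report only whether key material is present, never its contents.
            "holds_private_key": "HostPrivateKey" in record,
            "holds_escrow_bag": "EscrowBag" in record,
            "age_days": age_days,  # approximated from the file's modification time
            "stale": age_days > STALE_AFTER_DAYS,
        })
    return findings


def build_constructed_sample(directory):
    """Write constructed (fake) records so the audit runs offline."""
    d = Path(directory)
    full = {"HostID": "CONSTRUCTED", "HostPrivateKey": b"fake", "EscrowBag": b"fake"}
    (d / "constructed-device-a.plist").write_bytes(plistlib.dumps(full))
    (d / "constructed-device-b.plist").write_bytes(plistlib.dumps({"HostID": "CONSTRUCTED"}))
    (d / "SystemConfiguration.plist").write_bytes(plistlib.dumps({"SystemBUID": "CONSTRUCTED"}))
    (d / "broken.plist").write_bytes(b"not a plist")
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_pairing_records(build_constructed_sample(tmp)):
            print(finding)
```

On a real Mac, call `audit_pairing_records(LOCKDOWN_DIR)` with administrator rights. A record for a device you no longer sync with this computer is a candidate for removal.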
The first time a computer attempts to access data from your iPhone or other iOS device, you will see a dialog box on your device’s screen, which says, “Trust This Computer? Your settings and data will be accessible from this computer when connected.” The dialog box presents two options: “Trust” and “Don’t Trust.”
By displaying this prompt, Apple gives iOS users the choice whether the connected computer should be allowed to access the device’s settings and data.
However, the dialog box implies that a physical connection between the iOS device and the computer, via a Lightning to USB cable, is necessary. Most iOS device users are unaware that “connected” can also mean “on the same Wi-Fi network.”
As of iOS 11, tapping Trust now requires you to enter your device’s unlock passcode. According to Sharabani and Iarchy, Apple implemented this mitigation after the researchers began working with Apple to disclose the vulnerability in July 2017. Even so, many users do not understand the nature or degree of the trusted relationship, and may be trusting computers too freely.
If you decide later that you need to exchange data between your iOS device and a computer you had previously chosen not to trust, simply reconnect your device via USB and you’ll be presented with the “Trust This Computer?” dialog box again.
If you ever connect your iPhone to something that doesn’t appear to be a computer, for example a public charging station, you shouldn’t get a “Trust This Computer?” prompt. If you see such a prompt at a public charging kiosk, you may in reality be connected to a hidden computer on the other end—one that’s designed to steal data from connected devices while they’re charging.
The safest solution is to avoid public charging terminals altogether. They can potentially attempt to hack your device, via methods similar to those described in this article. Even a seemingly innocuous-looking cable can potentially try to hijack your device, as discussed in episode 124 of the Intego Mac Podcast (from 20:47 to 22:02). There are other potential non-security concerns as well, such as the possibility of a malfunctioning cable, charger, or electrical outlet that can cause a short and physically damage your device.
Unfortunately, Apple does not offer users a way to see a list of all computers to which they’ve previously connected their iOS device, which means you cannot selectively revoke trust from individual computers.
What you can do instead is to mass-revoke trust from all previously connected computers by going into the Settings app, tapping General, Reset, and then Reset Location & Privacy.
“Reset Location & Privacy” untrusts all previously trusted computers.
Note that this has some temporarily inconvenient side effects; for example, you’ll need to individually reauthorize each and every app to know your location or to use your camera. However, the minor inconvenience is well worth it to protect your security and privacy.
For more information about trustjacking, including some video demonstrations, you can read Iarchy’s blog post. We also discussed trustjacking on episode 28 of the Intego Mac Podcast.