![\"iOS](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/ios-trustjacking-iphone.png\")
<\/p>\n<\/p>\n
Have you ever plugged in your iPhone to a USB port and tapped “Trust” on your screen? You might have unknowingly given an attacker permanent access to your device\u2014even wirelessly, and potentially even remotely.<\/p>\n
On Wednesday morning at RSA Conference 2018, two security researchers gave a presentation that has massive security and privacy implications for users of all devices that run Apple’s iOS operating system: iPhone, iPad, and iPod touch.<\/p>\n
In this article:<\/em><\/p>\n During the presentation, Sharabani used his iPhone X to take a selfie with Iarchy, after which he sent a text message to\u00a0their company’s CEO.<\/p>\n On the MacBook, Iarchy issued a command to Sharabani’s iPhone to back up its data over Wi-Fi, which is made possible by an iOS feature called iTunes Wi-Fi Sync, which works on both macOS<\/a> and Windows<\/a>\u00a0hosts. After the synchronization was complete, Iarchy showed that both the selfie and the text message were easily accessible on his MacBook.<\/p>\n Great to speak with @royiarchy<\/a> at #RSAConference<\/a>. More important, great to see that you finally created a twitter account! pic.twitter.com\/mK5gW5BZbw<\/a><\/p>\n \u2014 Adi Sharabani (@adisharabani) April 18, 2018<\/a><\/p><\/blockquote>\n The researchers also demonstrated how an attacker could live-stream continuous screenshots from the device, effectively simulating a live video feed of what was on the iPhone’s screen. Given that iOS briefly shows the most recently typed character in password fields, it’s possible for an attacker to watch a victim type their banking or other passwords.\u00a0This is effectively a clever, modern way to conduct a “shoulder surfing” attack without having to be in the same room as the victim.<\/p>\n One of the most concerning attacks enabled by trustjacking that Sharabani and Iarchy demonstrated was the ability to replace an iOS app with a malicious version that had an identical icon, which appeared in the same location as the original. In their demonstration, it took less than a second for the iPhone’s legitimate Facebook app to get replaced with a repackaged version.<\/p>\n By repackaging an app, an attacker can insert functionality of their choosing, including functions only available via private APIs that Apple doesn’t allow to be used in App Store apps.<\/p>\n Is this the real Facebook app or a maliciously modified version?<\/p>\n Imagine, if you will, a couple of scenarios in which replacing an app with a compromised version could be a serious security and privacy concern.<\/p>\n It’s also possible for repackaged apps to do things like secretly take pictures of you using your front-facing camera, record audio using your microphone, and more; iOS developer Felix Krause shared examples of similar behavior in October 2017<\/a>.<\/p>\n Unlike MacBooks and iMacs, iOS devices do not include camera-in-use indicator lights, so a victim would have no way of knowing that they\u00a0were being spied upon in this manner.<\/a><\/p>\n After an iOS user has trusted a computer, at any time in the future that computer can be used to carry out attacks when the device is either connected via USB, or when the iOS device and the computer are connected to the same Wi-Fi wireless network.<\/p>\n However, remote attacks are also possible.<\/p>\n This attack scenario requires a combination of trustjacking\u2014the user having once trusted a computer now controlled by the attacker\u2014and what the researchers called a malicious profile attack<\/a> (which implies that the victim has fallen for a social engineering<\/a> attack and installed a mobileconfig profile created by the attacker).<\/p>\n If an attacker has compromised (hacked into) a trusted computer, then the attacker could potentially\u00a0execute\u00a0an attack\u00a0from a remote location, as explained below.<\/a><\/p>\n Thus, it’s important to maintain the security of your own Mac or Windows PC that you’ve allowed\u00a0your iOS device to trust.<\/a><\/p>\n The first time\u00a0a computer\u00a0attempts to access data from your iPhone or other iOS device, you will see a dialog box on your device’s screen, which\u00a0says, “Trust This Computer? Your settings and data will be accessible from this computer when connected.” The dialog box presents\u00a0two options: “Trust” and “Don’t Trust.”<\/p>\n By displaying this prompt, Apple gives iOS users the choice whether the\u00a0connected computer should be\u00a0allowed to access the device’s settings and data.<\/p>\n However, the dialog box\u00a0implies that it’s necessary for there to be a physical connection between the iOS device and the computer via a Lightning to USB cable. Most iOS device users are unaware that “connected” can also mean “on the same Wi-Fi network.”<\/p>\n As of iOS 11, tapping Trust now requires you to enter your device’s unlock passcode. According to Sharabani and Iarchy, Apple implemented this mitigation after the researchers began working with Apple to disclose the vulnerability in July 2017. Even so, many users do not understand the nature or degree of the trusted relationship, and may be trusting computers too freely.<\/a><\/p>\n If you decide later that you need to exchange data between your iOS device and a computer you had previously chosen not to trust, simply reconnect your device via USB and you’ll be presented with the “Trust This Computer?” dialog box again.<\/a><\/p>\n If you ever connect your iPhone to something that doesn’t appear to be a computer, for example a public charging station, you shouldn’t get a “Trust This Computer?” prompt. If you see such a prompt at a public charging kiosk, you may in reality be connected to a hidden computer on the other end\u2014one that’s designed to steal data from connected devices while they’re charging.<\/p>\n The safest solution is to avoid public charging terminals altogether. They can potentially attempt to hack your device, via methods similar to those described in this article. Even a seemingly innocuous-looking cable can potentially try to hijack your device, as discussed in episode 124<\/a> of the Intego Mac Podcast (from 20:47 to 22:02). There are other potential non-security concerns as well, such as the possibility of a malfunctioning cable, charger, or electrical outlet that can cause a short and physically damage your device.<\/p>\n\n
\n
What exactly is the “trustjacking” attack?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/iPhone-X-75x150.png\")
The security researchers, Adi Sharabani and Roy Iarchy, presented a live demonstration of the attack. Sometime before the presentation, Sharabani had previously connected his iPhone X to Iarchy’s MacBook and tapped “Trust” in a dialog box on the iPhone\u2014something many people do when they connect their iPhone to a computer.<\/p>\n\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/shoulder-surfing-1024x783.png\")
\nRemotely observing iOS is a modern version of shoulder surfing.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/Facebook-iOS-app-icon.png\"){kind=icon}
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/03\/Signal-iOS-icon-150x150.png\"){kind=icon}
Many people use secure messaging apps, like Signal<\/a>, for instance, to transmit messages that only the recipient can decrypt. If an attacker were to replace your iPhone’s secure messaging app with a malicious repackaged version, all of your “secure” messages could be siphoned off and made available for the attacker\u2014before they were ever encrypted in the first place.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/Analyze-iOS-user-face-KrauseFx-576x1024.jpg\")
Krause shows how a\u00a0hijacked camera can\u00a0reveal a user’s emotion.<\/p>\nDoes the attacker have to be near the victim?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/trustjacking-attack-wi-fi.png\")
<\/p>\nRemote attack where the user<\/em> is\u00a0not near\u00a0the trusted computer<\/strong><\/h4>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/VPN-iOS-icon-150x80.jpg\"){kind=icon}
Sharabani and Iarchy have confirmed that it’s possible to carry out attacks when the iOS device is elsewhere in the world, so\u00a0long as the iOS device is connected to a VPN of the attacker’s choosing.<\/p>\nRemote attack where the attacker<\/em> is not near the trusted computer<\/strong><\/h4>\n
What if I never tap Trust when using someone else’s computer? Am I safe?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/unsecured-iMac-150x124.png\")
Sharabani and Iarchy also described an attack scenario in which a legitimately trusted computer\u2014perhaps the victim’s home computer\u2014had become compromised by an attacker. If an attacker can surreptitiously control a compromised computer from a remote location, then the attacker could carry out these attacks from anywhere in the world.<\/p>\nWhy does iOS have a “Trust This Computer” dialog box?<\/h3>\n
![\"Trust](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/09\/ios10-iphone7-trust-computer-alert.jpg\" "\\"Trust")
The iOS “Trust This Computer?” dialog box<\/p>\nDo I need to tap “Trust” to charge my device?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/iPhone-charging-300x230.jpg\")
No! <\/strong>If all you want to do is charge your device’s battery, you should always tap the “Don’t Trust” button<\/strong>, not<\/em> the\u00a0“Trust” button. Charging your battery does not<\/em> require a trusted relationship.<\/p>\nAre public charging stations safe?<\/h3>\n