Trustjacking: iTunes’ Wi-Fi Sync Feature Vulnerable to Exploitation

Hackers can exploit the vulnerability in iTunes’ Wi-Fi Sync feature and spy on iPhone users.

We have already told our readers about the dangers of plugging your iPhone into an unknown hardware device. Doing so makes your smartphone vulnerable to a variety of malicious activities, including malware. But until now, we had assumed that once the phone is disconnected, the device becomes safe.

However, according to the findings of Symantec researchers Roy Iarchy and Adi Sharabani, an attacker can acquire persistent control over devices that have been plugged in to unknown computers or hardware, even after they have been disconnected. The findings were revealed at RSA 2018 on Wednesday.

Reportedly, attackers can abuse an inherent vulnerability in the iTunes Wi-Fi sync feature, which lets users sync data between an Apple device and iTunes. The attack becomes possible when the targeted device’s user agrees to Trust the connected machine in the Apple security notification that appears whenever the device is connected to a new or unknown machine.

The technique is called Trustjacking, and it lets cybercriminals view the targeted device’s screen in real time simply by installing the developer image that corresponds to the iOS version.

The exploit can succeed even if the user has not enabled the iTunes Wi-Fi sync feature, because the feature gets activated by malware already installed on the booby-trapped computer or hardware device.

According to Adi Sharabani, Symantec’s modern OS security SVP, Trustjacking is a highly impactful technique. Sharabani stated that by using this technique, attackers can remotely view mobile screens, install malicious spy apps disguised as authentic apps, and exfiltrate private data.

Symantec researchers revealed that Trustjacking lets attackers remotely access and view the device screen and take screenshots whenever they want to. They may also steal valuable data from the victim’s device, including photos, SMS, iMessage chat history and app data. All this can be achieved by creating an iTunes data backup.

Iarchy, modern OS research team head at Symantec, explains that when a user chooses to trust a new machine, the data remains exposed to malicious threat actors even after the device is disconnected. It doesn’t matter whether the device was connected for a short or a long period; even a minute is enough to execute Trustjacking, and the attacker can then easily monitor the device after it is disconnected.

Another misconception is that through Trustjacking, attackers can exploit a device only when they are in close proximity to the device and using the same Wi-Fi network. Attackers can create a permanent remote connection with the targeted device by combining the exploit with an infected profile attack. This would require tricking the victim into downloading and activating an insecure iOS configuration profile, which lets the attacker connect to the device permanently using a VPN server.

Another way to acquire a permanent connection to the device is to infect the iOS user’s computer with malware in order to use the victim’s own machine against him/her. An attacker can basically exploit the relationship of trust that exists between a user and his iOS device. This method is more beneficial for attackers because a user’s computer is usually in close proximity to the phone.

Researchers are of the opinion that Apple’s strategy of adding a new mechanism that requires users of iOS devices to enter a password prior to trusting and authorizing a new device is quite inadequate. The problem, says Iarchy, is that the user believes that this authorization is relevant only while the device is connected to the hardware, which isn’t true.

“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work…” wrote Iarchy in his blog post.

Sharabani states that once trust is established, anything is possible because the device is exposed to a completely new attack vector.

Researchers revealed that the issue was identified accidentally. Sharabani notes:

“We discovered this by mistake actually,” Sharabani says. “Roy was doing research and he connected his own iPhone to his own computer to access it. But accidentally he realized that he was not actually connected to his own phone. He was connected to one of his team members’ phones who had connected their mobile device to Roy’s desktop a few weeks before. So Roy started to dig into what exactly he could do and find out if he were an attacker.”

Apple is yet to comment on this issue and come up with a solution. Meanwhile, iOS users need to reset their list of trusted devices and also activate encrypted backups in iTunes, setting a password when doing so.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.