Researchers at Symantec have issued a security warning for iPhone and iPad users about a new attack, which they named “TrustJacking,” that could allow someone you trust to remotely take persistent control of, and extract data from your Apple device.
Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable.
“Reading the text, the user is led to believe that this is only relevant while the device is physically connected to the computer, so assumes that disconnecting it will prevent any access to his private data,” Symantec said.
Since there is no noticeable indication on the victim’s device, Symantec believes the feature could exploit the “relation of trust the victim has between his iOS device and a computer.”
Researchers suggest following scenarios where TrustJacking attack can be successfully performed, especially when you trust a wrong computer:
- Connecting your phone to a free charger at an airport, and mistakenly approving the pop-up permission message to trust the connected station.
- A remote attacker, not in the same Wi-Fi network can also access iPhone data if the device owner’s own “trusted” PC or Mac has been compromised by malware.
Moreover, iTunes Wi-Fi sync feature could also be used to remotely install malware apps on your iPhone, as well as to download a backup and steal all your photos, SMS / iMessage chats history, and application data.
“An attacker can also use this access to the device to install malicious apps, and even replace existing apps with a modified wrapped version that looks exactly like the original app, but is able to spy on the user while using the app and even leverage private APIs to spy on other activities all the time,” Symantec said.
The TrustJacking attack could also allow trusted computers to watch your device’s screen in real-time by repeatedly taking remote screenshots, observing and recording your every action.
Apple has now introduced another security layer in iOS 11, asking users to enter their iPhone’s passcode while pairing their iPhone with a computer, after getting notified by the Symantec researchers.
However, Symantec says the loophole remains open, as the patch does not address the primary concern, i.e., the absence of noticeable indication or mandatory re-authentication between the user’s device and the trusted computer after a given interval of time.
“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner,” Symantec’s Roy Iarchy said. “Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above.”
The best and simple way to protect yourself is to ensure that no unwanted computers are being trusted by your iOS device. For this, you can remove the trusted computers list by going to Settings → General → Reset → Reset Location & Privacy.
Also, most important, always deny the access when asked to trust the computer while charging your iOS device. Your device would still charge using the computer, without exposing your data.