UPDATED to reflect that Check Point did notify Apple before publicly disclosing the flaw.
Apple iPhones and iPads running mobile-device-management (MDM) software may be vulnerable to attack, Israeli security firm Check Point plans to demonstrate tomorrow (April 1) at the Black Hat Asia security conference in Singapore.
"This exploit could give threat actors control of devices, the data that resides on them, and even enterprise services, potentially impacting millions of iOS users worldwide whose devices are managed by an MDM," Check Point researchers wrote in a white paper detailing the flaw they call "SideStepper."
The SideStepper flaw lets attackers pose as an MDM server, which enterprises use to monitor and manage company data on employee mobile devices. Many smartphones issued by enterprises, as well as employee-owned smartphones authorized to access a workplace Wi-Fi network, have MDM client software installed.
In a statement emailed to Tom's Guide today (March 31), Apple said that SideStepper was nothing to worry about.
"This is not an iOS vulnerability," Apple said. "This is a clear example of a phishing attack that attempts to trick the user installing a configuration profile, and then installing an app."
It's often believed that iPhones can install apps only from the official Apple App Store, but that's not true. Enterprises — companies and other large organizations — can also install their own in-house apps on employee devices, thanks to certificates that Apple doles out to enterprises to make their own apps compatible.
In the past several months, enterprise certificates have been abused by a few malicious Chinese iOS apps that can be installed on any iPhone or iPad. Recent versions of iOS have made promiscuous use of enterprise certificates less feasible.
But the Check Point research shows that enterprise certificates, when combined with MDM software, can be used to bypass those new restrictions and install malicious apps on devices running up to at least iOS 9.2.
For the SideStepper-based attack to work, the attacker would first have to deceive an iPhone user into installing a new iOS configuration profile, which could come as a shortened link in an email, text message or Twitter or Facebook post.
The new profile would change the user's settings so that the on-device MDM software would reach out not to the true enterprise MDM server, but to a malicious one controlled by the attacker.
The attacker's server would then push a malicious app, signed with an enterprise certificate, down to the device. The app would be installed because MDM servers don't have to go through the enterprise-certificate checks that Apple added to recent versions of iOS.
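The pivot in the chain described above is the configuration profile that repoints the device's MDM client at a server the enterprise does not control. One check an IT department can run on a profile before it is pushed, or on one a user was asked to install, is to parse it and confirm that its MDM payload only talks to approved hosts. The script below is an added example, not code from Check Point, Apple or Tom's Guide; it assumes the profile is a plain XML property list using the standard MDM payload keys (`PayloadType` of `com.apple.mdm`, `ServerURL`, `CheckInURL`), and the sample profile, the `mdm-rogue.example` host and the `mdm.corp.example` allowlist entry are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample: a minimal configuration profile whose MDM payload points the
# device at a host that is NOT the enterprise's real MDM server.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm-enroll</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.mdm-enroll.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm-rogue.example/mdm</string>
      <key>CheckInURL</key><string>https://mdm-rogue.example/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumption: the hostnames of the enterprise's genuine MDM servers.
ALLOWED_MDM_HOSTS = {"mdm.corp.example"}


def mdm_payloads(profile_bytes):
    """Return every MDM enrollment payload (PayloadType com.apple.mdm) in the profile."""
    root = plistlib.loads(profile_bytes)
    return [p for p in root.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mdm"]


def audit_profile(profile_bytes, allowed_hosts=ALLOWED_MDM_HOSTS):
    """Return a list of findings; an empty list means the MDM payload looks legitimate.

    Flags any MDM server or check-in URL that is not HTTPS or whose host is not on
    the allowlist, which is exactly the redirection a rogue enrollment profile needs.
    """
    findings = []
    for payload in mdm_payloads(profile_bytes):
        for key in ("ServerURL", "CheckInURL"):
            url = payload.get(key)
            if url is None:
                continue
            parsed = urlparse(url)
            if parsed.scheme != "https":
                findings.append(f"{key} is not HTTPS: {url}")
            if parsed.hostname not in allowed_hosts:
                findings.append(f"{key} host {parsed.hostname!r} is not an approved MDM server")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Real profiles are often distributed signed, in which case the XML is wrapped in a CMS (PKCS#7) envelope that `plistlib` cannot read directly; strip and verify that envelope first (for example with `openssl smime -verify`) and feed the inner plist to `audit_profile`. The signer of a profile is worth checking too: a profile that enrolls a device in MDM but is unsigned, or signed by a certificate that is not the enterprise's, deserves the same scrutiny as a bad host.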
"There is little chance a user would suspect any malicious behavior had taken place," a Check Point blog post said. "On a managed iOS device commands from an MDM are trusted, and because these commands appear to the user as coming from the MDM that already manages the device, the entire process seems authentic."
Apple downplayed the risk of that scenario.
"We've built safeguards into iOS to help warn users of potentially harmful content like this," the company said in its statement. "We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we've put in place before they choose to download and install untrusted content."
Check Point suggested that concerned users of iOS devices with MDM clients installed use "a personal mobile security solution," such as Check Point's own ZoneAlarm Mobile Security, but consumer apps of that sort tend not to be very effective on iOS.
Other than that, the company said, iOS users should be careful when installing apps, and bother their employers' IT departments to make sure the MDM software isn't susceptible to SideStepper.
The Check Point researchers credited with finding SideStepper, Avi Bashan and Ohad Bobrov, made news at Black Hat USA last summer when they disclosed flaws in Android tech-support software, often used by cellular service providers, that also permitted attackers to get into phones.
Check Point did not say whether it had shared its findings with Apple before making the SideStepper disclosure public. UPDATED: Check Point notified us that it had notified Apple of the SideStepper flaw in October 2015.