Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management products.
In a presentation at the Black Hat Asia security conference on Friday, researchers from Check Point Software Technologies will demonstrate that the communication between MDM products and iOS devices is susceptible to man-in-the-middle attacks and can be hijacked to install malware on non-jailbroken devices with little user interaction.
Apple’s tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware.
The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.
In older versions of iOS, deploying an app signed with an enterprise certificate required the user to open a link where the app was hosted, agree to trust the developer and then agree to install the app. The process required user interaction, but it was easy enough to be abused in social engineering attacks that tricked users into performing the required steps.
According to Michael Shaulov, the head of mobility product management at Check Point, Apple decided to address this risk in iOS 9 by adding additional steps to the enterprise app deployment process. But, it left open a loophole: the way in which MDM products install apps on iOS devices remained unaffected.
Companies use MDM products to control, configure, secure and, if necessary, wipe their employees’ mobile devices. These products also include private app stores that allow companies to easily deploy apps to their employees’ devices.
The Check Point researchers found that the MDM protocol implemented in iOS is susceptible to man-in-the-middle attacks and can be used to install malware on non-jailbroken devices.
The attack would only work against devices that are registered to an MDM server, but many mobile devices used in enterprise environments are.
Then the attacker would need to trick the users of those devices to install a malicious configuration profile. This wouldn’t be hard to do either, because most enterprise users are used to installing such profiles. They are typically used to deploy VPN, Wi-Fi, email, calendar and other settings.
The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device’s Internet connection. This would route the device’s traffic through a server under the attacker’s control and would enable the man-in-the-middle attack.
The hacker can then impersonate the MDM server and push a malicious app signed with a stolen enterprise certificate to the device. In a targeted attack, the app could be crafted to masquerade as an app that the user expects to receive.
The device would display a confirmation prompt asking the user if he agrees to install the app or not, but even if he declines, the attacker can keep sending the request again and again. This would essentially prevent the user from doing anything on the device until he agrees to install the app, Shaulov said.
Because this method bypasses iOS 9’s new restrictions for enterprise app deployments, the Check Point researchers have named the vulnerability Sidestepper.
The misuse of enterprise certificates is not uncommon. According to Shaulov, a scan performed on around 5,000 iOS devices belonging to one of Check Point’s customers — a Fortune 100 global company — found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps, but at least two apps were part of known malware families.