Trustjacking attack describes new iPhone hacking method

Apr 19, 2018 09:56 GMT

Gone are the days when iPhones were considered the most secure smartphones on the market, as more and more reports point to vulnerabilities or bugs that make it possible for somebody other than the device owner to access personal data on the handset.

This time, security company Symantec discovered a bug that allows a malicious actor to access data stored on an iPhone, deploy malware, or even see what’s happening on the screen in real time by simply connecting it to a trusted laptop.

The method is called trustjacking and it comes down to how the iPhone handles permissions after being connected to a laptop or PC.

When plugging the iPhone into the USB port of a computer, owners are prompted to choose whether they want to trust the computer or not, and if they do, to grant it permission to read data stored on the device. But granting access to the iPhone and then disconnecting the handset doesn’t guarantee that you’re secure, as enabling iTunes Wi-Fi sync makes it possible for a cybercriminal to access your phone remotely.

Apple offers incomplete fix

Symantec researcher Adi Sharabani says he discovered this bug by mistake, and anyone exploiting it could access photos, messages, and emails or even create a full backup of the iPhone without touching it.

“Roy was doing research and he connected his own iPhone to his own computer to access it. But accidentally he realized that he was not actually connected to his own phone. He was connected to one of his team members’ phones who had connected their mobile device to Roy’s desktop a few weeks before. So Roy started to dig into what exactly he could do and find out if he were an attacker,” the Symantec engineer explains.

Symantec has already alerted Apple to the bug, but the company only added an extra step to require the passcode when trusting the computer, without actually addressing the problem.

“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above,” concluded Symantec’s Roy Iarchy.