New attack leverages iOS devices in MDM setups

Mar 31, 2016 14:47 GMT

Mobile security experts at Check Point, an international cyber-security vendor based in Tel Aviv, Israel, have discovered a new method of bypassing iOS security protections in order to install malware on the device.

This new attack, nicknamed SideStepper, targets iOS devices used in enterprise environments, usually enrolled in MDM (Mobile Device Management) setups.

MDM solutions are typically used by large companies that issue iOS devices to their employees and also need custom apps that talk to their internal data servers. Such apps can't be hosted on Apple's App Store, so Apple issues special enterprise certificates, which the company then uses to sign these apps.

Attack bypasses recent iOS 9 security measures

The employee then uses a process called app side-loading, which Apple allows, to install iOS apps from non-App Store sources. In the past, malware authors have stolen enterprise certificates and have often used them to sign malicious apps which users would then side-load, fooled by advertising or the promise of features not found on the official App Store.

With the release of iOS 9, Apple has made the process of side-loading apps much harder, requiring much more user interaction.

Check Point experts say they've discovered that iOS users enrolled in an MDM setup can be targeted by attackers to install additional apps alongside their current enterprise-approved applications.

SideStepper attacks are carried out via email, SMS, or IM

Researchers say that in their tests they were able to send a malicious configuration profile (via SMS, IM, or email) to an iOS device already running MDM-approved apps signed with an Apple-issued enterprise certificate.

This malicious configuration profile piggybacks on the legitimate enterprise certificate to install malicious apps via a trivial MitM (Man-in-the-Middle) attack.

This method allows an attacker to deliver a malicious app to the device without being hindered by Apple's security measures. The impact of this vulnerability depends on the type of malicious app the attacker chooses to push to the device.
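As an added defender-side example (not from the article or Check Point's report), the following Python script inspects an iOS configuration profile (.mobileconfig) and flags the features a SideStepper-style profile would rely on: an MDM enrollment payload pointing at a server outside the organisation's allowlist, MDM access rights that permit app management, and any extra trust anchor that would ease a MitM. TRUSTED_MDM_HOSTS, the sample profile and its hostnames are constructed placeholders, and the signed/unsigned detection is a byte-prefix heuristic, not a CMS signature verification.

```python
import plistlib
from urllib.parse import urlparse

# Hostnames of the organisation's own MDM servers (constructed placeholder).
TRUSTED_MDM_HOSTS = {"mdm.example-corp.internal"}
APP_MANAGEMENT = 4096  # AccessRights bit that lets the MDM server install/remove apps

def is_signed_profile(data: bytes) -> bool:
    """Heuristic: unsigned profiles are XML or binary plists; a signed
    .mobileconfig is a DER-encoded CMS blob that wraps the plist."""
    return not (data.startswith(b"<?xml") or data.startswith(b"bplist00"))

def inspect_profile(data: bytes) -> list:
    """Return a list of findings for a configuration profile."""
    if is_signed_profile(data):
        return ["signed-profile: unwrap CMS and verify the signer before trusting"]
    findings = ["unsigned-profile"]
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            host = urlparse(payload.get("ServerURL", "")).hostname or ""
            if host not in TRUSTED_MDM_HOSTS:
                findings.append("mdm-server-not-trusted:" + host)
            if payload.get("AccessRights", 0) & APP_MANAGEMENT:
                findings.append("mdm-may-install-apps")
        elif ptype in ("com.apple.security.root", "com.apple.security.pem"):
            # An extra trust anchor lets a network attacker intercept TLS (MitM).
            findings.append("installs-trust-anchor")
    return findings

def build_sample(server_url: str, with_root_cert: bool) -> bytes:
    """Constructed sample profile for testing; not a real SideStepper profile."""
    content = [{"PayloadType": "com.apple.mdm", "PayloadIdentifier": "x.mdm",
                "PayloadUUID": "0000-1", "PayloadVersion": 1,
                "ServerURL": server_url, "Topic": "com.apple.mgmt.example",
                "AccessRights": 8191}]
    if with_root_cert:
        content.append({"PayloadType": "com.apple.security.root",
                        "PayloadIdentifier": "x.root", "PayloadUUID": "0000-2",
                        "PayloadVersion": 1, "PayloadContent": b"CERT"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "x", "PayloadUUID": "0000-0",
                           "PayloadContent": content})

if __name__ == "__main__":
    print(inspect_profile(build_sample("https://mdm.unknown.example/mdm", True)))
```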

More details about the SideStepper attack will be provided tomorrow in a presentation at Black Hat Asia 2016 in Singapore. Check Point's demonstration will run on a device running iOS 9.2. In the meantime, you can download and read Check Point's SideStepper report.