A new attack, dubbed WireLurker, is said to herald a “New Era In OS X and iOS malware.” (A quick side note: Calling this a “New Era” seems hyperbolic. After all, using one system to attack another is a tried and true attack technique. It just so happens that it’s easier to attack OS X directly than it is iOS, so this type of approach was predictable.)
Back in August, Computerworld highlighted this very point and the vulnerability of iOS via connecting to an endpoint, including syncing over Wi-Fi. Both WireLurker and the attack shown in August use a technique to install a provisioning profile on an iOS device.
A provisioning profile can be simply a certificate, a policy, or even VPN connectivity. Provisioning profiles are necessary for developers to test apps as well as for an enterprise to deploy apps and enforce policy and content control. They can also control how the iOS device accesses the network as revealed by Skycure last year.
As this latest report calls out, WireLurker’s installation of the provisioning profile requires a user to accept the profile via a prompt on the iOS device. (It could have been worse.)
As Tielei Wang pointed out in the Computerworld article, by leveraging the vulnerability of iOS over the USB port or Sync over Wi-Fi, attackers are able to install a profile without a prompt.
Wang also published a similar attack at Black Hat in 2013 using a USB charging device running Linux. “In all forms of this attack, a separate endpoint is required to deploy the malicious provisioning profile,” he noted then.
This highlights a point we’ve been making for some time: the endpoint is the target. Given the vulnerabilities in cross-platform software, such as Heartbleed, Shellshock and POODLE, we know that attackers are going cross-platform and that there are plenty of vulnerabilities on all platforms.
Increasingly, vulnerabilities are being identified specifically on OS X, such as the vulnerability recently reported in IOBluetoothFamily that allows a user-mode app to gain root-level privilege on OS X (this vulnerability was fixed in Yosemite).
Given the sophistication of WireLurker (it compromises a host platform, waits until a device connects and then deploys a malicious profile), it is the work of a persistent actor taking an advanced approach.
The known vector has been around for more than a year and it’s not going to be easy to close it. I anticipate that we’ll see many variations of this type of attack; variations that are not going to be blocked by signature-based security approaches, such as antivirus.
Even new precautions that enable an iOS device to prompt the user regarding the trustworthiness of a system when connecting to it are not enough.
Once the endpoint is trusted, an attack on that endpoint will succeed in delivering a malicious payload to any connected iOS device. A user prompt on endpoint trust is akin to the prompt you get when downloading software through the browser. It’s simply not going to protect you.
So, how do you avoid attacks like WireLurker?
The blog that announced it offers a lengthy list of actions one should always take in general, not just in response to this attack. Unfortunately, as discussed above, at some point an iOS user is going to have to trust an endpoint to connect to.
When they do, protecting that endpoint is the most critical step to preventing an attack such as WireLurker from doing damage. Using antivirus is not enough since AV isn’t going to identify and stop an unknown threat without a previously seen signature.
Simply put, your best defense against the likes of WireLurker is to only connect your iOS device, via any medium, to a basic charger that you own (so you know it hasn’t been compromised) or an endpoint that is protected by a security product that can block zero-day attacks. In addition, you should never accept a provisioning profile unless your company’s security team directs you to do so.
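The certificate, policy and VPN payloads described above are carried on iOS in a configuration profile (a .mobileconfig plist). As an added example that is not part of the original post, the triage script below parses such a profile and flags the payload types that change device trust or network paths, so a security team can decide whether a profile should be accepted at all. The sample profile and the `audit_profile` function are constructed here for illustration.

```python
import plistlib

# Payload types that change device trust or network paths; any of them in a
# profile your security team did not hand you is a reason to decline it.
HIGH_RISK_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.security.pkcs12": "installs a certificate with its private key",
    "com.apple.vpn.managed": "routes device traffic through a VPN",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.mdm": "enrolls the device in an MDM server",
}

def audit_profile(data: bytes) -> dict:
    """Triage a .mobileconfig given as bytes: name, signed?, risky payloads."""
    # A signed profile is a CMS (PKCS#7) blob; a bare XML plist is unsigned,
    # so nothing vouches for where it came from.
    if not data.lstrip().startswith(b"<?xml"):
        return {"name": None, "signed": True,
                "findings": ["signed profile: verify the signer before installing"]}
    profile = plistlib.loads(data)
    findings = ["unsigned profile: origin cannot be verified"]
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append(f"{ptype}: {HIGH_RISK_PAYLOADS[ptype]}")
    return {"name": profile.get("PayloadDisplayName"), "signed": False,
            "findings": findings}

# Constructed sample profile (not a real one): a "Wi-Fi helper" that quietly
# adds a root CA and a VPN, the kind of combination a user should refuse.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Free Wi-Fi Helper</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
    <dict><key>PayloadType</key><string>com.apple.vpn.managed</string></dict>
  </array>
</dict></plist>
"""

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE)["findings"]:
        print(line)
```

On a real profile that arrived signed, the script only reports that fact; the CMS wrapper has to be verified and unwrapped before the payload list can be audited.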