When plugging a mobile phone or device into a new computer, you will be asked: ‘Do you trust this Computer’. Answering yes, however, could expose the device to a remote attack, in a new vulnerability known as trust-jacking.
When plugging a device into a computer or network – such as charging a phone in a colleague’s laptop or at a charging point in an airport – the device operating system will ask whether the computer can be trusted or not. Giving permission will, however, allow much more than charging, it will also enable the devices to communicate and access data.
Known as ‘juice-jacking’, stealing data or installing malware via a USB connection is not new. Employees are typically warned not to plug their devices into public mobile phone charging points, for example. However, ‘trust-jacking’ goes a step further and allows a cyber attack to continue long after the devices are physically disconnected.
Cyber security firm Symantec recently revealed a new iOS vulnerability that enables hackers to remotely control iPhones and other Apple devices using iTunes Wi-Fi sync. Most users would assume that unplugging their device would prevent further access to their private data. However, after a user physically connects their Apple device to a new computer, and approves the trust privileges, iTunes Wi-Fi sync is free to communicate over a Wi-Fi connection.
This allows the computer to access data on the device, perform backup and install applications, without requiring additional confirmation or notifying the user. It also allows communication to continue after the device has been disconnected from the computer, as long as the computer and the iOS device are connected to the same network.
This opens the door for hackers, who can use malicious software to control the device remotely, as long as the device and attacker are connected to the same Wi-Fi network. However, Symantec showed that it is also possible to create a continuous connection between the victim’s device and the attacker’s computer by connecting the device to a VPN server.
Why does it matter?
The vulnerability in iTunes Wi-Fi sync represents a new class of multi-device attacks, according to Symantec. According to the cyber security firm, trust-jacking enables hackers to remotely view the device screen, to install malicious or modified apps, as well as access private information, including photos, message and chat history, and app data.
Hackers could set up a malicious computer – or a device charging point - to remotely steal data or install malware. A more powerful trust-jacking attack could be achieved through malware installed on the victim’s own personal computer, which would give hackers access to the infected computer and the victim’s devices over time.
When told of the vulnerability, Apple added a passcode requirement. Unfortunately, there is no way to list all of the trusted computers on an Apple device and revoke access selectively. The best way to ensure that no unwanted computers are being trusted by your iOS device is to clean the trusted computers list under Settings.
Download Cyber Decoder Newsletter
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org