iOS Trustjacking

A new attack called “iOS Trustjacking” has been disclosed that allows an attacker to control a vulnerable iOS device remotely, over Wi-Fi, and perform a range of malicious actions on it.

iOS Trustjacking abuses the iTunes Wi-Fi sync feature. Once a victim has trusted an attacker-controlled computer a single time, the attacker gains remote access to the device and persistent control over it, without any further user interaction and without needing physical access again.

“iTunes Wi-Fi sync” is a convenience feature that allows an iOS device to be synced with iTunes without being physically connected to the computer by cable.

Related attacks found earlier, such as juice jacking (older iOS versions did not require authorization for a new computer, so a malicious charging station could install malware) and videojacking (a malicious HDMI connection used to record the iOS device’s screen), only work while the device stays physically connected to the malicious hardware.

Trustjacking, by contrast, gives the attacker persistence: the attacker stays connected to the compromised device even after it has been unplugged from the malicious hardware.

How does the iOS Trustjacking vulnerability work

iTunes Wi-Fi sync lets a computer communicate with the device without a physical connection. To enable it, the user first has to sync the iOS device with iTunes by connecting it to the computer with a cable; after that, iTunes can sync with the device over Wi-Fi.

When an iOS device is connected to a new computer, the user is asked whether to trust that computer. Once the user taps “Trust”, the computer can access the device through the standard iTunes APIs.

According to Symantec’s RSA Conference presentation, this allows the computer to access the photos on the device, perform a backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication on the device.

At the same time, the attacker’s computer can turn on “iTunes Wi-Fi sync”, which keeps the trust relationship usable after the cable is unplugged, as long as the iOS device and the attacker’s computer are connected to the same network.

So the attacker needs only two steps:
  • Get the device to trust the attacker’s computer (allow it to connect to iTunes)
  • Enable iTunes Wi-Fi sync

Interestingly, enabling “iTunes Wi-Fi sync” does not require the victim’s approval and can be done entirely from the computer side.
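To make the trust relationship concrete, here is an added example that is not code from the article or from Symantec’s research. It mocks the device-side lockdownd service and a host computer that reconnects to it. The 4-byte length plus XML plist framing and the QueryType / StartSession request names follow the lockdownd protocol as implemented by the open-source libimobiledevice project; the HostID and SystemBUID values are constructed, the port is ephemeral (the real lockdownd listens on TCP 62078), and the TLS handshake that the real service performs after StartSession is omitted. The point it demonstrates: once a HostID is in the device’s pairing store, StartSession succeeds with no prompt, over USB or Wi-Fi alike; an unknown HostID is rejected with InvalidHostID; and clearing the pairing store (what Settings > General > Reset > Reset Location & Privacy does on the device) is what actually revokes the attacker’s access.

```python
import plistlib
import socket
import struct
import threading

# Constructed pairing record, shaped like what iTunes or libimobiledevice store after
# the user taps "Trust" (macOS keeps them under /var/db/lockdown/<UDID>.plist).
# Certificates and keys are omitted; HostID and SystemBUID are the identifiers the
# host presents to lockdownd to prove it was trusted earlier. All values are made up.
TRUSTED_PAIR_RECORD = {
    "HostID": "2F4E8C1A-0B7D-4C3E-9A21-5D6E7F8091A2",
    "SystemBUID": "A1B2C3D4-E5F6-4789-A0B1-C2D3E4F5A6B7",
    "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
}
# A computer the device has never been paired with (constructed).
UNKNOWN_PAIR_RECORD = dict(TRUSTED_PAIR_RECORD, HostID="00000000-0000-4000-8000-000000000000")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def send_plist(sock, obj):
    """lockdownd framing: 4-byte big-endian length followed by an XML plist."""
    payload = plistlib.dumps(obj)
    sock.sendall(struct.pack(">I", len(payload)) + payload)


def recv_plist(sock):
    (length,) = struct.unpack(">I", _recv_exact(sock, 4))
    return plistlib.loads(_recv_exact(sock, length))


class MockLockdownd(threading.Thread):
    """Stand-in for the device's lockdownd. It answers QueryType and StartSession
    and trusts exactly the HostIDs in its pairing store. The real service also
    switches to TLS with the pairing certificates after StartSession (omitted)."""

    def __init__(self, trusted_host_ids):
        super().__init__(daemon=True)
        self.trusted = set(trusted_host_ids)
        self.sessions = 0
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))  # real lockdownd: TCP 62078 over Wi-Fi
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                try:
                    while True:
                        send_plist(conn, self.handle(recv_plist(conn)))
                except ConnectionError:
                    pass  # host disconnected; wait for the next connection

    def handle(self, req):
        kind = req.get("Request")
        if kind == "QueryType":
            return {"Request": kind, "Type": "com.apple.mobile.lockdown"}
        if kind == "StartSession":
            # No prompt to the user here: the trust decision was made at pairing time.
            if req.get("HostID") in self.trusted:
                self.sessions += 1
                return {"Request": kind, "SessionID": f"sess-{self.sessions}",
                        "EnableSessionSSL": True}
            return {"Request": kind, "Error": "InvalidHostID"}
        return {"Request": kind, "Error": "UnknownRequest"}

    def reset_trust(self):
        """Device-side mitigation: resetting Location & Privacy clears the pairing store."""
        self.trusted.clear()


def start_session(port, pair_record):
    """Host side: the handshake a trusted computer performs on every reconnect."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        send_plist(s, {"Label": "example-host", "Request": "QueryType"})
        if recv_plist(s).get("Type") != "com.apple.mobile.lockdown":
            raise RuntimeError("not a lockdownd endpoint")
        send_plist(s, {"Label": "example-host", "Request": "StartSession",
                       "HostID": pair_record["HostID"],
                       "SystemBUID": pair_record["SystemBUID"]})
        return recv_plist(s)


def run_demo():
    """Trusted host reconnects silently; unknown host is refused; reset revokes trust."""
    device = MockLockdownd([TRUSTED_PAIR_RECORD["HostID"]])
    device.start()
    results = {"trusted": start_session(device.port, TRUSTED_PAIR_RECORD),
               "unknown": start_session(device.port, UNKNOWN_PAIR_RECORD)}
    device.reset_trust()
    results["after_reset"] = start_session(device.port, TRUSTED_PAIR_RECORD)
    return results


if __name__ == "__main__":
    for name, resp in run_demo().items():
        print(f"{name:12s} {resp.get('SessionID') or resp.get('Error')}")
```

Run as a script, the trusted host gets a session while the unknown host and the post-reset reconnect both receive InvalidHostID. The takeaway for defenders is that the credential the attacker keeps is the pairing record on their machine, so unplugging the cable changes nothing; only clearing the device’s pairing store (or never trusting an untrusted computer in the first place) ends the access.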

As a result, the attacker can take screenshots and view or record the device’s screen remotely, and can also access a great deal of private information such as photos, SMS / iMessage chat history, app data and more.

According to the researchers, these steps can be automated by malicious software. They require no additional approval from the victim and trigger no indication on the device that anything is happening.

“In order to be able to view the victim’s device screen, the attacker needs to install the developer image suitable for the victim’s device iOS version; then, he can take screenshots repeatedly and view the device’s screen in near real time. Installing the developer image can be conducted over Wi-Fi and does not require regaining physical access to the device.”