Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

An iOS oversight: exploiting device trust and backups

From: David Longenecker <david () securityforrealpeople com>
Date: Tue, 22 Sep 2015 12:15:30 -0500
Posted in more detail at:
http://www.securityforrealpeople.com/2015/09/exploiting-ios-backups-for-fun-and.html

iOS (including iOS 9) have a chink in their security model's armor.

Enabling an iOS device to trust a new computer is a one-click operation -
no password or PIN is required. As long as the iOS device is logged in and
not screen locked, one click is enough to tell the iPhone or iPad that this
computer can be trusted. Once trusted, the computer is permitted to copy
files on and off, or make a full device backup.

For perspective, iOS has a setting to require the password or PIN to
purchase items in the App or iTunes Stores, but no such setting when
trusting a computer to do a full device backup.

Is this a big deal?

Have you ever lent your phone to a friend so they could make a brief phone
call?

If I borrow your iPhone under the guise of making a phone call, in a couple
of minutes I can USB tether to my computer, trust it, and make a full
device backup which I can search at length later. Or in just a few seconds
I can establish that device trust now, and later slip it off your desk to
make a backup of the locked iPhone.

In the grand scheme of things, the ability to make a covert backup of
another's iPhone isn't at the top of my list of worries. It requires
physical access to an unlocked device, meaning I'd have to unlock my phone
and let someone borrow it - not something I'm likely to do for someone I
don't know and trust.

Still, it pays to understand how your trust can be abused. Keep this in
mind the next time a friend asks "can I use your iPhone to make a call?"

Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: