Apple iOS Trustjacking Vulnerability
A new vulnerability has been discovered with iOS devices which lets you exploit the “Wi-Fi Sync” feature allowing a malicious user unauthorised access to a device wirelessly.
Wi-Fi Sync lets you manage your devices from your computer without connecting them. If this feature is enabled and you connect to a new device, it may ask you whether you trust the device. If this is allowed it can give unauthorised access to the device even when the device is disconnected from the computer or charger it was connected to.
The vulnerability, called trustjacking, requires a user to configure Wi-Fi syncing in iTunes, which allows iOS device owners to manage their devices without physically connecting it to their computer.
This can let malicious users remotely view the device screen, install malicious apps and steal things like Photos, Message history and App data.
Further technical details here
Affected Platforms
iOS Devices- versions 10 or previous
Resolution
- This vulnerability has been patched in iOS 11. Update to the most recent version of iOS.
- Users are advised to clean the trusted computers list by going to Settings > General > Reset > Reset Location & Privacy. You will need to reauthenticate your trusted devices after doing this.
- Ensure that strong password policies are in place and password reuse is discouraged
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.