Syncing iTunes across devices via Wi-Fi is popular and convenient, but newly discovered attack scenarios could put iOS devices at risk. Symantec researchers discovered a flaw that if exploited would allow attackers to compromise devices.
Named “Trustjacking,” the flaw exploits the trust of victims. The attackers leverage the trust that users have in the security of their own devices in order to take control of the device. Rooted in the design of the “iTunes Wi-Fi sync,” the flaw creates a security issue once a device is connected and the sync feature is selected. After the sync feature is turned on, there’s potential for a hacker to take complete control over the device, according to Symantec researcher Roy Iarchy, head of research and modern OS security, who presented the vulnerability at RSA 2018.
When the setting is enabled, the computer owner has access to a paired iPhone over a Wi-Fi connection even after the device is disconnected, and that's where some social engineering comes into play. For the attacker ti gain access, the device owner first has to click on a malicious link – usually a pop-up message – which then delivers the malware that infects the workstation.
But it’s not only connecting to a work space that puts the device at risk. Symantec described an additional scenario common to many on-the-go users. An unassuming victim might need a battery boost while traveling, so they plug their phone into a free charger at an airport. Once the device is connected to a malicious charger, the user has to agree to trust the computer, which enables the attacker to turn on the Wi-Fi sync feature.
According to Symantec, when a user agrees to trust the computer, they grant permission for the malicious charger, workstation or laptop to communicate with the connected device. Then the attacker only needs to execute two steps: allow the device to connect to iTunes and then enable iTunes Wi-Fi sync, which can be automated through malware.
No additional approvals are required. Once communication is established through the iTunes application programming interface (APIs), the device doesn’t even need to remain connected for the attacker to leverage many features, allowing them remote access to the user’s private information.
Similar vulnerabilities, such as juice jacking and video jacking, have been disclosed on smartphones and earlier versions of iOS, but trustjacking is different in that it grants the attacker permanent access to the device and lets them retain the same abilities long after the device has been disconnected.