The SideStepper iOS vulnerability was discovered by Check Point and widely reported recently. The vulnerability allows an attacker to trick an unsuspecting enterprise user into loading malicious apps on their device. The attack is aimed at enterprise users because it relies on a flaw related to MDM profiles, which are only used on devices managed by an organization’s MDM (or EMM).
The attack scenario is this: A user is fooled into installing a malicious configuration profile on a device, probably by a phishing message (email, text or IM). The malicious profile enables a Man-in-the-Middle (MitM) attack between the iOS device and an MDM or EMM. From that point on, the attacker can install malicious apps on the device of an unsuspecting user.
So, what’s Apple’s response to this? “We’ve built safeguards into iOS to help warn users of potentially harmful content like this,” an Apple spokesman said in a statement.
First: Would anyone assert that the iOS messages about certificates and MDM profiles are clear enough for users to make good decisions based on them? I didn’t think so. Apple is telling Fortune 100 companies, with potentially hundreds of thousands of employees, to trust that every single one of them will not hit the “Trust” button.
Second: When Apple mentioned there are safeguards that warn users they failed to mention the safeguards that IT can enable to protect their users from needing to get the warning to begin with. Although off by default, when enabled, these safeguards would prevent malicious MDM configuration profiles from even the potential of being installed by an end-user. A better response by Apple would be to include information about this option and to educate IT staff about these settings. Interestingly, Check Point also seemed to overlook this fact.
Third: The MDM protocol does not authenticate the server. That makes it possible to launch the Man-in-the-Middle attack scenario. Why would Apple design an MDM protocol without such authentication?
On the one hand, Apple’s marketing messages are clear: You don’t need security for iOS apps because we’ve designed a system — including App Store app vetting — that precludes the need for anything else. On the other hand, there have been five malware breaches of the App Store since last August, as well as the MDM-related critical sandbox vulnerability Quicksand, and exploits such as SideStepper continue to be discovered.
Maybe the emperor has clothes, maybe not. But we shouldn’t rely on the emperor to tell us.
Image credit: www.fotolia.com