Attacks/Breaches

8/7/2015
09:15 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Risk of Data Loss From Non-Jailbroken iOS Devices Real, Security Firm says

Data from the Hacking Team reveals actively used exploit for breaking into and stealing data from registered iOS systems, FireEye says.

Mobile devices based on Apple’s iOS are generally considered safer against malicious hacking threats than Android-based systems. But they are not immune from data stealing attacks altogether.

Data leaked by the intruders who broke into the Hacking Team’s network last month suggest the Italian security firm has exploits for infiltrating into, and stealing data from, jailbroken as well as non jailbroken iOS devices.

That same leaked information could also give other hackers potent new clues and ready-to-use techniques for carrying out similar attacks against iOS users, security firm FireEye said in a report released this week.

FireEye examined over 400GB of Hacking Team data leaked by the attackers and discovered that the company has sophisticated, remotely-controllable exploits for all major mobile platforms including iOS, Android, Windows Phone, BlackBerry and Symbian.

Among the most significant of the exploits is an iOS Remote Control System (RCS) agent that can be used to access information from a compromised system and exfiltrate it to an attacker-controlled system.

The Hacking Team tool is disguised as an innocuous newsstand app and comes with a transparent icon that conceals its presence on an iOS device, FireEye noted in its report. Once the app is installed and trusted by a user, it can be used to steal contact and calendar information, photos, video and other data on the compromised device. The app also features a keyboard extension capable of recording the keystrokes made by a user and sending it to a remote server.

The Hacking Team app is a weaponized version of an iOS exploit dubbed the ‘Masque Attack’ that FireEye had first blogged about last year. The attack method takes advantage of a now-patched flaw in multiple versions of iOS that allowed attackers to replace a legitimate application installed on a iOS device with a malicious application so long as both the apps had the same binary identifier or file name. The vulnerability resulted from Apple’s failure to ensure that two applications with the same identifier had matching digital certificates, FireEye had noted in its report. This allowed attackers to create malicious applications with binary identifiers belonging to legitimate apps, sign it with an enterprise or developer certificate, and distribute it to unsuspecting users.

In its analysis of the leaked data from the Hacking Team, FireEye discovered 11 Masque Attack type iOS apps that were disguised to appear like re-packaged versions of applications like Facebook, Whatsapp, Twitter, Viber, and Skype. “Because all the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior 8.1.3,” FireEye said.

The data reviewed by FireEye suggests that the Masque Attack type apps developed by the Hacking Team have been deployed in the field for months, the report added.

“The risks of data losses via iOS devices are real,” said Raymond Wei, senior director, mobile development at FireEye. “The risks are increasing due to the leak of Hacking Team data, which has provided cues and even ready-to-use tools for less technically capable attackers,” he said in an email.

The trend highlights the need for enterprises to control access to corporate data when malware is detected on an employee’s mobile device, Wei said. It also shows why administrators need to restrict installation of iOS applications on corporate owned devices unless the applications are obtained from the official App Store, he said. Users with personally owned devices should be urged to avoid installation of third-party applications on devices that are used to access and store corporate data, he added.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1698
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
CVE-2019-1700
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
CVE-2019-6340
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
CVE-2019-8996
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.
CVE-2019-1681
PUBLISHED: 2019-02-21
A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure. The vulnerability is due to improper validation of user-sup...