iOS Trustjacking Vulnerability Exposes iPhone and iPad To Hackers

Security researchers at Symantec have found a new vulnerability which could allow hackers to gain access to your iPhone and iPad without your knowledge.

They call this exploit "trustjacking." It works once a user has authorized a computer and their device is connected to the same Wi-Fi network as the hacker, through a feature which allows iOS devices to be managed wirelessly.

Symantec's senior vice president, Adi Sharabani, told WIRED last week, "Once this trust is established, everything is possible. It introduces a new vector of attack."


The first step requires you to connect your device to the computer via a USB cable. After setup is complete, the device does not give any alerts or warnings that it can be accessed even after the cable is disconnected.

Once access is granted, there is no way to deauthorize the permission. However, you can revoke access to authorized computers.

If hackers manage to get into or control your iOS device, all your personal data, such as photos, app information, and SMS/iMessage chats, would be at risk of being easily compromised.

"We discovered this by mistake actually," Sharabani says. "Roy was doing research and he connected his own iPhone to his own computer to access it. But accidentally he realized that he was not actually connected to his own phone. He was connected to one of his team members’ phones who had connected their mobile device to Roy’s desktop a few weeks before. So Roy started to dig into what exactly he could do and find out if he were an attacker."

Researchers say that they had notified Apple of the vulnerability, and Apple has implemented a solution to deal with this issue. However, the team of researchers is not pleased with the solution implemented to address the problem of Trustjacking attacks.

"While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described," Iarchy said today in a blog post.

"Unfortunately, there is no way to list all of the trusted computers and revoke access selectively," the expert added. "The best way to ensure that no unwanted computers are being trusted by your iOS device is to clean the trusted computers list by going to Settings > General > Reset > Reset Location & Privacy, now you will need to re-authorize all previously connected computers next time you are connecting your iOS device to each device."