Apple seems to have too much trust in USB
From the Article
The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.
Their attack requires the victim's computer to have malware installed.
Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.
Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.
That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.
"The whole process can be done without the user's knowledge," Wang said.
The host computer has access to a device not only through iTunes but also via a protocol called Apple File Connection, which is used for accessing images or music files.
The researchers recovered login cookies, including those for Facebook and Google's Gmail.
Follow this link for additional details: