Configuration profiles can be installed on the iPhone, iPod touch, or iPad in order to help Apple diagnose things like battery life problems and to change settings for certain types of network access, among other things. Unfortunately, like many empowered conveniences, they bring with them theoretical security concerns. Namely, bad guys could make a malicious profile and try to trick us into installing it so they can do us harm. Skycure -- a security vendor, keep in mind -- reports:
A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions. In addition to being able to route all of the victim’s traffic through the attacker’s server, a more interesting and hazardous characteristic of malicious profiles is the ability to install root certificates on victims’ devices. This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data. A few concrete impact examples include: stealing one’s Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these account, potentially creating havoc.
Matthew Panzarino of The Next Web went through a demo:
After the profile was installed, [Skycure CEO Adi Sharabani] demonstrated to me that he could not only read exactly which websites I was visiting, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.
To be clear, like any human engineering attack we -- the user -- has to install the malicious profile. It's not dissimilar to Phishing attacks or web popups on Windows or Mac PCs that claim account problems or promise free movies, porn, gadgets, or other scare tactics/enticements to get us to click/tap and install them on our systems. That's because they're not allowed installing themselves, we have to inject them ourselves.
For configuration profiles, you need to tap a link to initiate the install, then confirm the install in a modal pop-up dialog. In some cases, if you have a Passcode set, it might ask for that as well. Two user actions required, maybe three. The certificate also shows what it is going to do. For example, Panzarino's showed VPN settings. That means all his traffic would be sent through someone else's Virtual Private Network. If you're not sure what something means, Google and places like the iMore forums are your friend.
So, just like with desktop web browsers, we have to be careful what we click/tap on. The same advice always applies, be it in real life or virtual systems. Don't talk to strange configuration profiles. Don't take candy from them and don't help them find lost pets.
In other words, don't be panicked, but absolutely be careful. Hit the link below for more on how this works and what you need to look out for.
Source: Skycure, The Next Web
Update: Nick Arnott pointed out I was conflating configuration and provisioning profiles in the article, and that provisioning profiles -- the kind developers issue for ad hoc/beta apps -- likely aren't susceptible to this type of attack.
