iOS AirDrop vulnerability allows for malware installation on Apple devices

In addition to the usual benefits that come with an updated operating system – new enhancements that make your device easier to use – there are other, less visible advantages to downloading the latest software.

Security is one of these, and, as Apple launches iOS 9, this understated benefit has been highlighted by an expert who has come across a flaw.

Mark Dowd, director and founder of Azimuth Security, explained to Forbes that any iOS device that supports the AirDrop feature is vulnerable to a certain type of cyberattack.

This applies to all of Apple’s most recent products (from iOS 7), including Macs, iPhones and iPads, Mr Dowd noted.

He showed that via AirDrop – which allows individuals to share photos, videos, websites and locations with other Apple devices – an attacker can install malware on a victim’s smartphone or tablet.

This is achieved through a directory traversal attack, which basically gives a cybercriminal access to certain parts of an operating system that are usually off-limits.

Once in, the attacker can then change configuration files, meaning that the breached device can now install malicious apps that otherwise appear to have been authenticated by Apple’s Developer Enterprise Program.

“To make the iPhone accept his certificate, Mr Dowd’s AirDrop attack forced an installation of a provisioning profile for his app,” the online news provider detailed.

“He then altered Springboard, Apple’s tool for managing the iOS home screen, to trick the phone into believing his ’enterprise’ was already accepted as trusted by the user when it shouldn’t have been.

“He then copied his malware files into the directory where third-party apps were located.”

Mr Dowd has advised users to upgrade their Apple devices immediately to avoid falling victim to this attack.

Last week, at Apple’s Keynote event in San Francisco, it was revealed that iOS 9 comes with additional security features.

There are two notable developments – a stronger passcode and a revamped two-factor authentication process (2FA).

By “by building [2FA] it directly into iOS, it [is] harder for others to gain unauthorized access to your Apple ID,” the tech giant stated at the time.

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.