US Gov't Issues Alert About iOS "Masque Attack" Threat 98
alphadogg writes Three days after security company FireEye warned of an iPhone/iPad threat dubbed "Masque Attack", the U.S. government has issued a warning of its own about this new risk by malicious third-party apps to Apple iOS devices. US-CERT warned: "This attack works by luring users to install an app from a source other than the iOS App Store or their organizations' provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link." Revelations of Masque came on the heels of a related exploit (that also threatens Macs) called WireLurker.
I don't get it... (Score:5, Insightful)
Don't you have to jump through all sorts of hoops to even INTENTIONALLY install an app from an alternate source?
Seems like it would be hard to do it unintentionally.
Re:I don't get it... (Score:5, Informative)
You have to get a link from someone, go somewhere that clearly isn't the apple store, download the app which the phone will warn you about, install the app which the phone will again warn you about and accept enterprise provisioning which the phone will warn you about yet again before the malware can do it's thing?
This takes real work on the part of the user to do that they don't normally, or ever see. It's a problem that they let a developer overwrite other apps, but in terms of it being a vulnerability? Welcome to dumb users doing stupid shit they've been told not to do the last 30 damned years.
Re: (Score:1)
So basically they have to click a link and hit next a few times.
Re: I don't get it... (Score:1)
Actually no. You can't install untrusted apps on iOS without hacking. Not something grandma has to worry about.
Re: (Score:2)
Re: (Score:2)
Repeating the same post several times makes it not more true nor does it give credit to what your mind is remembering ...
Re: (Score:1)
So basically they have to click a link and hit next a few times.
No. You're thinking of Android.
Re: (Score:1)
But we don't have Steve Jobs to tell us that we're doing it wrong!
All bets are off.
Re: (Score:1)
Re: (Score:2)
He did tell you. He was against the Enterprise provisioning system from day one. I can only assume it was because it would make attacks like this possible. The other ways of running non-Apple signed code are all per-device limited (you need an Apple-signed profile with each device’s UDID in it, max of 100 devices). Enterprise provisioning allows running on unlimited devices without needing to know the UDID’s in adv
Re: (Score:2)
This takes real work on the part of the user to do that they don't normally, or ever see.
But, in return, when they jump through all these hoops, their iPhone will run 50% faster and they'll be able to make money just by surfing the web.
Re:I don't get it... (Score:4, Insightful)
Let's also keep in mind that apple apps ONLY run in a sandbox, and this virus does not break out of it. The worst the app can do is be installed if you don't actually go into it and do stuff.
The main danger is that the app could masquarade as a legit app like browser/banking etc and maybe trick you into using it.
But the sheer number of steps needed to install it, then almost crazy foolishly using it afterwards, it isn't much of a threat.
Re: (Score:1)
The same kind of popups are shown to the people who install malware to their Windows machines. And yet they just click next-next-next-ok, as the ad banner promised something cool, like free money or pictures of . No matter what your iGod, Steve the great lied to you, the Apple devices are just as vulnerable to stupid users as any device out there.
One question: Is there any reasonable security scheme that can defeat social engineering 100% of the time?
I'm not trolling; I seriously want to know what Apple could have done to prevent this, and still allow for "corporate" apps.
Re: (Score:3)
You also have to enter your phone’s unlock code (assuming you set one) to install the provisioning profile.
I’d have a *tiny* amount of concern if it was tap-tap-tap-pwn3d, but it’s not something anyone could realistically do accidentally. Do without realizing the impact of it yes, but not “tap the wrong thing and you’re dead”.
At the point that you’re keying in your phone’s password (something you’d never do when installing a normal Apple app store app,
Re: (Score:2)
You Apple apologists are turning me into an iPhobe. Just man up and face the vulns.
No. The GP is right.
This is NOT something that ANYONE can install accidently. You have to jump through some serious hoops to make it happen.
Re:I don't get it... (Score:4, Insightful)
You can't stop viruses that are manually installed by ridiculously dumb users unless you have virus scanners, and even then it's hit and miss. I wouldn't even call it an exploit.
Re: (Score:2, Insightful)
They have to be smart enough to jailbreak, point to an alternative app store, and install a corrupted app.
Or be dumb enough to hand it to a smart friend who can do this.
Re: (Score:1)
actually, they can put the binaries on any webpage. that's how betas are distributed.
it's as easy a clicking a link and saying "yes" twice.
Re:I don't get it... (Score:5, Informative)
actually, they can put the binaries on any webpage. that's how betas are distributed.
it's as easy a clicking a link and saying "yes" twice.
No, you can't. They have to be one of:
(A) signed by Apple (e.g. anything from the App store)
(B) a developer signed binary running on a device enrolled under the developer's key as one of a limited number of devices
(C) enterprise enrolled and signed with the enterprise key
The exploit takes advantage of pirate App stores in china which require you to accept enterprise enrollment in their enterprise key, and then download binaries from their "App Store" after paying a reduced rate for them (they're pirated) that happen to have had malware installed into the app bundle prior to being signed by the enterprise key belonging to the store (and the store is not checking the apps it puts up for sale, because they are all purchased and then uploaded from jailbroken iPhones).
So it takes a lot of work, and most of the people at risk from this are in China and basically stealing Apps.
No. (Score:4, Insightful)
So identical to the Android malware, except there's less of it because iPhones are less popular in China?
No. Anyone who wants to can put up an Android app store, or sell an android app with malware in it for side-loading onto the Android phone. Android is *much* more vulnerable, depending on who you trust; trust the wrong person/company, and you're compromised.
To get that enterprise provisioning on your iPhone, you have to give up all other enterprise provisioning and sign up as a device enrolled as an "employee" of that App store, and you do it knowing full well that you're doing it to get pirated apps at a cut rate or free pricetag because you are a criminal.
Re: (Score:2)
either the article is wrong or they're doing a jailbreak.
and that would be interesting for would be jailbreakers.
because basically, on ios you need to add the testers phones to a list before they can get the testing version. there's a limit on how many testers you can have.
on android, all you need is the tester to switch a setting to allow him/her to install your .apk that is not from a trusted source. the tester doesn't even need a google account.
on windows phone, you just need to jump off a cliff, upload
Re: (Score:1)
This isn't quite correct. You can do an Enterprise distribution using an Enterprise developer account and deploy out without jailbreaking the phone or adding the devices to a list or anything. However the Enterprise developer account is more expensive than an individual account (around $500 or so iirc), and Apple can revoke it if they find out it is being used to distribute a bad app. The window that it would be possible to exploit this should be fairly short I would think, measured in days not weeks.
I d
Re: (Score:1)
either the article is wrong
I see. So you're saying FireEye are holding it wrong?
No, he's saying that the author of the article is either being deliberately misleading or is an idiot.
Re: (Score:2)
Re: (Score:2)
Re: I don't get it... (Score:1)
Re: (Score:2)
No, this is unnecessary. The malicious applications are signed as an enterprise application, so no jailbreaking is necessary. They are distributed using Apple's standard OTA distribution mechanism designed for enterprise applications and beta testing, so no alternative App Store is necessary.
What happens is that the user goes to a malicious/compromised website, this redirects them to the applica
Re: (Score:1)
You can't stop viruses that are manually installed by ridiculously dumb users unless you have virus scanners, and even then it's hit and miss. I wouldn't even call it an exploit.
B-B-B-B-But Apple said I was protected and viruses dont happen to them.
Re: (Score:1)
B-B-B-B-But Apple said I was protected and viruses dont happen to them.
Find me one instance where Apple said that.
[Crickets]
Re: (Score:2)
Yeah my understanding was that you had to jailbreak your iphone first with Cydia or some such tool before you can buy apps from someplace other than Apple.
Re: (Score:2)
cydia isn't a jailbreak tool - it's an alternate app store.
Pangu is a jailbreak tool.
Re: (Score:2)
Re: (Score:2)
Yes, you can for sure install untrusted apps on iOS without hacking. I can remember from the top of my head at least three ways. Phones in dev mode (not the problem here), Enterprise certs and beta software distributed through TestFlight.
I believe that the limit on TestFlight is 100 phones, and those have to be added to a "List".
Enterprise Certs are easily determinable and Revokable by Apple.
The system is just about as secure as could reasonably be designed.
Re: (Score:2)
All the modes you mention count as hacking, as an ordinary user can not do that.
Perhaps you forgot are not even aware what 'hacking' actually means.
Re: (Score:1)
Re: (Score:2)
If you are aware of the differences how can you claim a mere user does not need to 'hack' to get random software on an iOS device?
Re: (Score:3)
All of those hoops are removed if the app is signed by an Apple 'enterprise deployment' certificate. Someone anyone can get just by asking.
No, those are all the hoops [dropbox.com] you have to go through to accept the "enterprise deployment" certificate profile the first time, then accept the app launching the first time. Also, the phone needs to be unlocked to accept any of these dialogs.
But then Apple can just revoke the cert (which it did for WireLurker) and blacklist the malware on the Mac side (which it also did for WireLurker).
Re: (Score:1)
All of those hoops are removed if the app is signed by an Apple 'enterprise deployment' certificate. Someone anyone can get just by asking.
Bzzzt! Wrong!
You have to be Registered as an "Enterprise" Developer [apple.com]; which is a different level from the regular $99/yr. iOS Dev. Registration.
And since that means these Apps are "signed", it should be about 5 seconds before their Cert. was revoked by Apple.
Re: (Score:1)
Considering 92% of the mobile malware is on Android products, how stupid are those users? Yeah, that is what I thought.
Re: (Score:2, Insightful)
A large amount of malware on other platforms, mostly Windows, has been due to ignorant users willfully installing malware; bundled toolbars and adware that come with otherwise legit software are probably the best example.
Granted there are zero-day exploits and sometimes exploits in third party software (*cough* adobe *cough*) but the stuff I mentioned a moment ago is most common vector for malware infection.
Now Apple's platform is finally popular enough among average users that it is profitable for the less
Re: (Score:2)
Users who steal software deserve to get their devices infected with every piece of malware in existence. A lot of software in the Apple Store is free and most of the rest of it is rather inexpensive. I don’t sympathize even a tiny little bit with anyone who tries desperately hard to get something for nothing and then gets royally ripped off. Anyone who goes to certain sections of a large city has a good chance of getting mugged. Anyone who goes to certain places on the Internet stands a good chance of
One valid reason for enterprise side loading... (Score:3)
Users who steal software deserve to get their devices infected with every piece of malware in existence. A lot of software in the Apple Store is free and most of the rest of it is rather inexpensive. I don’t sympathize even a tiny little bit with anyone who tries desperately hard to get something for nothing and then gets royally ripped off.
One valid reason for enterprise side loading is if the App is not offered through iTunes in your region. In many cases, it's not offered worldwide, due to all sorts of regulatory restrictions; this is the same as for music you get from iTunes, where the developer wants market segmentation, or the regulators (government, etc.) in a given area wants segmentation or control.
In those cases, the only way to get the app for your region is to pirate it. For example, in China, as in Russia and the Ukraine, as wel
Re: (Score:2)
Re: (Score:2)
Remember that "places where they shouldn't be in the first place" includes sites that serve ads from 3rd party servers.
Re: (Score:1)
Whereas the Sybian-based ones will get you off.
Re: (Score:1)
Group hug!
false flag? (Score:4, Interesting)
since when does the govt issue virus alerts? My best guess is that NSA is alarmed by uncrackable iphone encryption, so they're doing everything they can to scare people off their iphones and on to something more easy to control like droid or bby
Re:false flag? (Score:4, Informative)
since when does the govt issue virus alerts?
Since at least 2009, [us-cert.gov], possibly earlier [us-cert.gov].
Re: (Score:2)
http://it.slashdot.org/story/1... [slashdot.org]
http://it.slashdot.org/story/1... [slashdot.org]
http://books.slashdot.org/stor... [slashdot.org]
Re: (Score:2)
Blast from the past (Score:5, Funny)
Hi,
This is an Albanian virus. As you know we are not so technical
advanced as in the West. We therefore ask you to delete all your
files on your harddisk manually and send this email to all your
friends.
Thanks for helping us,
The Albanian Hackers
When I saw it many years ago it looked like a good joke
Re: (Score:2)
There is a bug in the e-mail. It should be 'We therefore ask you to send this email to all your friends and then delete all your files on your harddisk manually'.
You still need some of those files on your harddisk in order to send an e-mail. Friends with less than average intelligence might not realize that.
In other words (Score:1)
Re: (Score:3)
Actually in the case of iOS it is substantially better. Application sandboxing makes it a lot harder to get pwned.
Re: (Score:2)
No so hard [slashdot.org], as it turns out.
Re: (Score:1)
Gwydion Lashlee-Walton approves.
Damn! I tried to install this malware... (Score:2)
...but it's written for iOS 7 and above. Won't run on my 3Gs.
I feel so left out!
A total non article .. (Score:1)
What is the point about this 'security alert'. If anyone installs an app from some malicious third-party site then of course they are going to get exploited. This is nothing more than social engineering, nothing to see here, moving on. What is this even doing as an article on slashdot?