A team of researchers from security firm Symantec has discovered a new iOS vulnerability. It is called trustjacking, and it allows an attacker to hack an iPhone or iPad remotely once the device has been connected to a computer and the user has accepted the prompt that asks whether to trust that computer.
According to the company’s report, trustjacking exploits an iOS function called iTunes WiFi synchronization, which allows a user to manage the device without physically connecting it to a computer. “A single touch from the owner of the iOS device when the two are connected to the same network allows an attacker to obtain permanent control over the terminal,” says Roy Iarchy of Symantec.
If you own an iPhone or iPad, you should know that when you connect your device to a computer, a message appears asking whether or not you trust the computer. If you accept, the computer can access your settings and data, as well as make backups or install applications, among many other options.
iTunes WiFi sync lets iOS devices synchronize with iTunes without connecting the device to the computer with a cable. It can be enabled by physically plugging the iPhone or iPad into a computer that we trust and then checking the Synchronize with this iPhone via WiFi box in the Summary section. The function is very useful since it allows you to access your phone or tablet from your computer through the WiFi network, without having to connect it by cable.
What the Symantec researchers have discovered is that attackers can take advantage of this feature to hack the iPhone and control it remotely. For this, the only thing the user would have to do is connect his/her device to a malicious computer or charger, or even to his/her own computer, and trust it.
The criminal can use malware to make the mobile connect to iTunes and enable WiFi synchronization automatically, without the victim having to approve anything or being aware of what is happening. After these actions are completed, and even if the user disconnects the terminal, the attacker can additionally connect the device to a VPN server to create a continuous connection, which would allow him/her to access the victim’s mobile phone even when the victim is no longer on the same Wi-Fi network.
Using trustjacking, a cybercriminal can spy on the iPhone’s screen in real time, make a remote backup to access photos, application data or message history, carry out configuration adjustments or install malicious applications, among other things.
After receiving the report from Symantec, the tech giant Apple has added one more layer of security and now asks the user to enter their password in the iPhone to trust the computer to which they connect their mobile. However, the researchers point out that this does not solve anything, since once you have trusted the system the rest of the exploit continues to work. In addition, it would also be possible to exploit it by infecting the victim’s computer with malware.
To prevent an attacker from using trustjacking to hack your iPhone, Symantec recommends that you clear the list of trusted computers from Settings > General > Reset > Reset location and privacy. In addition, to protect your backups so that criminals do not have access to your data, enable encrypted backups in iTunes and choose a secure password.