NEW YORK, NY – August 11, 2014
A reported security vulnerability in Apple iOS devices by which outsiders could potentially access users’ personal data through pairing records has been validated in a whitepaper released by the incident response team at Stroz Friedberg, a global investigations, intelligence and risk management company.
In response, Stroz Friedberg has developed an open source tool, “unTRUST,” to allow enterprise and personal users to protect their data on iOS devices such as the iPhone and iPad. The whitepaper also lists recommendations to mitigate the security risk.
“We are proactively sharing the unTRUST tool and free recommendations with corporate America,” said Erin Nealy Cox, Executive Managing Director and lead of the incident response practice at Stroz Friedberg. “Enterprises today rely heavily on mobile devices for day-to-day business operations. The breach of even one employee’s iPhone has the potential to expose a company’s valuable information to their competitors or the public at-large.”
The vulnerability an occur when a user connects his or her device to a computer via USB cable and selects “Trust” when the “Trust This Computer?” dialog box pops up. Users have the ability to elect to trust multiple computers and the potential for exploit increases as the number of trust relationships increase.
A pairing record is then created on both the device and the computer in order for them to facilitate a variety of services. An unauthorized person with access to a “trusted” computer or a modified USB charger can exploit these service’s USB, remotely or over Wi-Fi and gain access to sensitive personal data. This includes user, application, diagnostic, file and system data. Stroz Friedberg developed its unTRUST tool to remove the pairing records at the heart of the issue.
The security hole was first reported during the Hackers on Planet Earth (HOPE) conference in July by digital forensics scientist Jonathan Zdziarski. He revealed several services present on iOS devices that can possibly provide unannounced packet-sniffing and data-dumping capabilities that bypass device settings and back-up encryption.
Stroz Friedberg undertook an effort to independently test and validate Zdziarski’s research and was able to reproduce many of his findings on iOS devices running iOS versions 7 and 8. Details about the process and the unTRUST tool are outlined in the whitepaper, entitled “Mitigating Potential Pairing Record Risks in Apple iOS Devices” and authored by Stroz Friedberg digital forensic experts Cheri Carr and Daniel Blank.
“Stroz Friedberg is committed to protecting businesses from potential security risks,” Cox said. “IT departments are increasingly adopting Apple products for use by the workforce because they are already extremely popular with employees. By taking a few proactive measures, they can be assured of the security of these devices.”
Stroz Friedberg’s unTRUST tool is publicaly accessible through its GitHub repository. The firm also recommends general mitigation strategies, among them:
- Delete all pairing records that currently exist on the iOS device.
- Trust only one computer (a computer necessary for syncing and updates) and implement security controls on the iOS device and the “trusted” computer.
- Do not allow other untrusted connections, including connections to other unnecessary computers, and other Internet-connected devices (e.g. kiosk computers).
- Because the trusted relationship can be exploited through Wi-Fi, disable Wi-Fi when not needed.
- For trusted computers, implement the following, where possible:
- Encrypt data-at-rest.
- Ensure operating system and application patching is kept up-to-date.
- For iOS devices, implement the following, where possible:
- Enable complex passwords.
- Do not store account credentials in clear text on the device.
- Ensure iOS and apps are kept up-to-date.
- Corporate should use mobile device management apps such as MobileIron or Good Technology for protection of sensitive documents and emails.
“Mitigating Potential Pairing Record Risks in Apple iOS Devices” is available at www.strozfriedberg.com. The source code and installation files for unTRUST can be accessed at https://github.com/strozfriedberg/unTRUST.