Potentially nasty new iPhone security flaw discovered

Wuh-oh! Considering its popularity and the number of handsets floating around out there compared to the number of security exploits discovered thus far, I’d say Apple has done a pretty good job of keeping things locked down.

As this just-discovered flaw proves, however, nobody’s perfect.

You can read the full technical details of the exploit here, but to make one hell of a long story short: the iPhone allows settings configuration files to be installed over-the-air through Safari, primarily to help enterprise businesses setup a bunch of iPhones as quickly as possible. We’ve known this for a while – it’s a crucial part of easily enabling tethering on jailbroken iPhones. The user must must confirm the installation manually, and the iPhone tells you who it’s from and whether or not it’s a trusted source – which (we hope) most would be smart enough not to do in standard cases.

The particularly nasty part here, however, is that the anonymous hackers reporting the flaw were not only able to make the configuration file report back as “Verified”, but also indicate that it was straight from “Apple Computer” themselves. From that point, a pinch of clever web design and a dash of social engineering would be enough to convince the vast majority of users who stumble across a malicious update that it’s as legit as can be.

So once it’s installed, what harm can be done? In theory, it could be used to reconfigure the iPhone’s proxy settings, allowing hackers to redirect all traffic through a server of their choosing. It could also be used to wreak havoc on WiFi/e-mail settings, and disable the use of Safari, Mail, and a handful of other first-party iPhone apps. Worse yet, it’s possible to set the configuration file so that the user can’t remove it – so once it’s installed, getting it off the handset would require a full wipe.

Let’s hope there’s some way to fix all of this without nerfing the over-the-air configuration process all together, if only for the sake of I.T. guys everywhere. In the mean time: if you see a screen like the one in the screenshot above and you weren’t intending on provisioning your handset with new settings, you should certainly avoid hitting the “Install” button.

[Via ThreatPost]