wirelurker

Apple has now blocked Mac apps infected with the WireLurker malware from launching, after earlier revoking the security certificates to prevent them from being installed on new devices. WireLurker was capable of infecting non-jailbroken iOS devices when they were connected to a Mac running one of the compromised apps. Over 400 Mac apps in a third-party Chinese app store were affected.

In a written statement, an Apple spokesperson said:

We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.

However, a security researcher says that it would be easy for other attackers to exploit the exact same weakness … 


Jonathan Zdziarski responded to the Palo Alto Networks white paper with a blog post in which he argues that while WireLurker was easy to block, that may not be true of other attacks using the same approach.

The bigger issue here is not WireLurker itself; WireLurker appears to be in its infancy, and is mostly a collection of scripts, property lists, and binaries all duct-taped together on the desktop, making it easy to detect. The real issue is that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized […]

While WireLurker appears fairly amateur, an NSA or a GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.

The problem, he explains, is the extent of the power granted to trusted devices. Once you pair an iPhone with a Mac, for example, and confirm that each should trust the other, there is virtually no limit to what the Mac is able to do to the iPhone. Zdziarski believes there are three simple steps Apple should take to reduce the risks.
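Because a trusted pairing carries so much power, the first defensive check is knowing which devices a Mac has been paired with. The audit below is an added example, not code from the article or from Zdziarski; it assumes macOS keeps one pairing record per trusted device under /var/db/lockdown/<UDID>.plist with keys such as HostID and WiFiMACAddress, and it builds constructed sample records in a temporary directory so it can run anywhere.

```python
import plistlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption (not stated in the article): macOS stores pairing records as
# /var/db/lockdown/<UDID>.plist, each containing at least a HostID key.
LOCKDOWN_DIR = Path("/var/db/lockdown")


def audit_pairing_records(lockdown_dir=LOCKDOWN_DIR, now=None):
    """Return one summary dict per pairing record found in lockdown_dir.

    age_days is derived from the file's modification time, so an old record
    for a device the user no longer owns stands out for removal.
    """
    now = now or datetime.now(timezone.utc)
    records = []
    for plist_path in sorted(Path(lockdown_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or not a plist; skip rather than fail
        if "HostID" not in data:
            continue  # other plists in the directory are not device records
        mtime = datetime.fromtimestamp(plist_path.stat().st_mtime, timezone.utc)
        records.append({
            "udid": plist_path.stem,
            "host_id": data["HostID"],
            "wifi_mac": data.get("WiFiMACAddress"),
            "age_days": (now - mtime).days,
        })
    return records


def build_sample_lockdown_dir():
    """Constructed sample data: two fake device records plus one non-record plist."""
    tmp = Path(tempfile.mkdtemp())
    for udid, mac in (("00008030-000A1B2C3D4E5F60", "aa:bb:cc:dd:ee:01"),
                      ("00008101-001122334455AABB", "aa:bb:cc:dd:ee:02")):
        with open(tmp / f"{udid}.plist", "wb") as fh:
            plistlib.dump({"HostID": "11111111-2222-3333-4444-555555555555",
                           "WiFiMACAddress": mac}, fh)
    with open(tmp / "Other.plist", "wb") as fh:
        plistlib.dump({"SomeKey": "not a pairing record"}, fh)
    return tmp


if __name__ == "__main__":
    for rec in audit_pairing_records(build_sample_lockdown_dir()):
        print(f"{rec['udid']}  host={rec['host_id']}  mac={rec['wifi_mac']}  "
              f"age={rec['age_days']}d")
```

Run it with no argument against the real directory (as an administrator) to list the devices that trust this Mac; records older than you expect are candidates for removal.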

First, he says, users need to be given much more specific warnings about the dangers of installing unsigned apps. At the moment, a simple OK prompt is all it takes for a Mac to install a new app on an iOS device.

Second, Apple should disable Enterprise Mode by default. Enterprise Mode is intended to let businesses roll out bespoke software to iOS devices easily, but a feature used by a small minority of users puts every user at risk.

A vast majority of non-enterprise users will never need a single enterprise app installed, and any attempt to do so should fail. So why doesn’t Apple lock this capability out unless it’s explicitly enabled [by] a switch in settings.

Third, Mac apps should have to ask the user for permission to install software on iOS devices, with only iTunes and Xcode granted permission by default.

Apple should manage access to “Trusted Pairing Relationships” with devices the same way it manages access permissions for contacts and geolocation. An application should have to ask for permission to access this privileged data.

The blog post also goes into more technical detail about additional steps Apple could take, but the three above would, he says, be easy to implement.

About the Author

Ben Lovejoy