
Apple blocks WireLurker malware apps from opening, but needs to do more, argues security researcher

Apple has now blocked the launching of Mac apps infected with WireLurker malware, after earlier revoking security certificates to prevent them being installed on new devices. WireLurker was capable of infecting non-jailbroken iOS devices when connected to a Mac running one of the compromised apps. Over 400 Mac apps in a third-party Chinese app store were affected.

In a written statement, an Apple spokesperson said:

We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.

However, a security researcher says that it would be easy for other attackers to exploit the exact same weakness … 

Jonathan Zdziarski responded to the Palo Alto Networks white paper with a blog post in which he argues that while WireLurker was easy to block, that may not be true of other attacks using the same approach.

The bigger issue here is not WireLurker itself; WireLurker appears to be in its infancy, and is mostly a collection of scripts, property lists, and binaries all duct-taped together on the desktop, making it easy to detect. The real issue is that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized […]

While WireLurker appears fairly amateur, an NSA or a GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.

The problem, he explains, is the extent of the power granted to trusted devices. Once you pair an iPhone with a Mac, for example, and confirm on each that the other should be trusted, there is virtually no limit to what the Mac is able to do to the iPhone. Zdziarski believes there are three simple steps Apple should take to reduce the risks.

First, he says, users need to be given much more specific warnings about the dangers of installing unsigned apps. At the moment, a simple OK prompt is all it takes for a Mac to install a new app on an iOS device.

Second, Apple should disable Enterprise Mode by default. Enterprise Mode is intended to allow businesses to easily roll out bespoke software to iOS devices, but a feature used by a small minority of users puts everyone at risk.

A vast majority of non-enterprise users will never need a single enterprise app installed, and any attempt to do so should fail. So why doesn’t Apple lock this capability out unless it’s explicitly enabled [by] a switch in settings.

Third, Mac apps should have to ask the user for permission to install software on iOS devices, with only iTunes and Xcode granted permission by default.

Apple should manage access to “Trusted Pairing Relationships” with devices the same way it manages access permissions for contacts and geolocation. An application should have to ask for permission to access this privileged data.

The blog post also goes into more technical detail about additional steps Apple could take, but the three above would, he says, be easy to implement.



Comments

  1. PMZanetti - 9 years ago

    Apple could do some of those things, but I think he sorely underestimates the problem with turning Enterprise off by default. Many Enterprise devices and users are no smarter/savvier than the average user, and these devices have to be managed remotely and/or en masse.

    • Ben Lovejoy - 9 years ago

      Yep, it’s always a balancing act with these things.

    • Edison Wrzosek - 9 years ago

      Agreed. Also, I find this statement particularly useless:

      “users need to be given much more specific warnings about the dangers of installing unsigned apps”

      I have lost count of how many times I’ve seen users completely click through warning dialogs, no matter how subtle or flashy, without even bothering to read what they say. These users often either click through, or rush to tech support (me) and ask “What does this mean?” even though it’s written in plain English…

      Over the years of tech support, I’ve come to always view the end-user as dipshit stupid, until they prove otherwise. That way, I know they’ve screwed something up in a very bone-headed way, and I know what to look for.

      While some of Mr. Zdziarski’s advice should be taken to heart by Apple, this dialog warning suggestion is practically worthless.

      All one has to do to know it’s worthless is look at Android apps and how people just glaze over App Permissions :(

      • Ben Lovejoy - 9 years ago

        I suspect you’re right. Perhaps we need more colorfully-worded alerts: “So, one in six of these apps is infected with malware. I know what you’re thinking. Did I install six unsigned apps or only five? Well to tell you the truth in all this excitement I kinda lost track myself. But being this is a Chinese app store, you’ve gotta ask yourself one question: Do I feel lucky? Well, do ya, punk?”

  2. Taste_of_Apple - 9 years ago

    Good they acted fast at least.

  3. leifashley - 9 years ago

    Apple moved quickly and is still light years ahead of Windows in this area.

    What Apple should do is ignore people telling them what to do. I don’t want to see a giant “this app is not trusted and will kill your puppies” message. Most won’t read it anyway.

    Turn off enterprise by default? You gotta be kidding me. That’s one of the stupidest recommendations I’ve ever heard.

  4. WaveMedia (@WaveMedia) - 9 years ago

    I love how these things always seem to gloss over the “user downloaded pirated software that happened to have malware in it” bit and go on to blame Apple for it.

    • Edison Wrzosek - 9 years ago

      Indeed! The source of this outbreak was the third-party, or should I say “pirate” app store in China. These people were looking to save a couple of bucks and now they paid the price. Honestly, they’ll get very little sympathy from me, as they were plain and simply stupid for doing this.

      The fact that Apple came to their rescue and disabled WireLurker at all is amazing, and they should be counting their blessings for this.

      Anyone who goes out to pirate software should expect a little extra “sumpthin’ sumpthin'” with their download.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!