Two experts at Symantec, a cybersecurity company, have uncovered a frightening vulnerability in iPhone and iPad operating systems that allows a hacker to take control of your device.
You could be targeted, for example, during something as routine as charging your phone at the airport at a charger that contains malware. Or by connecting your device to a computer that is infected or might be infected in the future.
And here’s the thing: the hacker can maintain control over your device, remotely – even after you disconnect from the computer or charger, said Adi Sharabani, Symantec senior vice president of modern OS security, in a phone interview on Wednesday. He and his colleague Roy Iarchy, who discovered the problem, outlined their findings at a recent security conference in San Francisco. Iarchy is Symantec head of research for the same division.
The problem begins when you first connect your phone or iPad with a cord, and a popup appears with the message “Trust This Computer? Your settings and data will be accessible from this computer when connected.” You then have the option to click on “Trust” or “Don’t Trust.”
This message leads most people to think their contents – photos, text messages and other items stored on the phone – are accessible on the computer only while hooked up.
But, “once they (users) hit ‘trust,’ it’s the end of the game,” Sharabani said.
(When this same computer tries to connect to your phone in the future, the “trust” option is automatic and you will no longer get the message. Even worse, malicious actors can access your device even if you never connect to your computer again.)
Even if your own computer or someone else’s was clean when you connected, if it’s hit by a hacker months later, you are still vulnerable if you and the attacker are connected to the same network. The same goes for selling your computer or losing it to a thief – the new owner can exploit the vulnerability and hack into your iPhone or iPad.
(If you’re interested in the technical aspect, the point of entry for this problem is the iTunes Wi-Fi sync option on phones, which can also leverage some capabilities Apple built for app developers, Sharabani and Iarchy say. It allows devices to be synced with iTunes without having to physically connect to a computer. But that feature is just the entry point for trustjacking. You don’t ever have to use this option to be vulnerable.)
While the two researchers disclosed the vulnerability to Apple, which has tried to address the issue, they say the fixes don’t go far enough.
“At the end of the day, what we have here is an … opportunity for attackers to do something really wrong,” Sharabani said.
So what to do?
Sharabani recommends the following:
• Reset your device’s privacy controls, by going to Settings, then General, Reset, Reset Location & Privacy. Now, you will have the option of re-authorizing all previously connected computers next time you connect your device. Iarchy adds that there’s no real reason to allow the trust option when you’re just charging your phone.
• To protect device backups and keep hackers from getting some of your private information, enable the encrypted backups option in iTunes on your computer. Use a strong password.
◊ ◊ ◊
Be aware that if you’re filing a claim for money from the Western Union settlement, the federal government will ask for your Social Security number.
The U.S. Justice Department says that’s because it must first check to make sure you don’t owe any money to the government. If you do, your refund amount could be reduced by the amount you owe. The deadline for applying is May 31.
The reimbursements are the result of a $586 million settlement between the federal government and Western Union and cover people who got ripped off between Jan. 1, 2004, and Jan. 19, 2017. For a secure application, go to www.FTC.gov/WU.