Configuration profiles can be installed on the iPhone, iPod touch, or iPad in order to help Apple diagnose things like battery life problems and to change settings for certain types of network access, among other things. Unfortunately, like many empowered conveniences, they bring with them theoretical security concerns. Namely, bad guys could make a malicious profile and try to trick us into installing it so they can do us harm. Skycure -- a security vendor, keep in mind -- reports:
A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions. In addition to being able to route all of the victim’s traffic through the attacker’s server, a more interesting and hazardous characteristic of malicious profiles is the ability to install root certificates on victims’ devices. This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data. A few concrete impact examples include: stealing one’s Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these account, potentially creating havoc.
Matthew Panzarino of The Next Web went through a demo:
After the profile was installed, [Skycure CEO Adi Sharabani] demonstrated to me that he could not only read exactly which websites I was visiting, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.
To be clear, like any human engineering attack we -- the user -- has to install the malicious profile. It's not dissimilar to Phishing attacks or web popups on Windows or Mac PCs that claim account problems or promise free movies, porn, gadgets, or other scare tactics/enticements to get us to click/tap and install them on our systems. That's because they're not allowed installing themselves, we have to inject them ourselves.
For configuration profiles, you need to tap a link to initiate the install, then confirm the install in a modal pop-up dialog. In some cases, if you have a Passcode set, it might ask for that as well. Two user actions required, maybe three. The certificate also shows what it is going to do. For example, Panzarino's showed VPN settings. That means all his traffic would be sent through someone else's Virtual Private Network. If you're not sure what something means, Google and places like the iMore forums are your friend.
So, just like with desktop web browsers, we have to be careful what we click/tap on. The same advice always applies, be it in real life or virtual systems. Don't talk to strange configuration profiles. Don't take candy from them and don't help them find lost pets.
In other words, don't be panicked, but absolutely be careful. Hit the link below for more on how this works and what you need to look out for.
Source: Skycure, The Next Web
Update: Nick Arnott pointed out I was conflating configuration and provisioning profiles in the article, and that provisioning profiles -- the kind developers issue for ad hoc/beta apps -- likely aren't susceptible to this type of attack.
Someone mailed an AirTag to themselves to see if they could track its route
Just how good are AirTags? That's something YouTuber AirtagAlex wanted to find out, so they mailed one to themselves.
Will we ever get a new iPad mini?
Some of us thought we'd see a new iPad mini during the Apple 'Spring loaded' event, but that wasn't the case. Why does Apple continue to neglect the smallest iPad?
Kuo: Apple will ship an 8-inch foldable iPhone in 2023
Apple is rumored to be working on a foldable iPhone and analyst Ming-Chi Kuo says that it will ship around 20 million of them in 2023.
Keep your iPhone 12 mini pristine with a great case
The iPhone 12 mini fits more easily in your hand, but that doesn't mean drops can't happen. Just in case, we've rounded up some of the best iPhone cases for your iPhone 12 mini.