8 comments

[ 2.8 ms ] story [ 26.5 ms ] thread
the Chinese government denied the claims and was backed by state-owned internet provider China Telecom, which said the accusation was "untrue and unfounded".

I cant quite put my finger on it, but an isp chiming in and saying it wasnt the government just strikes me as weird.

A more informative technical explanation is given here: http://www.zdziarski.com/blog/?p=4140

TL;DR: Pirated OSX apps with components that listen for iphone usb connections, which then gathers some metadata from the phone, and if the phone is jailbroken, it also grabs actual data (imessages etc) by uploading an ios backdoor component that hooks onto the commonly installed mobilesubstrate jailbreak helper.

Also, for non-jailbroken iphones, it uses an enterprise adhoc distribution certificate to install additional ios apps which apparently has been backdoored - article doesn't specify which apps, but apparently there's a risk that one could replace well-known apps like facebook by using the same bundle-id as the legit ones. I guess the user will be prompted on first run to accept the enterprise cert.

All in all it doesn't appear to exploit any vulnerabilities, just using existing features for what they are worth.

Damn thats nasty. Thanks for the info!
Is this the first time there's been a credible attack against non-jailbroken phones?
Doubtful, and ios7 (and 8) tightened up on pairing probably because of the scare of leaking data when charging with an untrusted USB peer. But maybe one of the first high-profile, mass-distributed ones?

Also, don't forget that jailbreaking itself by definition proves the possibility of attacking a non-jailbroken device via USB (or sometimes, even via the web in mobile safari). The fact that you get a visible Cydia app icon and optionally an SSH daemon with a known root password just means this time the attacker (hopefully, you) was benevolent.

> Doubtful, and ios7 (and 8) tightened up on pairing

They could still do more. It would be nice to be able to see a editable list of trusted devices. At the moment, on first connection, a "do you trust this computer?" prompt comes up. If you select "trust", to my knowledge there's no way to then revoke that trust. Additionally, there's no "don't ask me again" button, so if you do use your device with an un-trusted computer you have to be careful to never accidentally click the "trust" button every single time you plug it in (e.g. if you want to charge but don't want to sync).

You can revoke all pairing trusts (on ios8, at least) with:

  Settings > General > Reset > Reset Location & Privacy
AFAIK there is no UI for individual pairing management, but I think the full reset is completely safe/non-destructive otherwise -- just re-pair on the machines you do trust, and everything continues as usual without data loss or huge resync, etc.
What about slightly Chinese users? Are they immune to the malware?