A security researcher says that Apple's most popular device, the iPhone, is vulnerable to an attack that allows an attacker to spoof web pages even when the pages are protected by SSL.
Charlie Miller, a researcher at Independent Security Evaluators, further said that the flaw lies in a feature that makes it easy to configure large numbers of iPhones so that they follow an organization's IT policies. The attack relies on getting the user to accept a rogue configuration file.

Miller told The Register:
If the user accepts, the attacker can make changes to the phone's configuration which can cause harm.
The hack could change an iPhone's proxy settings, which would allow attackers to do further damage, such as funneling most of the phone's internet traffic to servers under their control.
Miller wrote:
It definitely allows them to change the trusted certs, which means that you can't trust SSL anymore. I don't have the cert the guy generated to really confirm things on my own. I'm very confident that it can do a lot though.
Cryptopath notes that:
Apple needs to define who should be able to download mobileconfig files onto a device, be it an end-user or a company, and devise a correct way to share keys between the device and its associated provisioning server.
via [Cryptopath]
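For anyone reviewing a configuration profile before it reaches a device, the two changes described above (added trusted certificates and proxy settings) can be checked mechanically. The following is an added example, not code from Miller, Cryptopath or Apple: the function names, the list of certificate payload types and the sample profile are assumptions constructed for illustration, and it only reads unsigned plist profiles.

```python
import plistlib

# Payload types that add certificates to the device (assumed list; extend as needed).
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pkcs1"}

def proxy_keys(node, path=""):
    """Yield (path, value) for every proxy-related setting nested in a payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            scalar = not isinstance(value, (dict, list))
            if "proxy" in key.lower() and scalar and value not in ("", "None", None):
                yield here, value
            else:
                yield from proxy_keys(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from proxy_keys(item, f"{path}[{i}]")

def audit_profile(raw: bytes) -> list:
    """Return findings for payloads that touch trusted certs or proxy settings."""
    try:
        profile = plistlib.loads(raw)
    except plistlib.InvalidFileException:
        # Signed or encrypted profiles are wrapped and must be unwrapped first.
        return ["not a plain plist (signed or encrypted?); unwrap before auditing"]
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        if ptype in CERT_PAYLOADS:
            name = payload.get("PayloadDisplayName", "(unnamed)")
            findings.append(f"CERT {ptype} {name!r}: installs a certificate")
        for where, value in proxy_keys(payload):
            findings.append(f"PROXY {ptype} {where}={value}")
    return findings

# Constructed sample profile (not a real profile or certificate).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed example",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Root CA",
         "PayloadContent": b"constructed-bytes-not-a-real-cert"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleNet",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid",
         "ProxyServerPort": 8080},
    ],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```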



