Skip to main content

WiFi Sync on iOS Vulnerable To TrustJacking

By May 9, 2018June 8th, 2022Cybersecurity

Owners of Apple devices have a new attack vector to worry about, called “TrustJacking.”  Symantec researchers recently stumbled across a pair of scenarios that take advantage of Wi-Fi syncing of various Apple devices. These are scenarios that also take advantage of the trust users have in the security of their own devices, allowing hackers to take complete control over those devices.

The flaw is a consequence of the way that iTunes Wi-Fi Sync is designed.  The vulnerability manifests when a device is connected and the user selects the “sync” feature. This creates an opening which could potentially allow a hacker to take complete control over the device.

The first issue manifests like this:  With the “sync” setting enabled, the device owner has access to both that device and a paired iPhone over a wireless connection, even after the device is disconnected from the syncing service.  That sets up part one.

Part two of the first scenario requires a bit of social engineering, where a hacker tries to trick the device owner to click on a malicious link that will install malware of the hacker’s choosing on the vulnerable system.

The second part of the second scenario targets users who are traveling.  A hacker could take control of a free airport charging station.  In order to make use of those free charging stations, users are required to trust the device.  As soon as that happens, the hacker controlling the charging station can remotely issue a command to connect to iTunes, and then enable the sync command.

Once those two steps are completed, even when the victim disconnects from the charging station, the hacker can still access the compromised device remotely, gaining access to most (if not all) of the user’s private information.

Unlike similar, recently discovered vulnerabilities in Apple products, this one distinguishes itself by allowing the hacker permanent access to the device, making it a dangerous vulnerability indeed.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.