Intro

An iPhone user's worst nightmare is to have someone gain persistent control over his/her device, including the ability to record and control all activity without even needing to be in the same room. In this blog post, we present a new vulnerability called “Trustjacking”, which allows an attacker to do exactly that.

This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner, while the device and the computer are connected to the same network, allows an attacker to gain permanent control over the device. In addition, we will walk through past related vulnerabilities, show the changes that Apple has made in order to mitigate them, and explain why these are not enough to prevent similar attacks.

A recap of related past vulnerabilities / attacks

Several past publications discuss leveraging unauthorized USB connections in order to extract private information from mobile devices.

Prior to iOS 7, connecting an iOS device to a new computer didn't require any authorization from the device owner. Juice jacking [1] [2] [3] abuses this behavior: a malicious charger or computer can steal sensitive information from the device and may install malware on it. Apple addressed this issue by adding the popup that asks the user to authorize new computers before any sync operation is allowed.

Another publication discusses Videojacking, which abuses the Apple connector's ability to act as an HDMI output in order to capture a screen recording of the iOS device while it is connected to a malicious charger.

Both attacks gave an attacker potential access to sensitive information, but their major limitation was that they only worked while the device was physically connected to the malicious hardware; disconnecting the device stopped the attack.

Trustjacking allows an attacker to gain a more continuous and persistent hold of the device and retain the same abilities long after the device has been disconnected from the malicious hardware. To understand how this works, we first need to explain iTunes Wi-Fi sync.

What is iTunes Wi-Fi sync?

iTunes Wi-Fi sync is a very useful feature that allows iOS devices to be synced with iTunes without having to physically connect the iOS device to the computer.

Enabling this feature requires first syncing the iOS device with iTunes over a cable connection to the computer, and then enabling the option in iTunes to sync with that iOS device over Wi-Fi.