How Hackers Can Infect Apple Macs To Steal iPhone Photos


Apple makes some of the most user-friendly products on the planet but that sometimes comes at the cost of security. And researchers from Tsinghua University Beijing and Indiana University Bloomington have discovered how to exploit that tradeoff, devising ways to pilfer photos, texts and other data with some clever "man-in-the-middle" attacks that they will detail in full at the Black Hat conference in Las Vegas next week.

They focused on Apple's use of so-called zero-configuration technologies. These combine the likes of Bluetooth, Airdrop, Bonjour and other wireless systems to quickly pair, and therefore trust, devices on the same network as a user's iPhone or Mac. For instance, this allows a Mac to quickly sync with an iPhone or a printer.

For at least the last year, though, the researchers have known there are not enough authentication processes to prevent a hacker from deploying malicious software that pretends to be one of those legitimate devices and thereby steal data.

In one attack, they were able to use an infected Mac to silently intercept a document sent from an iPhone to a local printer. They simply had to name their malware the same as the printer, which then changed its own name. Bonjour, Apple's software for automatic discovery of network devices, does not carry out proper verification, then trusts the device with the original name. The researchers carried out their attack with a MacBook Pro and were able to abuse the same weaknesses in Bonjour to intercept photos passing between Macs, iPhones and printers.

"Note that the problem is not limited to printer discovery: actually most apps and systems utilize Bonjour do not have protection at all and therefore are equally vulnerable to such a [man-in-the-middle] attack," they wrote in a paper released earlier this year. Indeed, they did the same with the PhotoSync app. Dr XiaoFeng Wang, one of the Indiana researchers, told FORBES the attack continues to work even though they sent warnings to Apple.
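The printer attack described above leaves a visible trace on the network: two hosts claim the same Bonjour service instance name, and the legitimate device then renames itself to resolve the conflict. The following is an added example, not code from the researchers' paper or from Apple, that scans a log of service advertisements for exactly that pattern. The record format (timestamp, instance name, service type, advertiser address) is an assumption; in practice it would be filled from a packet capture or from `dns-sd` output.

```python
"""Flag Bonjour (mDNS) service-name collisions in a log of advertisements.

Added example. The advert tuple layout is an assumption, and the sample
records below are constructed, not captured from a real network.
"""
from collections import defaultdict

# Constructed sample: the real printer (10.0.0.20) advertises "Office Printer";
# a second host (10.0.0.77) later claims the same name, and the real printer
# renames itself "Office Printer (2)" to resolve the conflict.
SAMPLE_ADVERTS = [
    (100, "Office Printer", "_ipp._tcp", "10.0.0.20"),
    (160, "Office Printer", "_ipp._tcp", "10.0.0.20"),
    (200, "Office Printer", "_ipp._tcp", "10.0.0.77"),
    (202, "Office Printer (2)", "_ipp._tcp", "10.0.0.20"),
    (260, "Office Printer", "_ipp._tcp", "10.0.0.77"),
]


def find_name_hijacks(adverts, window=30):
    """Return one finding per (service type, instance name) with more than one
    advertiser.  A finding names the original advertiser, the newcomer, the
    time of the conflict and, if the original advertiser started using a new
    name of the same type within `window` seconds, that new name: the
    "printer renamed itself" symptom the attack produces.
    """
    adverts = sorted(adverts)
    first_advert = {}            # (type, name, addr) -> first timestamp seen
    claimants = defaultdict(list)  # (type, name) -> addrs in order of appearance
    for ts, name, stype, addr in adverts:
        key = (stype, name, addr)
        if key not in first_advert:
            first_advert[key] = ts
            claimants[(stype, name)].append(addr)

    findings = []
    for (stype, name), addrs in claimants.items():
        if len(addrs) < 2:
            continue  # a single advertiser is the normal case
        original, newcomer = addrs[0], addrs[1]
        t_conflict = first_advert[(stype, name, newcomer)]
        renamed_to = None
        for (s2, n2, a2), t2 in first_advert.items():
            if (a2 == original and s2 == stype and n2 != name
                    and t_conflict <= t2 <= t_conflict + window):
                renamed_to = n2
                break
        findings.append({
            "type": stype,
            "name": name,
            "original": original,
            "newcomer": newcomer,
            "conflict_at": t_conflict,
            "renamed_to": renamed_to,
            # A rename right after the conflict is the strongest indicator.
            "verdict": "likely hijack" if renamed_to else "name conflict",
        })
    return findings


if __name__ == "__main__":
    for f in find_name_hijacks(SAMPLE_ADVERTS):
        print(f)
```

Running it on the sample yields a single "likely hijack" finding for `_ipp._tcp` / "Office Printer", with 10.0.0.77 as the newcomer and "Office Printer (2)" as the name the original advertiser fell back to. Two hosts honestly sharing a name also produce a finding, so the rename within the window is what separates the suspicious case from ordinary collisions.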

At the time of publication Apple had not responded to a request for comment.

In another attack, the researchers went after Handoff, an Apple data sync service that allows users to share activities, such as writing an email, between devices. First, they created a malicious application, which they successfully got onto the Apple App Store. As soon as a Bluetooth connection was made between the iPhone and the Mac, as happens with Handoff, the malware was able to acquire notifications, including SMS, email and instant messages. "We found that the sandboxed app, with only the Bluetooth entitlement, stole all notifications from the iPhone, including SMS, emails, Instant Messages and others." Apple fixed the problem by simply switching off the feature that shared notifications between Macs and iPhones.

For their numerous attacks to work, there was one underlying weakness in the way Apple carries out verification between devices. Whilst Apple uses the SSL encryption standard to verify machines when zero-configuration connections are made, it has proven difficult to do so effectively, the researchers noted. That's because the certificates designed to guarantee a party's authenticity cannot be properly verified. "The binary content they include (e.g. Apple ID) cannot be easily linked to the identifiable information of the persons in the communication (name, appearance, voice, etc.)," the paper read. An attacker can therefore create a service with the same name as a legitimate one, and rely on the fact that adequate checks on those certificates will not be made.

The video below, first posted in August last year, shows an attack on Airdrop taking advantage of the vulnerabilities:

Authenticate with your voice?

There's no simple fix. Wang told FORBES "zero-configuration systems are very difficult to secure... It's very difficult to reconcile security and usability."

One solution to the cryptographic flaws in Apple's designs is to have a user literally speak out their authentication certificate, the researchers proposed. The certificate would be converted into a few pronounceable but rare or even fake words, which the user would record. Whenever a new connection was made between Apple devices, the connecting user would listen to the recording and confirm whether or not the party was to be trusted.
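To make the proposal concrete, the following added example (not the researchers' code and not anything Apple ships) turns a certificate into a short list of fake, pronounceable words and checks a spoken list against it. The word vocabulary, the use of SHA-256 and the six-byte prefix length are all assumptions chosen for illustration; the certificate bytes are constructed stand-ins for real DER data.

```python
"""Map a certificate to fake pronounceable words, and verify words spoken back.

Added example. The vocabulary, hash choice and prefix length are assumptions;
the paper only describes the idea of rare or fake spoken words.
"""
import hashlib
import hmac

# 8 consonants x 2 vowels = 16 syllables; a word is two syllables, so each of
# the 256 byte values gets its own four-letter fake word ("bade", "kena", ...).
CONSONANTS = "bdklmnrs"
VOWELS = "ae"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]
VOCAB = [SYLLABLES[hi] + SYLLABLES[lo] for hi in range(16) for lo in range(16)]
WORD_TO_BYTE = {w: i for i, w in enumerate(VOCAB)}

# Constructed choice: 6 bytes = 48 bits of fingerprint = 6 spoken words.
# A shorter prefix is easier to say but gives an impostor more room to find a
# certificate whose fingerprint starts the same way.
PREFIX_BYTES = 6


def fingerprint_words(cert_der, n=PREFIX_BYTES):
    """Words the certificate owner records: one word per fingerprint byte."""
    digest = hashlib.sha256(cert_der).digest()
    return [VOCAB[b] for b in digest[:n]]


def words_to_bytes(words):
    """Inverse mapping; raises KeyError for anything outside the vocabulary."""
    return bytes(WORD_TO_BYTE[w.lower()] for w in words)


def verify_spoken(cert_der, spoken_words, n=PREFIX_BYTES):
    """True only if the spoken words decode to the fingerprint prefix of the
    certificate actually presented on the connection."""
    try:
        heard = words_to_bytes(spoken_words)
    except KeyError:
        return False  # an unknown word can never match
    expected = hashlib.sha256(cert_der).digest()[:n]
    return len(heard) == n and hmac.compare_digest(heard, expected)


if __name__ == "__main__":
    cert = b"constructed stand-in for a DER certificate"
    words = fingerprint_words(cert)
    print("speak:", " ".join(words))
    print("matches presented cert:", verify_spoken(cert, words))
```

The point the example makes is the one the paper raises: the recording binds a human-recognisable signal (a familiar voice saying these particular words) to the otherwise opaque certificate bytes, so a service with a copied name but a different certificate produces a different word list and fails the check.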

But Patrick Wardle, head of research at Synack and creator of Mac anti-malware tool KnockKnock, said he couldn't envision Apple enforcing such a system. "This isn’t to say the researchers' solution isn’t feasible - it does appear to fix the issue of providing an authentication mechanism... I’m just not sure how practical it is to Apple."
