back to article Got an iPhone or iPad? LOOK OUT for MASQUE-D INTRUDERS

Security experts have now probed further into the vuln in non-jailbroken iOS 7 and iOS 8 devices which was exploited by the previously revealed WireLurker USB-hopping malware. Dubbed a “Masque Attack”, the tactic allows hackers to install iOS apps on iPhone or iPad via email or text message. The attack takes advantage of a …

  1. Chika

    I hate to say it...

    The moral of this story is one that most realists will know very well.

    If a computer, regardless of architecture or operating system, is connected to something else, then there is always a possibility that it will be able to download something that disagrees with it.

    Apple systems are just as vulnerable as anything else. If anything, now that it has so much more of a profile in computing circles, it looks as if it is gaining some degree of notice from those that wish nothing but harm to online users in general. Any Apple fanboi that thinks otherwise is merely deluding themselves.

    1. Mike Bell

      Re: I hate to say it...

      I agree with you for the most part. But I'd like to see you cite one of these mythical worry-free fanbois that are mentioned so often on this forum. They don't seem to post here, funnily enough. Fanboi though I am, I've never said that my iPhone is invulnerable. Indeed, if it were, how come it gets security patches with every OS update?

      Having said that, iOS security is still very strong indeed, and the relative lack of malware on the platform is testament to that. Especially given the vast number of iPhones that are out there presenting juicy targets for the bad guys.

      1. Anonymous Coward
        Anonymous Coward

        Re: I hate to say it...

        Especially given the vast number of iPhones that are out there presenting juicy targets for the bad guys.

        It's slightly ironic that this also exposes Microsoft's "we get hacked more because we're popular" argument for the BS it is. Engineer it right, and it becomes a lot harder to break it.

      2. outofit

        Re: I hate to say it...

        I managed to stop myself from calling a Mac user a complete a*se when he said in this august publication that Apple computers cannot be infected. I couldn't bring myself to argue after the Darwin Awards came to mind - I thought it better he went on his own happy way. Wonder if he's been relegated to an Etch-a-Sketch yet?

        1. Anonymous Coward
          Anonymous Coward

          Re: I hate to say it...

          I managed to stop myself from calling a Mac user a complete a*se when he said in this august publication that Apple computers cannot be infected.

          Although I'm a Mac user myself, I'd say you would be completely justified in that opinion. It's less work to keep them safe, but it's most certainly not impossible to infect the platform. IMHO, the biggest problem on OSX are trojans.

          As a matter of fact, I have had that argument with Linux users who claimed the same, but I had the benefit of being a Linux user from the early Slackware days and I recall that being as closed as a red light district on payday. It's gotten a *lot* better over time, but the lesson remained: *any* platform has vulnerabilities and needs care to keep it safe. Some just need more help than others.

          1. Les Matthew

            Re: I hate to say it...

            "the biggest problem on OSX are trojans"

            I thought the users were the biggest problem on any system.

            1. Anonymous Coward
              Anonymous Coward

              Re: I hate to say it...

              I thought the users were the biggest problem on any system.

              That attitude is actually partly the reason why IT is in a mess and perceived to be a problem rather than a supplier of solutions. One of the most informative things I have done in a long career is to turn my viewpoint 180° and start looking at IT from a user's perspective (no, not upside down - different axis : ).

              I'm not telling you to change your life, but try to exercise this viewpoint for a couple of weeks. I'm positive you'll come up with insights that make you even better at your job.

              You can always auto-nuke their network print jobs later if you need to recover from it :)

        2. Mike Flugennock

          Re: I hate to say it...

          Good one, man. It bugs the hell out of me when I hear fellow Mac users brag about how their systems can't be infected. I remind them that one of the very first viruses to gain widespread media attention in the late '80s was a MacOS virus.

    2. Solmyr ibn Wali Barad

      Re: I hate to say it...

      There's also the monoculture angle. Reducing the number of variants in the wild might yield some convenience and efficiency. But introduces the risk of, say, 95% of the population being vulnerable to a nasty disease.

    3. Mike Flugennock

      Re: I hate to say it...

      Just threw you an upvote for that... and I've been a MacOS user since '85, and got a 4S a little over a year ago. I have a grand total of 1 (count 'em, ONE) third-party app, Twitter. I've also been blowing off IOS updates ever since I got the heads-up about the battery-murdering IOS7 update.

      Not to say what these people are doing isn't vile and underhanded, but I long ago learned to be responsible for my own security, and not fall for lame bullshit like "social engineering".

  2. Crazy Operations Guy Silver badge

    Why would they allow installs from text/email?

    Given their walled-garden approach, I figured they would have set things up so that executable code could only be modified by the store app, and only during an install requiring your password. Otherwise the file system the binaries are on stay read-only.

    1. Joe 35

      Re: Why would they allow installs from text/email?

      Given their walled-garden approach, I figured they would have set things up so that executable code could only be modified by the store app, and only during an install requiring your password.


      This is for "side loaded" apps.

      So, you would receive what is likely an unsolicited email.

      In the email is text that says "how would you like to download such and such an app"

      You click on the link.

      You install the app

      You are an idiot.

      1. ratfox Silver badge

        "side loaded" apps?

        I thought it was impossible to side-load apps on iDevices? Wasn't that a key reason they were supposed to be safer?

        1. DaveMcM

          Re: "side loaded" apps?

          From what I've read elsewhere the fake apps are "legitimately" signed using an enterprise signing profile (used by companies to write and distribute apps internally without the app store - whether this profile is genuine or stolen in this case isn't clear) and the user is also asked to install and trust this signing profile as part of the installation process...

          Stupid is as stupid does...

          1. DougS Silver badge

            Re: "side loaded" apps?

            If so, the "install via email/text" is not a bug, but working as designed for enterprise apps? Shouldn't there be a better way to deliver apps, like interfacing via the App Store where other software installs work?

            As I said before on another thread, my big issue here is the act of accepting an enterprise signing key should be a separate step. First I knowingly (or at least as much as possible, for less clueful users against clever social engineering attacks) accept a signing key for a certain company. With a dialog that makes it as clear as possible what is happening. Ideally it would be a two way process, where the company has to first approve me somewhere before I can accept the key (this would help in the case of stolen keys) Only then can I install their apps. It shouldn't be possible to do both at once, which it sounds like is happening here.

            So the real bug is that if you use the same name and UUID for your app as Facebook does, it'll just wipe out Facebook but leave the data? Sounds like there's a missing step somewhere where the apps have to be properly signed or have their signatures verified at install time if they are signed. If the signature doesn't match then it should refuse the update because it isn't signed like a Facebook app should be.

            May not be too easy to come up with a complete fix, but hopefully before long now that word has gotten out. Apparently only about a dozen people were actually compromised before Apple disabled the certificate, so it wasn't a problem, until it is closed it will leave the less clueful vulnerable (I say less clueful because there is some sort of dialog that comes up where you have to approve the software install, and hopefully most people would be rightly suspicious of that happening unexpectedly based on an email or text message instead of the App Store)

            1. Crazy Operations Guy Silver badge

              Re: "side loaded" apps?

              "interfacing via the App Store where other software installs work" that's what I was thinking. Make everything simple by setting up the store with an Apple cert for publicly available apps and then allow enterprises to install their own certificate along side the Apple certificate to verify their deployment server.

              Or better yet, flip the authentication method where the client (phone/pad/pod, whatever) verifies the server's certificate and presents it own once its verified. Done properly, it would allow enterprises to publish their internal apps to the main Apple store and make it only available to a select number of client phones by way of adding whitelists of certificate hashes (with each phone having a different client cert). These apps would then be signed by Apple, rather than the Enterprise. This would create a scenario where the IT department of the company no longer needs to maintain infrastructure while still ensuring that their users get verified apps and staying as secure as they can be.

              This could then be expanded to allow developers to build right to the App store and deploy to only their own phones/devices and ones registered in a white-list. Hell maybe Apple could offer a cloud-based repository/build system; write code, commit, Apple servers build it, do some preliminary tests, sign it, push to store, app gets pulled down by phone if its on the proper whitelist, device sends back debug data to the Apple dev cloud and reports are filed into the code's repository. As the app is polished and tested, the whitelist is expanded to include beta-testers, then finally the targeted audience.

              If you're going for a walled-garden/big-brother approach, you can't take half measures, otherwise stupid crap like this exploit happens.

              (Note: I have only a high-level view of what Apple does, the last Apple device I've ever used was a Powermac all-in-one in the late 90's)

  3. btrower

    Good excuse ...

    ... to jailbreak my phone. I am so late to this party...

    1. Jos

      Re: Good excuse ...

      Not sure if I'm reading this articles correctly into what it implies, but my take on it is that with these latest vulns, they can actually enter non-jailbroken devices, which is supposed to be much harder than jailbroken devices.

      Meaning, it was already done and easy to do on jailbroken phones, but now the non-jailbroken ones are targets too.

      This would mean that jailbreaking yours is not exactly a solution to the problem.

      Happy to stand corrected here though...

  4. Shane Sturrock

    iOS 7.1.3?

    I wonder if Apple will release an update to iOS 7 since my old iPhone 4 can't run iOS 8 or are they just going to say that's it and leave all those phones vulnerable? As another reader said, this is where a jailbreak kicks in nicely but realistically, Apple should at least patch such nasties as this since they were still selling the iPhone 4 just a year ago.

    1. Joe 35

      Re: iOS 7.1.3?

      The only nasty is if you were dumb enough to install an app not on the app store, via a link sent you in an email.

      I dont think a fix exists on any OS to stop such idiocy.

    2. Rootkitten

      Re: iOS 7.1.3?

      They can't fix iOS 8.1, spread too thin to finish iOS 7.


  5. Anonymous Coward

    Malware on my wife's iPhone

    Dear Reg,

    My wife was having all kinds of trouble with her iPhone last week, and she asked me to look at it. I found that it has a massive chunk of malware/spyware on it called "iOS8". It seems to apparently be vacuuming all her personal data, emails, credit cards, thumbprints, etc, into a hideously slow, second-rate music-sharing app called "iTunes".

    Anyone know how to get rid of it? Can I just replace it with CyanogenMod and get her back to using a functional phone? Or do I have to buy her a proper Windows 8 phone?


    Anxious in America

    1. Steve Davies 3 Silver badge

      Re: Malware on my wife's iPhone

      So you can't be bothered to disable it all then?

      Well, you deserve all the pain and grief you are going to get but we know you don't like anyhing Fruity so get over it and buy an real phone like a Dumb Nokia. Then you won't have anything to complain about...

    2. Mike Flugennock

      Re: Malware on my wife's iPhone

      Pardon my asking, but are you British? I thought you guys were supposed to be really great at sarcasm.

  6. Anonymous Coward
    Anonymous Coward


    I don't believe this story.

  7. Anonymous Coward
    Anonymous Coward


    I have worked in IT/ICT education for too many years to mention, and quite a lot of young Iphone users want to get something for nothing, with this problem they will definitely get something.

    1. Jamie Jones Silver badge

      Re: Education

      When will the kids learn to have safe-text?

  8. Anonymous Coward
    Anonymous Coward

    Sounds a bit like trying to invent the gun that can't shoot you in the foot by accident - even if you point it, take off the safety, pull the trigger etc. If you are going to install apps from 3rd party stores / via email / ignore warnings etc. what do you expect.

    The Macbook can be set to only run apps from the official App Store, App Store and Identified Developers or Anywhere. Clearly if you are going to set it to Anywhere and ignore all the warnings there is probably little Apple or anyone can do. I appreciate there may have been some abuse of corporate certificates - but still.

    It's a bit like people who will install any 'download assistant' software to get free music / files - ignoring warnings from their AV software and installing malware - then wailing.

  9. Anonymous Coward
    Anonymous Coward

    This is bad

    ...however the real story here is that a trusted enterprise cert has been compromised and is being used to sign malware. Once it's revoked or expired, the malware will no longer be able to be installed or executed.

    If you think this is bad, it would be possible to enrol iOS devices into MDM using profiles emailed to the user that are signed with this cert - the user would have to agree to them being installed however by tapping through a big warning in red letters, but if they install them it would be possible to do all kinds of nasty things such as installing further CA level certs onto the device, and even redirecting web traffic through a MITM SSL proxy.

  10. Player_16
    Paris Hilton

    RTFM Steve Davies 3

    Or get your own phone.

  11. GeirOElnir

    Copycat Apple

    Android has had this for years and years. And does it better too.

    1. Simon Taylor 1

      Re: Copycat Apple

      BS. It is not possible, from a 3rd party store, or from an email, or from SMS or by side loading, to replace an application of the same name unless it has been signed with the same certificate which is never stored online. There are no known vulnerabilities here.

      It really p*sses me off when Apple lovers bleat about how insecure Android is when in fact is suffers from exactly the same attack vectors as this iOS, except this one of course, most of which are driven by user stupidity/apathy.

      The myths of secure OSX and iOS have been comprehensively debunked in the last 18 months or so. Remember how for almost a year, iOS would accept ANY SSL certificate? That has to be the biggest hole yet found in any mobile platform.

      What people like you seem to miss is that the more you bleat, feeling somehow superior, the more you drive the hatred of Apple. Do you think that in some way people will think "You know what, you're right. I must switch platforms"?

  12. Rootkitten

    Reported similar in April to Apple, but this lets you connect wirelessly and gives full control

    We found a rootkit that infects over wifi and Bluetooth and even infect iPads in airplane mode. Apple first denied it then tried to patch it but it's still working, Dan watch you on your camera and does not turn on the indicator light. Have it on a couple iPads if any security companies want to play with it.

  13. jaffa99


    ......iOS only just works

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019