back to article How's your Wednesday? Things going well? OK, your iPhone, iPad can be pwned via Wi-Fi sync

The iTunes Wi-Fi sync feature in Apple's iOS can be potentially abused by cops, snoops, and hackers to remotely extract information from, and control, iPhones and iPads. This is according to researchers at Symantec, who discovered that, once an iOS device trusts a physically connected computer, the device can, in certain …

  1. DougS Silver badge

    So you have to hack a computer first?

    Specifically a computer that has been USB synced with an iPhone, and then have that iPhone set to sync over wifi, then maybe have to do extra steps to impersonate its wifi network, and then you can access the phone?

    Sounds like xkcd's $5 hammer would be more effective and something I'd be more worried about, personally (even if I had wifi sync enabled)

  2. JeffyPoooh Silver badge
    Pint

    "It sounds like a bit of a long shot..."

    Perhaps when we see about 50 Security Vulnerabilities in a row that are all 'long shots', then we can just stop worrying about IT security.

    This may be our salvation. Best news I've seen in a while.

    Now, I've got to get back to checking my PC speakers for any unexplained ultrasonic emissions caused by undetected malware that is being used to smuggle my YouTube favorites list out to any nearby government acoustic listening stations that may be under the bed.

  3. WolfFan Silver badge

    Errmm

    In order for this to work, you must

    1 have a computer which was synced to a iDevice at least once in the past

    1a the computer must not have had iTunes cleared in any of several ways, the simplest being to merely delete it and its preference files

    1b the iDevice must not have had its sync settings cleared in any of several ways, the simplest being to go to the Settings and clear it

    2 both the computer and the iDevice must be on the same wireless net

    2a the iDevice must have been set to sync wirelessly

    2b in order to sync wirelessly the iDevice must usually be plugged into power

    2c iTunes must actually bloody work, something which in my experience rarely happens when you bloody want the damn thing to bloody work; I've lost count of the times when iTunes bleats 'the device "important iDevice" cannot be synced because it cannot be found' unless and until I plug the damn iDevice in by USB

    2d the wireless net had better have the correct BSID, the computer had better have the correct network ID, the router had better behave itself

    3 the user had best kneel and say five Hail Steves and a Damnation to Bill. Three Damnations if the computer in use runs Windows. Four if Windows 10. Seriously, if you forced a prisoner of war to use iTunes under Win 10 you'd be up before the War Crimes Tribunal. Hardened Taliban fighters in Gitmo scream like little girls when they see the dreaded iTunes logo booting up.

    4 the sync had better run properly; I've lost count of the number of times that I start to sync an iDevice, iTunes says its syncing, the device says its syncing... two hours later its still syncing. There's a problem. Restart the iDevice. iTunes reports an error, can't find the device 'important iDevice', a check shows that last sync was last night. Try again. This time the sync takes a few minutes. All is well.

    5 the version of iOS and of iTunes had best be compatible. If the version of iOS is too old, iTunes can't find the iDevice. If the version of iTunes is too old, the iDevice refuses to connect.

    1. M man

      Re: Errmm

      1 well yes.

      1b/c ...anyone who lets the PC get pwned wont be doing this.

      2 3 4 5.....irrelivant, youre using dev tools.

  4. Anonymous Coward
    Anonymous Coward

    Chrome Browser

    Google's Chrome browser has lots of built in API's for communicating with devices plugged in to USB as well as Bluetooth.

    Also, while looking through a decompiled Android app I found an unusual developer analytics function made by Facebook which allowed me to view the apps SQLite databases over Chrome while the Android device was plugged in to the computers USB port by using Chrome's "chrome://devices" page.

    (The Android Debugging Bridge had to be enabled on the Android device for me to do this however.)

    Needless to say I no longer charge my phone through my laptop any longer.

    1. stuff and nonesense

      Re: Chrome Browser

      What is Google Chrome?

      1. Scorchio!!
        Happy

        Re: Chrome Browser

        "What is Google Chrome?"

        Nevereardofit!

  5. Andy3

    Can be abused. Not 'can be potentially abused'. It can be abused, simple as that. No need for the 'potentially' at all. Sorry to be pedantic, but I'm seeing this everywhere recently.

  6. Anonymous Coward
    Anonymous Coward

    In simple words, isn't it just...

    A machine that has been given trusted access to an iDevice is allowed to access an iDevice? The downside being that the access may be as a result of a compromise of the trusted system.

  7. Marty McFly
    Big Brother

    Privacy rather than security??

    Seems to me this is more about data privacy rather than security of my iThingy. So if the government is coming after me they could extend their access from my PC to potentially get at secrets I thought were all locked up on my device.

  8. jockbroon

    This exploit actually sounds like it's exposing a lot of useful functionality. I'd love to be able to remotely control/manage/organise an iPhone via WiFi, see live screencasts from it etc. but of course Apple has decided that should not be possible.

    I remember when iTunes used to let you re-orgnanise your iPhone apps from a PC. That was removed in 12.7, for reasons known only to our wise overlords at Apple.

  9. mix
    Coat

    Connecting a phone to a computer

    How quaint.

    1. M man

      Re: Connecting a [computer] to a[n older] computer

      there FtFY

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019