San Francisco -- At the RSA Conference today, security start-up Skycure plans to disclose a vulnerability in Apple iOS devices that can impact mobile-device management (MDM) systems running on them.
According to Skycure co-founders Yair Amit, CTO, and Adi Sharabani, CEO, it’s possible for an attacker to set up a hard to detect “malicious profile” hidden on the device to subvert the user, and this vulnerability has been shared with Apple and is expected to be patched in iOS 7.1. The threat of this “hidden profile” vulnerability extends into its possible impact on mobile-device management (MDM) software used on an unpatched iOS device, according to Skycure.
Through local WiFi access, an attacker exploiting this hidden “malicious profile” vulnerability could change the MDM settings on the user’s device or otherwise tamper with it, says Sharabani. While the hidden-profile flaw should be easily patched, Skycure thinks the MDM part of this may be related to an underlying “flaw in the design of Apple iOS,” he says, which could be “much harder to fix.”
Skycure has seen the “malicious profile” attack in the wild, but it hasn’t seen the specific MDM attack yet, “but we’re concerned it exists out there,” Sharabani concluded.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org