The WireLurker malware that may have infected hundreds of thousands of Mac OS and iOS devices is exactly like a proof-of-concept attack Apple was warned about at the beginning of this year, according to the researcher who first publicly described such attacks.
The malware can siphon off data from iOS devices when they sync up with computers or are charged by computers via USB cables, but the potential for this type of attack can be much broader, says Tielei Wang, a researcher at Georgia Institute of Technology who presented a paper about such attacks at the USENIX Security Symposium in August.
While WireLurker has targeted only Mac OS computers, similar attacks could come through computers running Windows and Linux operating systems, says Wang.
He says he submitted his work to USENIX at the start of 2014 and had already notified Apple about the findings then.
When asked whether Apple took any action based on Wang’s warning, an Apple spokesman responded with this statement: “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”
Wang says that even with the identified apps blocked, it’s still possible that new and similarly malicious applications could be written and distributed by third parties. It’s also possible that such apps could infiltrate the App Store inventory and be downloaded by customers for a period before they are discovered as malicious, he says.
Distributing any apps to iOS devices requires a signature generated by Apple. Alternatively, attackers could use an Apple enterprise developers’ license to generate their own signatures that iOS devices would then accept, Wang says. The developers’ licenses are meant to let businesses write their own iOS apps and then distribute them to their users without having to go through the App Store.
In his research paper, Wang says botnets could be used as a distribution mechanism for this type of attack. Infected zombie machines would steal data or download malicious apps to iOS devices when they connected via USB cable. In this case, bot-herders would distribute the malware to the bots rather than the malware hiding in applications downloaded from app stores.
What’s needed to stop WireLurker-type attacks is an Apple mechanism that allows computers connected to iOS devices by USB cables to download apps or gather data only if users explicitly allow it, Wang says. At the moment, Apple doesn’t require such approval. “Apple over-trusts PCs,” he says.
Wang says his research was intended to improve the security of Apple’s products. “If it had seriously considered our report it probably could have prevented the attack,” he says. “Sometimes security research is like a game. If you don’t take action based on new knowledge, the other side could learn the new knowledge and be advanced.”
Microsoft grants similar permissions for developers to sign their own Modern Apps, the name for apps designed to run specifically on Windows 8.1 machines. Wang says he hasn’t studied it but thinks these Windows developers’ permissions could be exploited to devise WireLurker-type attacks against Windows 8.1 devices.