hree weeks ago we wrote about the Invisible Profiles issue that we had identified and reported to Apple. We are happy to announce that Apple’s issue of iOS 7.1 last week includes (among other improvements) a patch for this security issue. Once iOS 7.1 is installed, if the user installs a new “invisible malicious profile”, iOS now handles it correctly – meaning that the profile is visible both in the Profiles list, and via MDM querying. However, please note that invisible profiles that were installed on the device prior to the iOS 7.1 upgrade remain invisible to the user.
Following our presentation at RSA USA 14’, we have decided to share some supporting materials about the bug:
The RSA presentation deck
Recorded demonstrations of possible attack flows
The following movie demonstrates the attack flow and impact of invisible malicious profiles.
The following movie shows the impact of utilizing malicious profiles to exploit inherent limitations of the iOS MDM protocol, as previously identified by David Schuetz’s great work around MDM security.
By creating a specially crafted configuration profile (setting the PayloadIdentifier key with an overlong value), an attacker might be able to install (through either physical access or social engineering), configuration profiles that, once installed, are invisible on the victim’s device.
Create a configuration profile with an overlong PayloadIdentifier key value.
Install the profile on a pre 7.1 iOS device.
After installation, go to Settings > Profiles and look for the new profile (you won’t find it).
Verify that the profile was indeed successfully installed by performing a measurable change, such as setting a proxy for a Wi-Fi network, or setting up a VPN on the device.
The configuration that is embedded in the profile is successfully applied to the system.
When the Profiles list is viewed after the installation is complete, the profile’s existence does not show up.
By its nature this bug leads to two main problems:
The victim is probably not aware of – and would have hard time discovering – the existence of invisible profiles already installed on the device.
The victim cannot remove an invisible profile without taking drastic, inconvenient measures such as device reset.
I’d like to thank Apple’s security team for their responsiveness and constant dedication to the security of Apple’s customers.