Security Researchers Discover iOS ‘Trustjacking’ Vulnerability, Here’s What You Need To Know About It

If you have ever plugged your iPhone or iPad into a friend’s computer to charge it and tapped Yes when presented with the “Trust This Computer” dialog, you may have opened your data up to remote access without your knowledge.

That’s the report coming out of Symantec after its security researchers accidentally spotted the security flaw when charging their own phones.

According to Adi Sharabani, Symantec’s Senior Vice President of modern operating system security, and Roy Iarchy, the Team Lead of the modern operating system research team, once a user establishes trust with a computer when charging a device, “anything is possible”.

This is the result of a feature within iTunes that allows devices to be synchronized wirelessly over WiFi. That could, in theory, allow an attacker to download data and images from a device without the user’s knowledge or express consent, especially if the user tapped the trust confirmation without knowing what it actually entails.

The Symantec team apparently spotted the flaw when Iarchy connected his own iPhone to his own computer in order to access it.

Roy was doing research and he connected his own iPhone to his own computer to access it. But accidentally he realized that he was not actually connected to his own phone. He was connected to one of his team members’ phones who had connected their mobile device to Roy’s desktop a few weeks before. So Roy started to dig into what exactly he could do and find out if he were an attacker.

While iOS 11 did add a new security layer that requires a device’s passcode to be entered when a new computer is being trusted, that alone does not add enough security to remove this issue. Users are still likely to enter a passcode in an attempt to get power into their devices, without realizing that their iPhone or iPad will charge regardless of whether a computer is trusted.

Ideally, Apple would reword the message that pops up when a new trust relationship is requested informing users to only trust their own machines, although it’s unknown whether this is the approach it will take.

Anyone concerned about whether their devices are at risk here should reset their trusted connections by heading to Settings > General > Reset > Reset Location & Privacy to clear everything out.

(Source: Wired)
