
ALERT! Cyber threat to Apple iOS Devices

November 19, 2014

The U.S. Department of Homeland Security (DHS) on November 13 issued an ALERT on a cyber-threat to Apple iOS devices.

Why this is important to PIA Agencies: This is a concern because many agency staff do business, or are in some way connected to their agency operations, through cell phones and pads – 50% of which are Apple. NOTE: The Apple App Store posts applications that have been reviewed by Apple, and these pose less exposure than when an Apple device user downloads apps from the general Internet.

Apple iOS Devices are:

Systems Affected – iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta.

Overview – A technique labeled "Masque Attack" allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description – Masque Attack was discovered and described by FireEye mobile security researchers. This attack works by luring users to install an app from a source other than the iOS App Store or their organizations' provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app—with the same "bundle identifier" as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user's data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple's own iOS platform apps, such as Mobile Safari, are not vulnerable.
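The following Python sketch is an added illustration, not code from the DHS alert or from FireEye. It models the install-time check the paragraph above says iOS does not make, and an inventory audit a defender could run against a known-good baseline. The app names, signer fingerprints and inventory format are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str  # bundle identifier (constructed values below)
    signer: str     # signing-certificate fingerprint (constructed placeholder)
    source: str     # "app_store", "enterprise" or "web"

def install_decision(installed, incoming, enforce_signer):
    """Decide what happens when `incoming` is installed on a device.

    enforce_signer=False models the weakness in the alert: a matching bundle
    identifier alone lets the new app replace the old one and keep its data.
    enforce_signer=True models the missing check: the certificate must match.
    """
    current = installed.get(incoming.bundle_id)
    if current is None:
        return "install"   # no app with this identifier yet
    if enforce_signer and current.signer != incoming.signer:
        return "reject"    # same identifier, different certificate
    return "replace"       # the existing app's data is kept

def audit(baseline, inventory):
    """Return inventory apps whose bundle id is known but whose signer differs."""
    return [app for app in inventory
            if app.bundle_id in baseline and baseline[app.bundle_id] != app.signer]

# Constructed sample data: hypothetical app names and fingerprints.
LEGIT = App("com.example.agencymail", "SIGNER-AAAA", "app_store")
UPDATE = App("com.example.agencymail", "SIGNER-AAAA", "app_store")
LOOKALIKE = App("com.example.agencymail", "SIGNER-ZZZZ", "web")
OTHER = App("com.example.notes", "SIGNER-BBBB", "enterprise")

INSTALLED = {LEGIT.bundle_id: LEGIT}
BASELINE = {LEGIT.bundle_id: LEGIT.signer, OTHER.bundle_id: OTHER.signer}

if __name__ == "__main__":
    for label, app in (("update", UPDATE), ("lookalike", LOOKALIKE), ("new", OTHER)):
        print(label,
              "| id only:", install_decision(INSTALLED, app, False),
              "| id + signer:", install_decision(INSTALLED, app, True))
    for app in audit(BASELINE, [LOOKALIKE, OTHER]):
        print("signer mismatch:", app.bundle_id, app.signer, "from", app.source)
```

With the identifier-only policy the lookalike is treated exactly like a genuine update; only the signer comparison separates the two.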

Further details on Masque Attack and mitigation guidance can be found on FireEye's blog. US-CERT does not endorse or support any particular product or vendor.

ALERT (TA14-317A)
Original release date: November 13, 2014
U.S. Department of Homeland Security
United States Computer Emergency Readiness Team
