sec14-paper-wang-tielei

On the Feasibility of Large-Scale Infections of iOS DevicesTielei Wang, Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau, and Wenke LeeSchool of Computer Science, College of Computing, Georgia Institute of Technology{tielei.wang, yeongjin.jang, yizheng.chen, pchung, billy, wenke}@cc.gatech.eduAbstractWhile Apple iOS has gained increasing attention fromattackers due to its rising popularity, very few large scaleinfections of iOS devices have been discovered becauseof iOS’ advanced security architecture. In this paper,we show that infecting a large number of iOS devicesthrough botnets is feasible. By exploiting design flawsand weaknesses in the iTunes syncing process, the deviceprovisioning process, and in file storage, we demonstratethat a compromised computer can be instructed toinstall Apple-signed malicious apps on a connected iOSdevice, replace existing apps with attacker-signed maliciousapps, and steal private data (e.g., Facebook andGmail app cookies) from an iOS device. By analyzingDNS queries generated from more than half a millionanonymized IP addresses in known botnets, we measurethat on average, 23% of bot IP addresses demonstrateiOS device existence and Windows iTunes purchases,implying that 23% of bots will eventually have connectionswith iOS devices, thus making a large scale infectionfeasible.1 IntroductionAs one of the most popular mobile platforms, AppleiOS has been successful in preventing the distribution ofmalicious apps [23, 32]. Although botnets on Androidand jailbroken iOS devices have been discovered in thewild [40, 42, 43, 45, 54], large-scale infections of nonjailbrokeniOS devices are considered extremely difficultfor many reasons.First, Apple has powerful revocation capabilities, includingremoving any app from the App Store, remotelydisabling apps installed on iOS devices, and revoking anydeveloper certificate. This makes the removal of maliciousapps relatively straightforward once Apple noticesthem.Second, the mandatory code signing mechanism iniOS ensures that only apps signed by Apple or certifiedby Apple can be installed and run on iOS devices. Thissignificantly reduces the number of distribution channelsof iOS apps, forcing attackers to have their apps signedby a trusted authority.Third, the Digital Rights Management (DRM) technologyin iOS prevents users from sharing apps amongarbitrary iOS devices, which has a side effect of limitingthe distribution of malicious apps published on theApp Store. Although recent studies show that maliciousapps can easily bypass Apple’s app vetting process andappear in the Apple App Store [26, 36, 51], lacking theability to self-propagate, these malicious apps can onlyaffect a limited number of iOS users who accidentally(e.g., by chance or when tricked by social-engineeringtactics) download and run them. Specifically, to run anapp signed by Apple, an iOS device has to be authenticatedby the Apple ID that purchased the app. For example,suppose we use an Apple ID A to download a copy ofa malicious app from the App Store and later we installthis copy on an iOS device that is bound to Apple ID B .This copy cannot run on the iOS device that is boundto Apple ID B because of the failure of DRM validation.On iOS 6.0 or later, when launching this app, iOS willpop up a window (Figure 1) to ask the user to re-inputan Apple ID and a password. If the user cannot input thecorrect Apple ID (i.e., Apple ID A ) and the correspondingpassword, iOS refuses to run the app.In this paper, we show that despite these advanced securitytechniques employed by iOS, infecting a largenumber of non-jailbroken iOS devices through botnetsis feasible. Even though iOS devices are designedfor mobile use, they often need to be connected to personalcomputers via USB or Wi-Fi for many reasons,such as backup, restore, syncing, upgrade, and charging.We find that the USB and Wi-Fi communication channelsbetween iOS devices and computers are not wellprotected. Consequently, a compromised computer (i.e.,a bot) can be easily instructed to install malicious appsonto its connected iOS devices and gain access to users’1USENIX Association 23rd USENIX Security Symposium 79