iPhone, iPad Configuration Files Security Hole Shown

That warning comes via Israeli mobile security startup Skycure, which Tuesday published a proof-of-concept research on the company's blog, showing how iOS mobileconfig files, which are designed to configure devices to work with a carrier's cellular network,Now you can cost effectively mount a ipad bluetooth keyboard in conjunction with your RAM Tablet mounting solution using this design. could be used instead to remotely control an iPhone or iPad and steal data.All kinds of jordan shoes for girls are on sale now,choose jordan shoes you like best.

Skycure CEO Adi Sharabani, a former security and research manager at Web application security firm Watchfire -- bought by IBM in 2007 -- was scheduled to present the company's findings Tuesday at the 13th annual Herzliya Conference in Israel. The conference is billed as the country's "primary global policy annual gathering … to address pressing national, regional and world strategic issues."

Just what is a mobileconfig file? The XML files are produced using the iPhone Configuration Utility (iPCU), and are designed to allow carriers to easily configure their subscribers' phones. "These MobileConfiguration files can contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod Touch, and iPad to work with certain enterprise systems," said a post to the developer question-and-answer site Stack Overflow. Such files also can be distributed via websites or email.

But mobileconfig files also could be generated and used by attackers to configure devices to their liking. "A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions," said the Skycure blog, which was posted by CTO Yair Amit, who noted that such profiles can be used to install new root certificates on a targeted device. "This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data," he said. "A few concrete impact examples include: stealing one's Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these [accounts], potentially creating havoc."

To be clear,2013 pinarello dogma XC 9.9. Pinarello brings innovation to the 29er market with the release of the Dogma XC 9.9 mountain bike frame. any such iOS attacks are only theoretical. But according to Amit, the use of malicious mobileconfig files is akin to finding a way to target iOS devices with malware,Manufacturer of outdoor footwear,outdoor footwear,hiking shoes,training shoes,safety shoes,work shoes,sandals,hiking footwear,safety footwear,work ... without having to worry about installing an executable on the device, which thanks to Apple's walled garden model has proven to be almost impossible.

One innovative -- and non-malicious -- use of mobileconfig files is offered by the iPhone APN Changer website, which allows iPhone users to change the carrier settings on their phones "so you can use unofficial carrier SIMs with your device."

Interestingly,Vente cadre route carbone, vente vélo et accessoires, annonces gratuites. the Skycure researchers said they found that at several AT&T stores, including one in Manhattan, AT&T employees directed people who want to use the carrier's pay-as-you-go service for their iPhone to download and install a configuration file from the third-party APN Changer website. "In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public Wi-Fi network,If you want to avoid a trip to the hospital, and you like to play in the water, I highly recommend getting a Water shoe. which is an easy target for man-in-the-middle attacks," said Amit. That's because the APN Changer site transmits all of its mobileconfig files in plain text over HTTP, without using HTTPS, which means that the communications could be intercepted and spoofed by an enterprising attacker.

In other words, although mobileconfig files offer useful functionality for carriers who want to configure their subscribers' phones, with a bit of social engineering trickery, attackers -- or espionage artists -- could use the files to easily alter phone settings and keep tabs on a targeted iPhone. As a result, users should beware installing any mobileconfig files unless obtained from a trusted source, and preferably only when downloaded from a site via HTTPS.