Apple devices under 'masque attack' threat: Cyber agency
NEW DELHI: Cyber security sleuths have alerted users of Apple iPhones and iPads to a lurking "masque attack" on their devices that could compromise gadget safety and steal sensitive private information.
In its latest advisory to users, the Computer Emergency Response Team-India (CERT-In) said a vulnerability has been reported in Apple iOS which allows any iOS application that is installed using enterprise or ad-hoc provisioning to replace any legitimate iOS application installed through the App Store with any other malicious application.
"This attack is also known as 'Masque Attack' technique against Apple iOS. Successful exploitation of this vulnerability could allow remote attacker to steal sensitive information from the device, monitor user activities, gain root privileges on the device and launch further attacks," the CERT-In advisory said.
The CERT-In is the nodal agency to combat hacking, phishing and to strengthen security-related defenses of the Indian Internet domain.
The iOS is the backbone of all operations and apps in various Apple gadgets like iPhones, tabs and iPads.
Apple has already asked users to download applications and other information from trusted sources only.
This vulnerability, the agency said, is caused by iOS not properly enforcing matching certificates for apps (applications) with the same identifier.
"A remote attacker could exploit this vulnerability by tricking the victim into installing an application from a source other than the iOS App store or their organisation's provisioning system. Attacker could then utilise this application to replace other legitimately installed applications, except iOS preinstalled applications, with any malicious application that uses the bundle identifier of the legitimate application thus bypassing the App Store review process," it said.
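The advisory's root cause, an app with the same bundle identifier but a different signer, can be checked for in a managed fleet. The following is an added example, not part of the CERT-In advisory or the original article: it assumes a device inventory (for instance an MDM export) that reports each app's bundle identifier, signer and install source; the field names, source labels and sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppRecord:
    bundle_id: str   # e.g. "com.example.mail"
    signer: str      # signing identity reported by the inventory tool (assumed field)
    source: str      # "app_store", "enterprise" or "ad_hoc" (assumed values)

def find_masque_candidates(baseline, observed):
    """Flag apps that reuse a known App Store bundle identifier but were
    sideloaded or are signed by someone other than the expected publisher.

    baseline: dict mapping bundle_id -> expected signer of the App Store build
    observed: iterable of AppRecord taken from a device inventory
    """
    findings = []
    for app in observed:
        expected = baseline.get(app.bundle_id)
        if expected is None:
            continue  # not an identifier we track; nothing to compare against
        reasons = []
        if app.source != "app_store":
            reasons.append("installed via " + app.source + " provisioning")
        if app.signer != expected:
            reasons.append("signer mismatch")
        if reasons:
            findings.append({"bundle_id": app.bundle_id, "reasons": reasons})
    return findings

# Constructed sample data, not taken from any real device or advisory.
BASELINE = {
    "com.example.bank": "Example Bank Ltd",
    "com.example.mail": "Example Mail Inc",
    "com.example.notes": "Example Notes Inc",
}
OBSERVED = [
    AppRecord("com.example.bank", "Example Bank Ltd", "app_store"),
    AppRecord("com.example.mail", "Unknown Dev Co", "enterprise"),
    AppRecord("com.example.internal", "Corp IT", "enterprise"),
    AppRecord("com.example.notes", "Example Notes Inc", "ad_hoc"),
]

if __name__ == "__main__":
    for f in find_masque_candidates(BASELINE, OBSERVED):
        print(f["bundle_id"], "->", "; ".join(f["reasons"]))
```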
The agency called it a "high" rated threat and said it could affect various versions of the Apple iOS.
The cyber security agency has also suggested some counter-measures in this regard.
"Don't install apps from third-party sources other than Apple's official App Store or your own organisation, don't click 'install' on a pop up from a third-party web page, carefully read iOS notification while opening applications and if iOS shows an 'untrusted App Developer' alert click on 'don't trust' and uninstall the application immediately," it recommended.