Think about the feeling you have when you are away from home and your phone is almost ready to die. You rush around in a panicked search for the nearest charger. When you finally find a compatible charger, you insert the cable and breathe a sigh of relief without a second thought as to what you are using to charge your phone.
If you are an iPhone user, you may have already discovered that Apple has a convenient iTunes/Wi-Fi sync feature that lets users sync their iPhones to a computer wirelessly. The feature is enabled when a user plugs their iPhone/iPad into a computer with a USB cable. A pop-up appears that says “Trust this Computer?”. If the user clicks yes, the sync is allowed to happen. The problem is that the text leads the user to believe the trust applies only while the device is physically connected to the computer. In reality, once you click “trust”, that computer can sync with your iPhone over Wi-Fi, and there is no indication on the iPhone that this has occurred.
Trust Jacking can be used to attack your iPhone in many different scenarios. For example, if you use the free charging stations at airports and other public places and approve the pop-up permission, you may be at risk.
Once a malicious computer is trusted, whoever controls it can abuse your iPhone in many different ways:
Remotely install malware apps on your iPhone, as well as download a backup and steal all your photos, SMS/iMessage chat history, and application data.
Replace existing apps with modified versions that look exactly like the original but are able to spy on the user while using the app.
Watch your device’s screen in real time by repeatedly taking remote screenshots.
Mid-Rivers Information Security Manager Philip Grieser shared a few tips for protecting your phone against these types of attacks:
“Apple has introduced another security layer to combat the problem (users are asked to enter the iPhone's passcode when pairing), so if you have an update make sure to do it right away. But the vulnerability still exists because the real problem is there is no mandatory re-authentication between the user’s device and the “trusted” computer after a certain amount of time.
One of the best ways to protect yourself is to make sure that no unwanted computers are being trusted by your iPhone/iPad. Unfortunately, there is no list you can just check. But if you’re not sure if you have any unwanted computers in your trust list, you can always reset it by going to Settings > General > Reset > Reset Location & Privacy.
Going forward, a simple solution would be to just always deny access when asked to trust a computer while charging your Apple device (especially in airports or other places where there are free charging stations). It will still charge and won’t potentially expose you to this vulnerability.”









