Security researchers from Symantec have disclosed a new iOS vulnerability dubbed ‘Trustjacking’ that allows an attacker to exploit an iTunes Wi-Fi Sync feature and take control of a victim’s device.
The findings were disclosed at the RSA Conference on Wednesday and described on the Symantec blog:
“This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device.”
Apple introduced some mitigations in iOS 11 after the vulnerability was disclosed to it. For example, authorizing and trusting a newly connected computer can require the user to enter the device passcode, so that only the real owner of the iOS device can choose to trust it.
However, Symantec noted that this only partially mitigates the issue. Symantec further recommends that users remove any unwanted computers from the trusted computers list by going to Settings > General > Reset > Reset Location & Privacy. Users should also enable encrypted backups in iTunes and choose a strong password to further protect sensitive information.