iOS 6 Update: The Exploit in the Configuration Profile Is Closed
There is something you should know about the iOS 6 Configuration Profile exploit. Even if you prefer to stay on previous versions of this firmware, experts believe you should still update to iOS 6 because this operating system closes exploit in the code responsible for checking certificates. This vulnerability was critical as it could allow potential attackers and hackers get data stored on your gadget and even intercept the information traffic.
iOS 6 Configuration Profiles Exploit
Apple speaks about the “iPhone Configuration Utility” in the special area: Support – iPhone –Enterprise consumers. This is where you can learn about such opportunities as corporate Wi-Fi network settings deployed on new gadgets or setting the password length requirements. These options however can lead to misuse, according to The H’s associates, as hackers can sign on Configuration profiles on any user’s or company’s behalf – including Apple – even though iOS 6 Configuration Profile checks the certificate of a trusted issuer and verifies it.
Customers who have no idea that such configuration profiles even exist can be easily affected by attackers who know about this iOS 6 exploit. Their privacy is not secured well enough.
How Attackers Could Use the Exploit in the iOS 6 Code
We will explain how hackers were able to use the exploit in iOS versions younger than iOS 6. Let’s imagine you get an email with a configuration profile attached that appears as a system update from your carrier and is even “Verified” by Apple. When you open the attachment you unintentionally add a proxy to your network settings which routes all your data traffic from now on. Users who operate this proxy can get all information that you send or receive.
Other exploit we wish to describe is related to SSL crackers. The profile might include the attacker’s CA certificate. It classifies the gadget as trustworthy to the certificate store, but it allows hackers to get access to SSL connections, decrypt and re-encrypt information you transmits. If you go to iTunes to buy a new application after fake profile was installed, the potential attacker can get your account password seen as a plain text version of the encrypted data using this exploit. He can steal your digital identity without you knowing about it. He then can make purchases on your behalf.
iOS 6 Exploit Closed
This vulnerability in the iOS 6 code was discovered in the beginning of 2010, according to reports. What does it mean? Well, several generations of Apple mobile firmware had this exploit in their code. Apple was informed about the issue last fall, and it finally closed the exploit in the iOS 6 Configuration Profile update like will close APTicket and SHSH blobs not allowing to perform downgrade.