Symantec Discloses Apple iOS Trustjacking Risks at RSA Conference

At the RSA Conference 2018, Symantec reveals a potential iOS attack vector that Apple has already taken steps to mitigate.

Symantec Trustjacking

SAN FRANCISCO—Apple quietly patched a vulnerability in iOS 11 in 2017 that was discovered by Symantec but was not publicly discussed until April 18.

At the 2018 RSA Conference here, Adi Sharabani, senior vice president of Modern OS Security at Symantec, detailed the vulnerability, dubbed trustjacking, which potentially could have enabled an attacker to take control of an iOS device after connecting to a malicious endpoint.

With the trustjacking flaw, an iOS device is plugged into a desktop system and infected with a form of malware that remains persistent via Apple's iTunes WiFi sync capability.

"We reported this to Apple in mid July 2017, before the release of iOS 11," Sharabani told eWEEK. "Following our report, Apple added a requirement to authenticate by entering a PIN code or equivalent in iOS 11 in order to trust a new computer, mitigating one of the potential attack vectors."

As far as Symantec is aware, the trustjacking issue was never exploited by attackers in the wild, Sharabani said. That said, he added that trustjacking does represent a new kind of attack that could be exploited in the future.

The trustjacking issue on the surface appears to be similar to an issue that that was first publicly disclosed at Black Hat 2013 involving malicious chargers that was dubbed MACTANS. However, Sharabani said the trustjacking issue is somewhat different.

"Trustjacking is different since it allows for continuous access to the device even after the device has been disconnected from the malicious charger or infected device, and without installing any malware on it," Sharabani said. "In the trustjacking flow, we actually leverage the trust created between the device and computer and extend its impact to attackers who are remote."

Infecting one computer allows access to all of the iOS devices that have been previously connected to it and chose to trust it, Sharabani said. That said, he noted that Symantec is not aware of a way to infect other computers or iOS devices without them choosing to trust an infected computer or malicious charger.


Using a mobile device management (MDM) or enterprise mobility management (EMM) policy won't help to protect against trustjacking either, according to Sharabani.

"Disabling iTunes WiFi sync can mitigate it, but we haven't seen a way to do it via EMM/MDM policy," he said.

While Apple has also taken steps to mitigate the issue, there is still some risk, according to Symantec. Sharabani suggests that iOS users clean the trusted computers list from the iOS setting menu to make sure that no unwanted computers are being trusted.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.