When you first plug an iPhone into a computer, you’ll often see a pop-up that says “Trust This Computer?” And while the prompt might seem innocuous, new research suggests that it could have some serious security implications.
Security researchers at Symantec have discovered an entirely new class of iOS attacks that exploit the “Trust” setting, according to Wired. As the publication reported on Wednesday, as soon as a user opts to “trust” a computer, they could be opening their device to a wide range of digital assaults that the researchers are calling “trustjacking.”
“Once this trust is established everything is possible,” Symantec SVP Adi Sharabani told Wired. “It introduces a new vector of attack.”
As the cybersecurity firm points out, these attacks can range from exploits deployed when an iPhone is connected to the same Wi-Fi network as a hacker. But there are remote attacks that can target a device even if they’re separated.
The security firm’s research centers on a little-known feature called iTunes Wi-Fi Sync. True to its name, the feature basically allows iOS devices to sync with a desktop-based iTunes app over a Wi-Fi network. When an iPhone is instructed to “trust” a computer, the two devices can then sync and communicate with each other when they’re on the same network — without any additional user input or approval.
To get their “foot in the door,” attackers could install malicious computer systems in public locations, such as a charging station or a hotel lobby computer. This could trick iOS users into plugging in their iPhones and inadvertently granting trust to those sketchy systems.
When that trust is established, attackers can leverage the Wi-Fi Sync feature to abuse basic syncing or even access developer-level controls to manipulate an iPhone. Hackers could then deploy malware, surreptitiously gather data through a backup or even spy on a user’s screen by remotely taking screenshots.
Sharabani told Wired that he and his team discovered the exploit by accident. Through further investigation, Symantec slowly revealed just how far potential attackers could take the vulnerability.
The problem is made worse by the fact that the “Trust” setting is indefinite — it doesn’t expire once it’s been established. Currently, there’s also no easy way to view a list of computer systems that you’ve “trusted” with your own device.
The Symantec researchers presented their discovery at the RSA security conference in San Francisco this week. The team hopes to raise user and developer awareness and perhaps get Apple to implement some sort of change to the system.
In the meantime, while you can’t view trusted computers on your iOS device, there is an easy way to completely wipe your iPhone’s trust settings. Just go to Settings > General > Reset and tap Reset Location & Privacy. After you do that, just be mindful of which computer system you decide to trust in the future.