Hackers can abuse the iOS mobile device management protocol to deliver malware

catesr
Contributor

Any reason to worry about this?

MacWorld

3 REPLIES

bentoms
Release Candidate Programs Tester

In short. No.

This has been discussed quite a bit in the Macadmins.org Slack.

But look at this

Also, if devices are supervised, you can block profile installation.

bpavlov
Honored Contributor
Then the attacker would need to trick the users of those devices to install a malicious configuration profile. This wouldn’t be hard to do either, because most enterprise users are used to installing such profiles. They are typically used to deploy VPN, Wi-Fi, email, calendar and other settings. The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device’s Internet connection. This would route the device’s traffic through a server under the attacker’s control and would enable the man-in-the-middle attack.

Security can't address social engineering 100%. If people do things they shouldn't, what can one do? Education is the best thing you can do. Similar to how one would train people to avoid scams and other forms of social engineering, whether through email, phone calls, in person, etc.

St0rMl0rD
Contributor III

That's why we don't enable our supervised devices to install third party profiles.
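
For admins who want to review a profile before it reaches a device, the following added example (not code from any poster in this thread or from the article) flags the combination the quoted article passage describes: a certificate payload together with a proxy setting. It assumes an unsigned .mobileconfig (a plain plist; a signed profile must be unwrapped first), checks only the global HTTP proxy and Wi-Fi proxy payloads, and uses constructed sample data and hypothetical function names.

```python
import plistlib

# Apple configuration profile PayloadType values that affect trust or routing.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
PROXY_TYPE = "com.apple.proxy.http.global"
WIFI_TYPE = "com.apple.wifi.managed"


def audit_profile(data: bytes) -> list[str]:
    """Return findings for an unsigned .mobileconfig supplied as bytes."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", "<unnamed>")
        if ptype in CERT_TYPES:
            findings.append(f"certificate:{ptype}:{name}")
        elif ptype == PROXY_TYPE:
            host = payload.get("ProxyServer") or payload.get("ProxyPACURL", "?")
            findings.append(f"global-proxy:{host}")
        elif ptype == WIFI_TYPE and payload.get("ProxyType", "None") != "None":
            findings.append(f"wifi-proxy:{payload.get('SSID_STR', '?')}")
    kinds = {f.split(":")[0] for f in findings}
    # A new trust anchor plus redirected traffic is what enables interception.
    if "certificate" in kinds and kinds & {"global-proxy", "wifi-proxy"}:
        findings.append("high-risk:certificate+proxy")
    return findings


def sample_profile() -> bytes:
    """Constructed profile for the demo; the certificate bytes are a dummy value."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.constructed",
        "PayloadVersion": 1,
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadDisplayName": "Corp Root CA",
             "PayloadContent": b"constructed-not-a-real-certificate"},
            {"PayloadType": PROXY_TYPE, "ProxyType": "Manual",
             "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
        ],
    })


if __name__ == "__main__":
    for finding in audit_profile(sample_profile()):
        print(finding)
```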