‘Trustjacking’ is the dangerous new iPhone hack you’ve never heard of

By

iphone
What’s on your wish list for a future iPhone?
Photo: Ste Smith/Cult of Mac

You might want to think twice before plugging your iPhone into a friends laptop for a quick charge.

Security researchers have discovered an all-new type of iOS hack called “trustjacking” that uses one of a little-known WiFi feature to access a device’s data, even when the targeted device isn’t in the same location anymore.

The way the hack works is an iPhone users plugs into the USB port on a friend’s computer. iOS asks if you want to trust the computer and mentions that it will have access to your data. You can then enable iTunes Wi-Fi Sync from the PC giving the devices the ability to communicate anytime they’re on the same network. Hence the name “trustjacking.”

iTunes Wi-Fi Sync is a useful feature when you’re at home and connected to a network you trust. But researchers at Symantec say “everything is possible”, as far as attacks go, if you trust the wrong computer.

The discovery of trustjacking

“We discovered this by mistake actually,” said Symantec’s Adi Sharabani in an interview with Wired.”Roy was doing research and he connected his own iPhone to his own computer to access it. But accidentally he realized that he was not actually connected to his own phone. He was connected to one of his team members’ phones who had connected their mobile device to Roy’s desktop a few weeks before. So Roy started to dig into what exactly he could do and find out if he were an attacker.”

Once your iPhone is synced to a hostile computer, the attacker could install malware on your phone or initiate a backup to pull all your photos, apps and text messages. Hackers could also use the flaw to watch your screen in real-time and take screenshots that sync back to their computer.

The good news is researchers haven’t found any instances of trustjacking attacks out in the wild yet. That doesn’t mean they don’t exist though. Apple tweaked the Wi-Fi Sync feature with iOS 11 so that it asks for the device’s passcode before trusting. Researchers say Apple needs to do more though to let users see what networks they’ve given trust to.

If you’re worried that you may have given a malicious computer access to your iPhone you can scrub all your connections by going to Settings >> General >> Reset >> Reset Location & Privacy.

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.