Trustjacking: The Latest Permission that Can Leave You Vulnerable

Date: 04/24/2018

Too often, the apps we use on a daily basis can lead to issues with privacy and security. In many cases, the culprit is none other than the function of the app itself.

The recent news about Facebook losing control of millions of user profiles is a testament to that, but now, a new feature in many Apple devices has led to a complete and permanent vulnerability for users who are affected.

Called “trustjacking,” this vulnerability occurs when you click “yes” to trust a device. In this particular case, iPhones that have been enabled to sync their iTunes accounts over Wi-Fi, as opposed to only when the cable is plugged into both the phone and a computer, have given permission to “trust” the connection. Trusting the connection is the mechanism for letting the device and the computer talk to each other… and that’s when hackers with the right know-how can strike.

Security experts Roy Iarchy and Adi Sharabani of Symantec presented their findings about iOS trustjacking at a recent conference, stating that a hacker can not only access the user’s photos, text messages, and iTunes backup, but can also “use this access to the device to install malicious apps, and even replace existing apps with a modified wrapped version that looks exactly like the original app, but is able to spy on the user while using the app and even leverage private APIs to spy on other activities all the time.”

Fortunately, there was an easy fix to this: the researchers alerted Apple to the possibility that a hacker can take over someone’s device via trustjacking, so now users must enter their passcodes in order to “trust” a new plugin. If the device has not been connected to the computer before, the passcode will be required. This should put a dent in the occurrences of “juice jacking,” too, which happens when someone tampers with a free charging station like the ones at airports or retail shops in order to steal information from the patrons’ phones.

However, there’s one more alarming aspect to this scenario: if your own computer becomes infected with malware, plugging your device into it to sync your iTunes or iCloud could compromise your device this way. Make sure you’ve got strong anti-virus software installed and kept up-to-date, and run a virus scan from time to time to ensure that your computer isn’t the source of the infection.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.
