iOS Trustjacking: How Attackers Can Hijack Your iPhone – The Mac Security Blog

The security researchers, Adi Sharabani and Roy Iarchy, presented a live demonstration of the attack. Sometime before the presentation, Sharabani had previously connected his iPhone X to Iarchy’s MacBook and tapped “Trust” in a dialog box on the iPhone, something many people do when they connect their iPhone to a computer.

During the presentation, Sharabani used his iPhone X to take a selfie with Iarchy, after which he sent a text message to their company’s CEO.

On the MacBook, Iarchy issued a command to Sharabani’s iPhone to back up its data over Wi-Fi, which is made possible by an iOS feature called iTunes Wi-Fi Sync. After the synchronization was complete, Iarchy showed that both the selfie and the text message were easily accessible on his MacBook.

This is fascinating stuff. You “trust” a computer when you connect an iOS device; this is a security feature that ensures that when you connect a device to a computer, you have to choose whether it has access to the data on your device. This notably allows you to connect your iPhone or iPad to any computer to charge it without worrying about the computer and iTunes wiping the device. But the downside is that people may see the dialog and think they have to trust a computer in order to charge; if they do this, it opens up the device to access, even via Wi-Fi.

Source: iOS Trustjacking: How Attackers Can Hijack Your iPhone | The Mac Security Blog