Apple iOS Host Pairing Bypass

Product Apple iOS
Severity Low
CVE Reference CVE-2017-13806
Type Logic Bug

Description

It was found to be possible to bypass the host-pairing (allow pairing with non-configurator hosts) restriction applied to a supervised iOS device that is enrolled in the Apple Device Enrolment Program (DEP).

On iOS, device supervision allows an organisation to apply additional device security settings that are not configurable via a traditional MDM configuration profile or via device settings. One such setting is the ability to prevent the iOS device from connecting to hosts, other than the supervising device.

Under normal circumstances, when host-pairing is restricted it is not possible to pair the iOS device with a host other than the supervising device. When attempting to do so, the user is presented with the message “This device is being supervised by another device”.

It was possible to bypass this restriction using the Download Firmware Update (DFU) mode to update to the latest iOS version, where it appears that a host “keypair” is automatically added to pair_records of the iOS device.

Impact

This issue allows an attacker to pair a host machine, other than the supervising host, with an iOS device that has host-pairing restricted. During testing a macOS Sierra 10.12.1 (Macbook) device was used, as well as an iOS 10.1 (iPhone 7) device. The following actions were found to be possible even though the device supervision of the iOS device should prevent them:

  • Perform an encrypted backup of the device.
  • Screen (video) record the device via QuickTime.
  • Import photos from the device.

Due to configuration restrictions applied by a configuration profile installed on the device, the following actions were not possible from a host-paired device, but would be possible if additional security settings had not been applied to the device:

  • Installation of 3rd party configuration profiles.
  • Unencrypted backup of the device.
  • Installation of applications. 

Cause

The root cause of this issue is currently unclear. It is suspected that during the DFU update process, the iOS device creates a pairing record for the connected Mac OS device (pairing records on iOS are stored within /var/root/Library/pair_records), and that this record is not subsequently removed after the DFU update. 

Interim Workaround

Currently, host-pair restrictions should not be relied upon to restrict iOS features. A defence-in-depth approach should be taken with additional security controls applied the iOS device via the device supervision profile. In particular, it is recommended that the following restrictions are applied in order to mitigate this issue:

  • Prevent screen recording.
  • Prevent the installation of configuration profiles.
  • Prevent the installation of untrusted applications.
  • A username & password combination should be required for DEP enrolment.

Solution

Update to the latest stable and secure iOS version (iOS 11 and above). 

https://support.apple.com/en-gb/HT208112

Technical details

Please refer to the attached advisory. 

Disclosure Timeline

Date Summary
02/02/2017 Issue reported to vendor
19/09/2017 Vendor releases patch
14/11/2017 Advisory published