Slowing SideStepper

If you follow us on Twitter and LinkedIn, you already saw a few Tweets about SideStepper and a companion post on LinkedIn. SideStepper is an attack that a pair of Check Point researchers devised. It lets phishers trick iPhone and iPad users (especially corporate users whose IT department manages devices with an MDM) into installing a bogus configuration profile (a .mobileconfig file). The profile puts the attacker in a man-in-the-middle position between the device and the MDM server; from there, the attacker can push malicious apps to the device over the trusted MDM channel, and the device is effectively fully compromised.

We noted on LinkedIn that stripping .mobileconfig attachments from inbound email is a cheap way to blunt this attack. How you do this will vary depending on your mail server, but here is how it went for us (we use Google Apps for Work).

  • Go to the Admin panel.
  • Click on Apps, then on Google Apps, then on Gmail.
  • Click on Advanced Settings.
  • Scroll down to Compliance, then hover over an attachment rule and Add Another.
  • Type a description, check Inbound, and Add an Expression, specifically to block Custom file type .mobileconfig. Click SAVE.
  • Under Attachments, Check Remove attachments from message. Click ADD SETTING.
  • Click SAVE.

Elapsed time: about 1 minute
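For mail servers without a point-and-click rule, the equivalent check is a content filter that drops any MIME part that looks like a profile. The following is an added example written for this post, not code from the original article and not any mail server's own filter; the message it processes is constructed inline so it runs offline. It drops a part if either the declared MIME type (application/x-apple-aspen-config, which is what iOS uses for profiles) or the filename extension matches, so renaming the file or mislabelling its type does not get it through.

```python
"""Strip Apple configuration profiles from an inbound mail message.

Added example, not code from the original post and not any mail server's own
filter: the check a content filter or milter would apply. The sample message
below is constructed so the script runs offline.
"""
import email
from email import policy
from email.message import EmailMessage

# The MIME type iOS uses for profiles, and the file extension. A phisher can
# rename the file or mislabel its type, so a part is dropped if EITHER matches.
PROFILE_MIME_TYPES = {"application/x-apple-aspen-config"}
PROFILE_EXTENSIONS = (".mobileconfig",)


def is_profile_part(part: EmailMessage) -> bool:
    """True if a MIME part is (or is named like) an Apple configuration profile."""
    if part.get_content_type().lower() in PROFILE_MIME_TYPES:
        return True
    filename = part.get_filename() or ""
    return filename.lower().endswith(PROFILE_EXTENSIONS)


def _prune(msg: EmailMessage, removed: list) -> None:
    """Recursively drop profile parts; nested multiparts are walked too."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if is_profile_part(part):
            removed.append(part.get_filename() or part.get_content_type())
            continue
        _prune(part, removed)
        kept.append(part)
    msg.set_payload(kept)


def strip_profiles(raw: bytes) -> tuple:
    """Parse a raw RFC 5322 message, remove profile attachments,
    and return (cleaned message, list of removed attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _prune(msg, removed)
    return msg, removed


def remaining_attachments(msg: EmailMessage) -> list:
    """Filenames of the attachments still present after stripping."""
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed phishing-style message (hypothetical addresses): an
    upper-cased .MOBILECONFIG attachment, a profile mislabelled as .txt but
    sent with the profile MIME type, and a legitimate PDF that must survive."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: install the updated Wi-Fi profile"
    msg.set_content("Please install the attached profile to keep Wi-Fi access.")
    plist = b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>'
    msg.add_attachment(plist, maintype="application", subtype="octet-stream",
                       filename="WiFi.MOBILECONFIG")
    msg.add_attachment(plist, maintype="application", subtype="x-apple-aspen-config",
                       filename="readme.txt")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                       filename="policy.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_profiles(build_sample())
    print("removed:", removed)
    print("kept:", remaining_attachments(cleaned))
```

A production filter would also append a short notice to the body saying what was removed, as the Gmail rule does; that is left out here to keep the example focused on the matching logic.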

Even if you aren't using an MDM, there is no real argument against stripping incoming .mobileconfig files at your mail server: a user can't tap a configuration profile that doesn't exist. Keep in mind that this covers attachments only; a profile served from a link in the phishing email installs the same way, so the same file type (and its MIME type, application/x-apple-aspen-config) is worth blocking at your web proxy as well.

We also mentioned logging. If you use an MDM, its logs should be an input to your centralized logging system (for many Loptr clients, that's Splunk). If your MDM logs to Splunk, you can set up an alert whenever an app you don't manage (unknown and not previously seen) is installed. You could also monitor for installs that happen at unusual times, or for an install or re-install you didn't schedule; attackers may disguise their malicious apps as apps you already manage to hide their activity.

Because SideStepper is a MitM, you may also spot a change in your network logs: the status request (check-in) from an iOS device to the MDM server may arrive from the attacker's proxy rather than from the device's usual address, and several victims will show up behind the same unfamiliar address. Your mail server generates logs too, which is a good place to see which file types are coming in and going out.
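The two alerts above, the app-install checks and the check-in source check, implemented over constructed MDM events in Python as an added example (not code from the original post, and not any MDM vendor's log schema). The field names, the managed-app catalogue, the business hours and the office egress range are all assumptions; the same logic maps onto a Splunk scheduled search.

```python
"""Two MDM-log detections for a SideStepper-style compromise.

Added example, not code from the original post and not any MDM vendor's log
format: the field names (time, device_id, event, app_id, src_ip), the managed
app catalogue, business hours and the office egress range are all assumed, and
the events below are constructed.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

MANAGED_APPS = {"com.example.vpn", "com.example.expenses"}   # assumed app catalogue
BUSINESS_HOURS = range(7, 20)                                 # 07:00-19:59 local, assumed
CORP_EGRESS = [ip_network("203.0.113.0/24")]                  # assumed office NAT (TEST-NET-3)

# Constructed events: device 0042 gets a late-night re-install plus an unknown
# app, and both devices start checking in through one outside address.
EVENTS = [
    {"time": "2016-04-05T09:12:00", "device_id": "iphone-0042", "event": "checkin", "src_ip": "203.0.113.17"},
    {"time": "2016-04-05T09:15:00", "device_id": "iphone-0042", "event": "app_install", "app_id": "com.example.expenses"},
    {"time": "2016-04-05T10:05:00", "device_id": "iphone-0077", "event": "checkin", "src_ip": "203.0.113.44"},
    {"time": "2016-04-05T23:41:00", "device_id": "iphone-0042", "event": "checkin", "src_ip": "198.51.100.9"},
    {"time": "2016-04-05T23:42:00", "device_id": "iphone-0042", "event": "app_install", "app_id": "com.example.expenses"},
    {"time": "2016-04-05T23:43:00", "device_id": "iphone-0042", "event": "app_install", "app_id": "com.attacker.update"},
    {"time": "2016-04-05T23:45:00", "device_id": "iphone-0077", "event": "checkin", "src_ip": "198.51.100.9"},
]


def suspicious_installs(events):
    """Alert 1: installs that are unmanaged, off-hours, or a re-install of an
    app the device already had (a disguised payload looks like the last one).
    Returns (device_id, app_id, reasons) tuples in time order."""
    installed = set()
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if e["event"] != "app_install":
            continue
        reasons = []
        if e["app_id"] not in MANAGED_APPS:
            reasons.append("unmanaged app")
        if datetime.fromisoformat(e["time"]).hour not in BUSINESS_HOURS:
            reasons.append("off-hours install")
        key = (e["device_id"], e["app_id"])
        if key in installed:
            reasons.append("re-install of existing app")
        installed.add(key)
        if reasons:
            hits.append((e["device_id"], e["app_id"], reasons))
    return hits


def proxied_checkins(events, min_devices=2):
    """Alert 2: MDM check-ins from outside the office egress range, reported
    only where several devices share one outside address, the signature of a
    single attacker proxy fronting many victims. Single-device hits are
    dropped because phones roam on cellular and would page you all day."""
    outside = {}
    for e in events:
        if e["event"] != "checkin":
            continue
        ip = ip_address(e["src_ip"])
        if any(ip in net for net in CORP_EGRESS):
            continue
        outside.setdefault(e["src_ip"], set()).add(e["device_id"])
    return {ip: sorted(devs) for ip, devs in outside.items() if len(devs) >= min_devices}


if __name__ == "__main__":
    for device, app, why in suspicious_installs(EVENTS):
        print(f"{device}: {app} ({', '.join(why)})")
    for ip, devices in proxied_checkins(EVENTS).items():
        print(f"{len(devices)} devices checking in via {ip}: {devices}")
```

The off-hours threshold and the egress ranges are the knobs to tune per organization; the re-install signal is the one that catches an attacker who names their app after something you already manage.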

If you have questions about SideStepper, MDM, stripping/blocking email attachments, or Splunking the problem, let us know.