Industrious hackers have developed a new way of compromising the iPhone. The good news: the user is warned in advance and has to take an action that allows the compromise. The bad news: the warning looks legit.

phony iPhone security update

You see, there’s a feature on the iPhone that’s little known to most users that allows nice IT folks to mass-configure a bunch of iPhones at once and roll the new configuration out to users in their company. This is a Good Thing: you don’t have to bring your iPhone to the IT guy to have it updated, and she doesn’t have to touch 300 iPhones individually. Users see a notice like this one, telling them who is making the update and whether that identity is verified or not. The user decides, based on what they see and what they know, whether to click the [Install] button or the [Cancel] button.

Unfortunately, black hats have figured out how to fake the identification and its verification, so that a bogus update can come in the guise above. In this example, the notification looks like it’s official, like it’s verified that the update is coming from Apple. In fact it’s a hacker, looking to change the configuration on your phone. Remember, Apple always provides its updates through iTunes, and never by using these notifications.

How could this be used maliciously? Well, they could use it to route your web browser (like Safari) through their own proxy server, capturing your user IDs and passwords as you log into your bank, your utility company, your corporate intranet, your Facebook account. Or they could simply use it to mess with iPhone owners by changing your email or carrier settings or other things, basically making your phone stop working for you. And they can even make it so you can’t remove the configuration file, meaning you have to wipe your iPhone and start over. CryptoPath described the issue and some of its ramifications in technical detail in January.
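As an added illustration (not part of the original post), here is a small Python script that inspects a .mobileconfig profile for the settings just described: an organization name that is nothing more than a string in the file, a global HTTP proxy payload, and the flag that stops the user removing the profile. The sample profile is constructed; the key names follow Apple's Configuration Profile Reference, and the signed/unsigned check is a simple heuristic, not a signature verification.

```python
# Added example, not from the original post: flag the risky settings in a
# configuration profile before anyone taps [Install]. Assumes an unsigned
# XML plist; key names follow Apple's Configuration Profile Reference.
import plistlib

# Constructed sample profile: claims to be from "Apple", installs a global
# HTTP proxy, and forbids removal. Note that PayloadOrganization is just text.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.fake-update</string>
  <key>PayloadOrganization</key><string>Apple</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.proxy.http.global</string>
    <key>ProxyType</key><string>Manual</string>
    <key>ProxyServer</key><string>proxy.example.invalid</string>
    <key>ProxyServerPort</key><integer>8080</integer>
  </dict></array>
</dict></plist>"""

RISKY_PAYLOADS = {"com.apple.proxy.http.global": "routes all web traffic through a proxy"}

def is_signed(raw: bytes) -> bool:
    """Heuristic: signed profiles are CMS (DER) blobs; unsigned ones are XML or binary plists."""
    head = raw.lstrip()[:8]
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist"))

def inspect_profile(raw: bytes) -> dict:
    """Return what a reviewer should know about the profile before trusting it."""
    findings = {"signed": is_signed(raw), "warnings": []}
    if findings["signed"]:
        findings["warnings"].append("signed profile: verify the CMS signer chain before trusting it")
        return findings
    profile = plistlib.loads(raw)
    findings["organization"] = profile.get("PayloadOrganization", "<none>")
    if profile.get("PayloadRemovalDisallowed"):
        findings["warnings"].append("PayloadRemovalDisallowed: user cannot remove this profile")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings["warnings"].append(
                f"{ptype}: {RISKY_PAYLOADS[ptype]} ({payload.get('ProxyServer')}:{payload.get('ProxyServerPort')})")
    return findings

if __name__ == "__main__":
    result = inspect_profile(SAMPLE_PROFILE)
    print("Claimed organization:", result.get("organization"))
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Because the organization name is only a string inside the file, the script reports it as a claim, not a fact; only the signer of a signed profile says anything about who really produced it.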

What do you do if you get one of these – from Apple, or from some other organization that’s not supposed to be touching your phone?

Repeat after me: Click [Cancel].