A file sharing application may be a quick and handy way to get a file from point A to point B – but it may also be riddled with gaping security holes, according to new research from Trustwave Holdings Inc.’s SpiderLabs.
Researcher Bruno Oliveira tested over 10 file sharing apps, including Easy File Manager, WiFi HD Free, and FTP Drive, to see how easily he could dredge up exploits from them on the iPhone. The answer? Very – and that spells trouble for phone users, who might see their entire phone and its contents become open to attackers.
Nor is it encouraging for businesses with a bring your own device (BYOD) policy. If an employee’s personal device is compromised, that could open up a business’ network to potential attacks.
“You can’t just store a file easily in your iPhone by default. So if your friend asks for a song or a document, and you don’t have any storage device, you are not able to do that using your iPhone’s features,” says Oliveira, senior security consultant at Trustwave. That’s when some users turn to file sharing services, he adds.
Many of these services’ apps are freely available in the Apple App Store, with file sharing enabled through Bluetooth, iTunes, or Web servers, making users feel they are safe. WiFi HD Free has also garnered an average rating of three and a half stars out of five from about 1,700 users in the Apple App Store, at the time of this writing.
However, accessing these files is very easy, Oliveira pointed out. They’re not encrypted, nor do they require any authentication before users go to open them. But worse than that, users can access whole file systems on iOS.
“If you go deeper on these applications, they are very badly designed,” he says. “If you are going through the application, you are going through the system – not compromising the application, but all of the iOS device.”
And it’s not very difficult to do, Oliveira adds. In fact, he’d say anyone with any hacking ability – from script kiddies to mid-level hackers – would be able to exploit a vulnerability within a file sharing app.
While he chose to test Apple devices because of their widespread popularity, he says the devices most at risk are those that run an older version of iOS, such as iOS 6, and that have been jailbroken.
For now, iOS 7 users are a little safer – but Oliveira still wouldn’t advise anyone to use small, unfamiliar file sharing services. While he found Easy File Manager was the worst offender for opening its users up to vulnerabilities, none of the others he tested fared much better, he adds.
He also notes businesses can’t really keep track of all of the devices their employees are bringing into the workplace. However, one thing an organization can do is safeguard its corporate network by segmenting it, or by controlling who can access the network, Oliveira says.
And on the other side, app developers have a responsibility to patch their software before they release it, he adds.