At the ITAPA conference, ethical hacker Milan Kyselica and moderator Mário Minarovský showed that even the latest iPhone can be fooled — not by clever malware, but by our inattention. All it takes is a single configuration profile downloaded from a suspicious site, and an attacker gains visibility into the phone’s communications. The story is a reminder that in cybersecurity, as in healthcare, prevention is key.
How a profile-based attack works
The user receives a link, for example in an SMS, opens the page, and clicks a button that prompts the download of a “configuration profile.” On the iPhone, you install it via Settings – General – VPN & Device Management; the profile may be signed and appear trustworthy. In reality, it changes the DNS settings and adds a certificate that gives the attacker control over the network layer.
Sometimes a second profile is installed that adds an icon to the Home Screen resembling the App Store icon, but it’s only a shortcut to a website. After these steps, the attacker is already intercepting domain queries and can redirect visits to websites. The demonstration was carried out on an iPhone 15 Pro with iOS 17 — that is, on a fully up-to-date device.
Why you’ll barely notice it
After installing the profile, nothing seems to happen at first glance: no notification in the status bar, apps work, and pages load. Behind the scenes, however, all DNS requests flow through the attacker’s server, and the added certificate allows the attacker to peer into parts of otherwise encrypted traffic. The user thus has no indication that their network is being monitored.
The only quick check leads back to Settings, where you need to look in VPN & Device Management at the list of profiles and certificates. In older versions of iOS, it was even possible to create profiles that did not appear in this list at all; they could be uncovered only after connecting the phone to a computer and listing them via the command line. That’s why it’s important to know that “invisible” does not mean “nonexistent.”
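As an added illustration (not code from the talk or from ITAPA), the following Python script parses a .mobileconfig profile the way a defender could before installing or after exporting one, and flags the three payload kinds the article describes: managed DNS settings, a root certificate, and a web clip that masquerades as an app icon. The sample profile, its display name, the DNS server address and the URL are constructed values; the PayloadType identifiers are the ones Apple's profile format uses.

```python
import plistlib

# Constructed sample profile (not the one shown at the conference): a managed
# DNS payload, a root certificate payload and a "web clip" Home Screen shortcut.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Free Wi-Fi Booster</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
      <key>DNSSettings</key><dict><key>ServerAddresses</key>
        <array><string>203.0.113.10</string></array></dict></dict>
    <dict><key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAAA</data></dict>
    <dict><key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>App Store</string>
      <key>URL</key><string>https://example.invalid/store</string></dict>
  </array></dict></plist>"""

# Payload types worth a second look, with the reason the article gives for each.
RISKY_PAYLOADS = {
    "com.apple.dnsSettings.managed": "routes all DNS queries through the listed servers",
    "com.apple.security.root": "installs a certificate the device will trust",
    "com.apple.webClip.managed": "adds a Home Screen icon that is only a web shortcut",
}

def triage_profile(raw: bytes) -> list:
    """Return (payload_type, reason, detail) for every risky payload in a profile."""
    profile = plistlib.loads(raw)          # .mobileconfig files are property lists
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        detail = ""
        if ptype == "com.apple.dnsSettings.managed":
            detail = ", ".join(payload.get("DNSSettings", {}).get("ServerAddresses", []))
        elif ptype == "com.apple.webClip.managed":
            detail = f"{payload.get('Label')} -> {payload.get('URL')}"
        findings.append((ptype, RISKY_PAYLOADS[ptype], detail))
    return findings

if __name__ == "__main__":
    for ptype, reason, detail in triage_profile(SAMPLE_PROFILE):
        print(f"{ptype}: {reason} {detail}".rstrip())
```

A signed profile passes the same checks; the signature says who issued it, not whether its payloads are acceptable.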
Prevention is the best medicine: what to do
Install profiles only when you know exactly who they’re from and what they’re for. If the detail mentions changing DNS or installing a “trusted certificate,” think twice before proceeding. Prefer to reject any unsigned or unknown profile, and remove all suspicious items in VPN & Device Management.
Click links in SMS and e‑mails cautiously, especially on public Wi‑Fi networks. Keeping your system up to date is important, but it isn’t enough on its own; an attacker can also craft targeted phishing based on your behavior. If you suspect a compromise, restart the device, check the profiles, and if necessary consult professionals. Above all, the rule is: less clicking, more thinking.