Windows and iTunes Create an Administrator Vulnerability

Be careful using your hotspot setting. One of our Systems Administrators recently ran across a feature of Windows 10 and iTunes that could make for a frightening scenario.

If you have your iPhone's hotspot turned on and you plug your phone into a USB port on your Windows 10 computer, whether your iTunes is running or not, your default network will change to the Apple connection.

You will then be using the (probably metered) internet connection from the iPhone hotspot instead of the unmetered wired Ethernet from your ISP. It's easy to tell whether your user profile is set as the local administrator by trying to install any program: if you are not the administrator, you will have to enter an administrator password in order to install the software.

Further testing showed that without iTunes installed you should be safe. However, be careful of your plug-and-play settings - leaving those open can allow this same issue to occur! The Windows 10 operating system thinks the USB device you plugged in is primarily an internet router and may try to use it in that capacity.

If your Windows user is set as local administrator, which is common, you will not even be prompted or notified. While increased data charges might occur for the home user, the possible outcomes for a business or financial institution could be much more serious.

It would not be difficult for a malicious entity to create a device that might be innocuously plugged into a computer, and suddenly all the security protocols in place on the internal network are bypassed. It is a short jump from there to having the entire internal network compromised.

Windows group policy and various software suites can alleviate this vulnerability. But it is always important to be aware of devices that gain access to your machine, especially if you are the administrator for your network.
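One way to check a workstation for the condition described above is to look at which adapter currently holds the preferred IPv4 default route. The following PowerShell is an added example, not part of the original article; the `$ApprovedAdapters` allowlist is a hypothetical value to replace with the adapter names your site permits.

```powershell
# Added example: flag when the preferred IPv4 default route leaves through
# a USB-attached or unapproved adapter (for example a tethered phone).
# ASSUMPTION: $ApprovedAdapters is a hypothetical allowlist; set it to the
# adapter names (the "Name" column of Get-NetAdapter) your site permits.
$ApprovedAdapters = @('Ethernet')

# Every IPv4 default route currently installed on this machine.
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 `
    -ErrorAction SilentlyContinue

$report = foreach ($r in $routes) {
    $adapter = Get-NetAdapter -InterfaceIndex $r.InterfaceIndex `
        -ErrorAction SilentlyContinue
    $ipif = Get-NetIPInterface -InterfaceIndex $r.InterfaceIndex `
        -AddressFamily IPv4

    [pscustomobject]@{
        Adapter         = $r.InterfaceAlias
        Description     = $adapter.InterfaceDescription
        NextHop         = $r.NextHop
        # Windows prefers the lowest route metric + interface metric.
        EffectiveMetric = $r.RouteMetric + $ipif.InterfaceMetric
        # USB network adapters have a PnP device ID beginning with USB\.
        UsbAttached     = $adapter.PnPDeviceID -like 'USB\*'
        Approved        = $ApprovedAdapters -contains $r.InterfaceAlias
    }
}

# Lowest effective metric first: the top row is the route actually in use.
$report = $report | Sort-Object EffectiveMetric
$report | Format-Table -AutoSize

$active = $report | Select-Object -First 1
if ($null -eq $active) {
    Write-Output 'No IPv4 default route is installed.'
} elseif ($active.UsbAttached -or -not $active.Approved) {
    Write-Warning ("Default route uses '{0}' ({1}) via {2}" -f `
        $active.Adapter, $active.Description, $active.NextHop)
} else {
    Write-Output ("Default route uses approved adapter '{0}'." -f $active.Adapter)
}
```

Run on a schedule or at logon, the warning branch gives administrators a signal that a machine's traffic has moved off the wired network.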

Below are before and after screenshots of this process showing network and IP settings.

Before iPhone IP Settings

After iPhone IP Settings

After iPhone "WhoIs" IP Settings

