
Jailbreaking iOS Devices: Risks to Users, Enterprises

'KeyRaider' Malware Report Raises Awareness of Managing Apple Devices

Information security experts offer two timely Apple iOS device reminders: First, never, ever jailbreak an iPhone, iPad or iPod Touch. Second, enterprise security managers must ensure that they ruthlessly block any jailbroken devices from accessing corporate networks because they pose a security risk.


The perils of jailbreaking have again been demonstrated this week in the wake of Palo Alto Networks' warning in a blog post that more than 225,000 valid Apple account credentials appear to have been compromised by attackers using malware that it calls "KeyRaider" (see How KeyRaider Malware Hacked 225K Apple Accounts).

The malware only affects jailbroken devices, which has led numerous information security experts to recommend that iOS device owners never jailbreak their devices. Jailbreaking refers to gaining root-level access to an iOS device, removing Apple's code-signing and sandbox restrictions so that the owner can run third-party apps that have not been approved by Apple or install "cracked" - pirated - versions of paid App Store apps.

"If you have an iOS device, you're much more secure if you do not jailbreak it; then you're not at risk from KeyRaider," Ryan Olson, the intelligence director at Palo Alto Networks, tells Information Security Media Group. "Apple keeps the iOS devices well enough locked down that if you're not removing those protections, it's much less likely that you're going to get infected with malware."

KeyRaider was first spotted in the wild after users began reporting suspicious tweaks to their iOS devices to China-based amateur technical group WeipTech, which traced the attacks back to Chinese sites that distribute software through Cydia, the third-party package manager used on jailbroken devices. Cydia - which can only be installed on jailbroken iOS devices - lets users add third-party repositories, some of which distribute pirated iOS apps for free. But some of the pirated apps available through these repositories are actually copies of the KeyRaider malware in disguise.

Evolving iOS Security Advice

Warnings against jailbreaking Apple devices were not always so pronounced. Back in 2009, for example, Wired described six reasons that iPhone 3GS owners might want to jailbreak their phones, ranging from gaining the ability to run Google Voice - Apple had banned the single-phone-number service from the App Store - and enabling tethering, to allowing users to collectively thumb their noses at various restrictions imposed by Apple or AT&T. But a lot has changed since then.

"For the average user, the reasons for jailbreaking an iPhone have been diminishing with every release of iOS," says Gavin Millard, who's the Europe, Middle East and Africa technical director for Tenable Network Security, which sells vulnerability scanning and management and network monitoring products. "Back with the original version of iPhone, there was a need to jailbreak to have any customization, option to run on a network other than AT&T and ability to run third-party apps. This changed significantly when Apple opened up the platform to third-party developers and signed up new carriers."

But non-jailbroken iOS devices can still be hacked, although experts say that such attacks tend to be relatively difficult. "While this [KeyRaider] attack is against jailbroken phones, we do know that there are a multitude of vulnerabilities in every version of iOS - just as with Android - that can allow these types of attacks on non-jailbroken devices," says Dave Jevans, vice president at security firm Proofpoint. "In fact, with the recent release of iOS 8.4.1, Apple fixed over 40 such vulnerabilities. They have been fixing between 30 and 70 major security vulnerabilities per release for several years, indicating that like any complex operating system, iOS has bugs that attackers will exploit."

Palo Alto's research indicates that whoever is behind the KeyRaider malware stole Apple account credentials and then used them to buy software via Apple's App Store. "However, the Apple ID is a proxy for the credit card number associated with the account," says information security and payments technology consultant William Murray. "If used in the Apple Store, transactions might run to thousands of dollars. The risk starts with jailbreaking."

Warning: Block Jailbroken Devices

In addition to recommending that users avoid jailbreaking their devices, security experts also advise enterprise security staff to prevent jailbroken devices from accessing corporate resources.

"iOS is one of the most secure devices you can use due to an inability to run unapproved apps, effective sandboxing and no listening ports available to scan, but jailbreaking changes this," Millard says. "With a jailbroken phone, the ability for an attacker to coerce a user to install malicious code or target their device increases exponentially."

Olson of Palo Alto Networks also recommends that enterprises monitor for whether jailbroken devices are being used on their networks and "try to have the ability to stop them from being able to access corporate materials."

To identify jailbroken devices, Tenable, for example, has released plug-ins for its Passive Vulnerability Scanner product that can detect jailbroken iOS devices, as well as iOS devices that are running Cydia software packages, by watching network traffic rather than by installing anything on the device. Many experts recommend combining multiple detection techniques whenever possible, because any single check - on the device or on the network - can be evaded by an attacker.
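The following is an added example of the network-side approach described above; it is not Tenable's plug-in or any vendor's code. It scans constructed HTTP proxy log lines and scores each client on several independent indicators of Cydia use instead of trusting any one of them, which is the "multiple techniques" point the experts make. The indicator values are assumptions chosen for illustration: a User-Agent beginning "Telesphoreo APT-HTTP" (the APT client that ships with Cydia), requests to the default Cydia repository host apt.saurik.com, a hypothetical third-party repository host cydia.example-repo.cn, and fetches of APT index files such as Packages.bz2 or Release. The simplified log format is also constructed.

```python
"""Passive jailbreak-indicator detection over HTTP proxy log lines.

Added example, not Tenable's plug-in or any vendor's code.  Each client
IP is scored on several independent indicators of Cydia use rather than
on a single one, because any one indicator can be spoofed or suppressed.

Assumptions (illustrative, verify against real traffic before relying on
them):
  - Cydia's APT client sends a User-Agent starting "Telesphoreo APT-HTTP"
  - apt.saurik.com is a default Cydia repository host
  - cydia.example-repo.cn is a hypothetical third-party repository host
Constructed log format (one request per line):
  <ts> <client_ip> <method> <host> <path> <status> "<user_agent>"
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

CYDIA_UA_PREFIX = "Telesphoreo APT-HTTP"                        # assumed
CYDIA_REPO_HOSTS = {"apt.saurik.com", "cydia.example-repo.cn"}  # assumed
# Index files an APT client fetches when it refreshes its package sources.
APT_INDEX_PATHS = ("/Packages", "/Packages.bz2", "/Packages.gz", "/Release")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators(rec):
    """Return the set of indicator names that one request triggers."""
    hits = set()
    if rec["ua"].startswith(CYDIA_UA_PREFIX):
        hits.add("cydia_user_agent")
    if rec["host"] in CYDIA_REPO_HOSTS:
        hits.add("cydia_repo_host")
    if rec["path"].endswith(APT_INDEX_PATHS):
        hits.add("apt_index_fetch")
    return hits


def score_clients(lines, threshold=2):
    """Aggregate indicators per client IP and flag clients at/above threshold.

    Requiring two distinct indicators means a single forged User-Agent, or
    a one-off browser visit to a repository host, does not flag a device on
    its own; an APT refresh from a repo host with the Cydia UA does.
    """
    per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        per_ip[rec["ip"]] |= indicators(rec)
    return {ip: sorted(h) for ip, h in per_ip.items() if len(h) >= threshold}


# Constructed sample log: one jailbroken device refreshing Cydia sources,
# one normal device, one device that merely browsed a repo host's web page,
# and one malformed line.
SAMPLE_LOG = [
    '2015-08-31T10:01:02Z 10.0.0.5 GET apt.saurik.com /dists/ios/Packages.bz2 '
    '200 "Telesphoreo APT-HTTP/1.0.592"',
    '2015-08-31T10:01:09Z 10.0.0.5 GET www.apple.com /index.html 200 '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) Safari/600.1.4"',
    '2015-08-31T10:02:10Z 10.0.0.7 GET www.apple.com /index.html 200 '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) Safari/600.1.4"',
    '2015-08-31T10:03:44Z 10.0.0.9 GET cydia.example-repo.cn /index.html 200 '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) Safari/600.1.4"',
    'this line is malformed and must be skipped',
]

if __name__ == "__main__":
    for ip, hits in score_clients(SAMPLE_LOG).items():
        print(f"{ip}: flagged on {', '.join(hits)}")
```

With the default threshold only 10.0.0.5 is flagged (Cydia User-Agent, repository host and APT index fetch all match); 10.0.0.9 triggers only the repository-host indicator and is reported only if the threshold is lowered to 1. In practice the flagged addresses would be handed to the MDM or NAC layer to deny those devices access to corporate resources, as Olson recommends.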

When it comes to iOS device security, Murray cites security expert Robert H. Courtney's observation that "nothing useful can be said about the security of a mechanism except in the context of a specific application and environment." In this case, that environment is Apple's walled garden security model, which is predicated on only allowing approved apps to run on its devices, and which many security experts believe has earned itself a solid security track record, especially when compared with other mobile-device operating systems.

"iDevice security relies upon operating them as closed systems in a benign environment," Murray says. "It certainly works better than the alternatives."

Executive Editor Tracy Kitten contributed to this story.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
