Interview: Jailbroken iPhones a vector rather than a vulnerability

With freedom comes responsibility

Earlier this week, Sense of Security hit the headlines advising against the careless use of jailbroken iPhones in corporate environments. The Register speaks to the company’s security consultant Kaan Kivilcim, who presented his findings at the ASIA conference in December, about what the company found.

El Reg: In your testing, when did you realize there was a problem?

Kaan: Developers and security consultants have always known that the iPhone is a cut-down Unix computer – a very powerful computer – sitting in the palm of your hand. We understood that Apple had implemented various security mechanisms.

It quickly emerged that if you removed all the security controls, then anything you could do from a modern Unix computer, you could do from an iPhone.

We undertook some research on behalf of our customers into whether the iPhone could be deployed as a corporate device. The security you might think of for your laptops, you might not think of for an iPhone.

For example, because it runs iOS [which is Unix-based - Ed], you can perform a tunneling attack. If the iPhone is legitimately connected to the corporate wireless network – it’s also connected to the Internet through the service provider.

Because it’s jailbroken, SSH can be installed. I can create a tunnel from the external interface to the internal network. So a malicious user, or an internal attacker, could make a bridge from the sensitive internal network to the external network.

This is not necessarily a vulnerability, it’s using the iPhone to its full ability.

El Reg: So that’s the first level of vulnerability. Does it become a deeper problem?

Kaan: You might have security controls on your corporate laptops. On Windows laptops, you can have group policy that prevents users from doing certain things or installing certain applications.

For modern organizations that are just adopting these devices – iPhones, Android phones, modern Nokias, which can also be attack vectors – you might not take into account as an IT administrator that the phone can do the same things as a laptop can do.

So the phone might not have as stringent access controls as laptops. Once jailbroken, it becomes a full mobile computer, out of control of the IT department, connected to the corporate network.

El Reg: Can I then attack the phone itself?

Kaan: When you jailbreak a phone, you’re relying on someone who’s packaged a tool that circumvents the security restrictions on the iPhone. You’re looking to remove controls to give yourself complete control over the device.

For example, jailbreaking overrides some of the file permissions on the device. That might remove the permissions that prevent a malicious application from compromising the phone.

And when you jailbreak the phone, you’re configuring it in a state that the average user might not comprehend. It doesn’t introduce a vulnerability – but it introduces the possibility that a vulnerability might occur.

Older versions of Jailbreaks install SSH. Modern versions tend not to install that – but they still set a default password on the device. So if a user had SSH installed, or another management interface, and they jailbreak the phone, then the default password will be installed.

The average user doesn’t understand the risks that might cause.

El Reg: Never mind the average user. Corporate IT probably hasn’t thought of this yet.

Kaan: That’s right. And the concern is increased, because some service providers give you a public-facing IP address. So if you have SSH and a default password, then it’s possible for the malicious user to scan the IP addresses, and try to log in either by brute-forcing the password or testing the default password.

Then you could breach the corporate network via the mobile phone device.

El Reg: What can IT management do about this?

Kaan: The first thing is to control the devices through a mobile management solution. Second, if the mobile device is connected via a wireless interface, then the connection has the fundamental network security in place – access control, logging, encryption, IDS [intrusion detection systems] and IPS [intrusion prevention systems], and so on.

That way, the activities from the wireless device can be managed and monitored. In addition to that, corporate policies need to be updated to address mobile phones and smartphones.

Apple provides profiles that can be deployed onto iPhones, and these enforce settings and configurations on the iPhones, providing the corporate IT with some degree of control. So they can report back patch levels, deploy applications, and whitelist applications – that provides IT departments with a degree of control over the fleet of iPhones.

Another thing a mobile management solution can do is detect if a phone is jailbroken, so that the IT department can be alerted and take some action.
