This part of Diana Kelley's presentation introduces iOS security: it looks at how safe jailbreaking tools are and describes known samples of iOS malware and vulnerabilities.
Once you've jailbroken your phone, how can you be sure that the apps you download from Cydia do not contain malware? And this is one of the reasons that Apple says: "Don't jailbreak your phone; use what's in our store." They are saying that they are going to vet it for malware. How closely they vet it we don't see, but they do some vetting. Who is vetting what's in Cydia? The public? So you don't know that you are not getting a piece of malware if you are downloading from Cydia. I am not saying we know for a fact that everything in the Apple Store is 100% good, but you've got a layer, you've got a check and bounds; with Cydia you could get trojan-based malware.
You know, redsn0w itself could even be a piece of malware. That's possible too. Think about it: when you use a hacking tool, and it's true, you are actually opening yourself up to some potential threat; sure, this could actually be a big botnet tool. And again, I repeat, I'm making no indemnification about using any of these tools either, so use them at your own risk, and yes, there could be malware in them.
Let's now think of the motivation for creating jailbreaking tools. So George Hotz is the guy behind limera1n, and this guy is also behind jailbreaking the Sony PlayStation. Why does he do this? You know, it's like the old engineering hack; I mean, there really is the desire to understand and be able to learn more. And there is some anger. When you install a Cydia package, it is called a monopoly in a way. Some engineers feel very constrained or controlled by the limitations in the DRM [1], with an iTunes Store and App Store. And they wanna use the device, but they don't wanna have to be limited by that.
So that's some of the motivation. As far as the financial aspect is concerned, is this a going business? No, right now it's a freeware tool. But could there be other motivations, to this gentleman's point? Could they really just be trying to make a giant botnet out of everybody who is willing to put a jailbreaking tool on their PC or their Mac? That's possible. But at this point, from what they've said and what we've seen, these are mostly engineers who really want to get more control of the device itself, you know, for engineering purposes, to be able to investigate and write whatever they want.
You might also wonder whether there is anything residual after you've jailbroken it and restored. For the average user, no. I mean, it all goes away. But you are limited now by what you can look at on your machine, because you cannot actually be root on your machine and look at all of the different bits of information. So it looks gone to you as the user, and the folks that create these tools say: "Yes, it's gone." As for the experience that's out there: is it possible to keep something on there if you do a full factory reset? It really shouldn't be, because you can really do that full factory reset; Apple is gonna take you right back to what you got when it was shipped. So it really should not be there.
I am going to talk about securing it too. I think it is important to understand how to break this stuff, but we need to know how to secure and protect this stuff too. So let me just run through deleting this. If you go ahead and you delete it, what you would see if you are deleting limera1n is that it just gives you a little signal that it's deleting it. And where you go to delete it: you delete it through the iTunes Store (see image). Let me just fire up the iTunes Store. Here is the check for the update; I actually have the latest. And you have the option to go ahead and click Restore. Let's send my iPod back to where it was. The next thing that would happen is it would actually go and talk to Apple. And it would say: "Okay, I'm gonna go to the initial point." It's not necessarily that it's jailbroken; it's just doing a reset. So it goes out to Apple, it does the reset, and it will actually bring this back either to full factory or back to where you were with your photos and your songs.
Let's talk about some other reasons that people want to do this. There is the SIM, your subscriber identity module; it connects to your carrier. It restricts the devices based on mobile network code and country code. And some people want to be able to use it in a different way, like: what if I want to use another carrier? That's one of the things that people do, and you do need to actually break the phone to do that.
I said before, iOS is device, device, device, it is all the same. Well, a little bit different. The iPad has a new kind of SIM; it's got the micro SIM. So although it is using iOS, you're gonna have a different SIM card in there. And with the SIMs and the type of SIM, that is why people want to do it: I don't like AT&T, I want to get off. Does it make it less secure? If you are not careful, absolutely, it does. Does anybody know what 'alpine' is? It is the root password on all of the devices. So you just jailbroke your phone. And we know root is really important. So you jailbreak your phone and you make it accessible remotely. And if you don't change your root password, everybody in the world knows what the password to be in complete control of your phone is. That, to me, makes it a little bit less secure. You can change your root password. You can actually get a command line interface and go ahead and change your root password on your iPod after you've jailbroken it. But remember, you're gonna have to do that. So in my mind, I think it is less secure unless you really know what you are doing.
We have seen a worm come out. This isn't necessarily related to jailbreaking, but there was a worm, a proof of concept.
And I've got a quick question: what if I don't install the SSH [2] terminal? Yes, you can still have the same problem in terms of it being remotely accessible. And also it's gonna limit what you can do with the jailbroken phone. Again, if you are installing these packages, you really need to know what you are doing.
Let's go back to the Ikee worm [3], November 2009, sort of the first known one. Like any kind of attack, it started out as a proof of concept. Remember the Morris worm? He just wanted to see if he could spread email through the university system. Nobody expected it to be as bad as it was. So this is also a proof of concept. It wasn't malicious, no damage. It just rickrolled your screen. So there was a singer, Rick Astley; it was his song from the '80s, infectious and catchy and good too. And rickrolling is when you send people over to that. Because, to this gentleman's point, it cannot be psychologically damaging if you have to hear this.
But what did it prove? It proved we could do something with it. And about two weeks later, somebody somewhere decided: "Okay, let me pick up on the exploit that was in there." And they did, so it was like it came from ING. And it is not that ING is insecure; this just happens to be what the attackers like. They like names that people trust. I was just at the local branch of my bank, and I felt very, very sad. I heard this gentleman talking to the person at the desk, and all I heard was: "But it had the Bank of America logo. I wouldn't have clicked otherwise." Attackers love banks because we tend to trust them. It was a fake login page. And this particular exploit did in fact install command and control, the kind of agent that you need for a botnet.
And this one, AT&T wouldn't want this to come up. But it came out in the headlines a lot as: "iPads are insecure." And if you really unpack what happened in this AT&T breach, I think that we could more accurately say the application, the web server that AT&T was using, was insecure, and it did lead to a breach of information which was on the backend. There was a problem with that application, and it did expose username information for iPad owners. And it was email addresses and the ICCID, which is the integrated circuit card identifier, so information about the hardware and information about the user.
But again, in security we're always climbing the attack ladder because the attackers are climbing the attack ladder. Maybe linking an email to the ICCID is gonna be something that can be exploited later. And in another attack like this, the stress was put on: "Yes, but it is only your email address, and that's basically public." That's true, but it was your email address, and there was the fact that you were getting emails from, say, Disney World; you know, Disney communicated with you. Now, the Epsilon breach means the attackers know that Disney communicates with you. So it could lead to spear phishing.
So this could lead to deeper kinds of attacks; I think absolutely it is quite possible. But it was really more AT&T; it did come out a lot with the iPad, but it wasn't strictly an iPad problem.
[1] DRM (digital rights management) is a class of access control technologies used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices after sale.
[2] SSH (Secure Shell) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers, a server and a client (running SSH server and SSH client programs, respectively), which it connects via a secure channel over an insecure network.
[3] The Ikee worm was the first known iPhone worm, discovered in November 2009; it infected jailbroken devices and changed their wallpaper to an image of 1980s pop crooner Rick Astley.