Ending her InfoSec World presentation, Diana Kelley talks about securing the iOS, configurable safety restrictions, and draws final conclusions on the topic.
If you’re gonna go ahead and jailbreak, please know about the Secure Shell (SSH)¹ tool, and know about the remote access. And if you have to have to jailbreak – change the Root password. I would also say: “Really think about what you are going to do in terms of why you want to jailbreak and why it is so important”. You are not a researcher, you are not in the lab, you are not a developer. Do ask yourself why you need to jailbreak that device. If you’ve got employees that are saying: “But I have got to do it”, make them justify really strongly why they need to jailbreak this device. It’s adding a layer of complexity to your job and you are losing some of the control.
Securing the iOS itself, you turn on the Passcode Lock and turn off the Simple Passcode. For the Auto-Lock – you tell it when it’s gonna time-out. And we can do all of this if you got your iOS devices, we can go ahead, I’ve actually got screenshots for all of these. And then the restrictions as well. So applications and functions, you can do this remotely and centrally, but I am gonna show you what that means.
So the Auto-Lock – you have the option to go ahead and change that. Your Password Lock again, you wanna have this. And you wanna turn on some of the restrictions.
If you got your Passcode on, this will unlock this screen and then you can say if you want the Passcode on or off (see image). And here, remember we were saying we could have a stronger or less strong Passcode. This is what they mean. Back originally, it was like the PIN, it was like a 4-digit PIN to login, so you didn’t have the option to do a stronger Passcode. You can now do a stronger Passcode but you need to force that. So you set that. And again, this can be done centrally over-the-air too.
Let’s check if we could set, say, a one character password. Okay, let’s go. Alright, Passcode, Simple Password OFF, turn Passcode ON. Alright, just any character, we will use an ‘I’ – done. So strong Password will allow you to have this. That’s good to know. So strong Password, again, is 4 digits, but it apparently lets you circumvent. So we just set the Passcode, we set it to ‘I’, it turns out we did find the way to work around of being very strongly secure.
Auto-Lock – the question here is really how quickly it locks when somebody’s got this out in the back. People leave their phones by accident, people get up, they leave them, like at the meeting, right, you just got to run out. So, you know, trying to get it on the least annoying – one minute can be pretty annoying for your users.
Your restrictions here: you can actually say: “You can’t install apps”. So that can be very helpful. You can also set it so you can’t delete apps, so deleting apps is not a possibility. So you have some level of control over what your users can and can’t do in terms of the applications (see image to the left).
The Passcode attempts – if you want you can have your data auto erased (see image). The reason I am showing you this based on the screen like this is so that you can see where on the iPod or other iOS device this kind of control exists, but if you are in an enterprise please do not do this on every machine individually. What you want to use is you want to do the centralized management and you push it out to the machines. And this is just to give you an example of the kinds of things you would put into your policy.
And here is another one, this is on the erased data, so when you want and go ahead and say: “After a number of failed logins I want you to erase this”, and this is just an example, I set the restrictions. And again, you can set this from a central point and push it out to your users.
Just some last final thoughts, thinking about what we’re doing with the iOS. I’ve heard the jailbreaking was getting harder. But the last round, in the last couple of weeks, it looks like it’s been a little bit easier to get the jailbreaks out. So it is an arms race. It is moving pretty quickly, but Apple is very intent on not making the phones jailbreakable, and researchers and attackers are intent on making them jailbreakable.
So we will see what keeps going on in the iOS and also if they will have better control over the apps in the App Store. One more thing you can think about as you are looking at this in the iOS and I think it is about all mobile, which is do you really need to store that much data on the backend? Sure, let them have their movies and let them have their music. But do you really need to allow your users to download sensitive documents on to their phones? How about just viewing it? They can view it on the server when they are connected to the network. Who is not connected to the network anymore? But they cannot download it.
So think about that. Because that is one way of tethering our data. It is not tethering the phone, tethering our data is a really good way to start to protect that data. I think it is usable. They get it through a VPN, so they’re reading it. Not visible when they close the connection? It is not on their device anymore.
So some of the new research, there is a lot of research that is coming out. At Black Hat DC 2011 some of the more notable stuff was breaking out of the sandbox itself, which was Dionysus Blazakis’ presentation. And then some over-the-air attacks, we are talking about that remote access, and this one was actually against the processor itself of the phone. So some interesting areas of research, especially if we start getting some sort of hardware remote type attacks. So there is active research in the protection. There is active research in the attack side of it as well.
Some final take-aways. Really please think about jailbreaking and if you need to jailbreak. It looks fun but what is the end state, what is the purpose of it? Have a good business reason. Make sure anybody in your company who wants to do this justifies to you that they really have a good business reason to do it. And if you’re gonna do it – know what you are doing.
There are exposures, we’ve got carrier exposures, network exposures, they’re gonna be outside of your control. If AT&T or T-Mobile has a problem with their network, that’s not necessarily something that you can do yourselves. There are security features in the iOS – turn them on, although we’ve found an interesting workaround to one of them. So don’t not keep this turned on. You may get some push back from your executives, especially with the passwords, but you are doing a lot in terms of protection, because these devices, if they get lost or missing, they are not protected at all. It’s gonna be a lot easier to hack the data out of them. So you wanna do that. And definitely look for something central, whether it is native or something that you are buying, that’s third party.
At the end I have some links for you guys to use. RedSnow comes after Pwnage Tool², it is the same development team. So if you are interested in the tool I used today it is that. If you want to take a look at Cydia without actually jailbreaking, you can look at Cydia, Cydia is that jailbreaking after the fact app store, so you can go ahead and take a look at it. And if you want to read more about that native Over-The-Air Enrollment and control with the iOS, you also have this link at www.apple.com.
1 – Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked devices that it connects via a secure channel over an insecure network: a server and a client.
2 – PwnageTool is an iPhone jailbreaking application for Mac OS X that creates custom iOS firmware images to user-defined specifications.
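The passcode, auto-lock and erase-after-failed-attempts settings covered in the talk, expressed as a centrally pushed policy and checked before deployment. This is an added example, not material from the presentation: it builds a configuration profile passcode payload with Python's `plistlib` and audits it for the gap shown in the demo, where Simple Passcode off without a minimum length still accepts a one-character passcode. The `com.example.*` identifiers, the function names and the thresholds (6 characters, 5 minutes) are assumptions.

```python
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def passcode_payload(**settings):
    """Passcode payload dict; the com.example identifier is a placeholder."""
    return {"PayloadType": PASSCODE_TYPE, "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.passcode",
            "PayloadUUID": str(uuid.uuid4()), **settings}

def build_profile(payload):
    """Wrap one payload in a configuration profile and serialize it as XML."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy (constructed sample)",
        "PayloadContent": [payload]})

def audit_profile(data, min_length=6, max_idle_minutes=5):
    """Return findings for a serialized profile; thresholds are assumptions."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    policies = [p for p in payloads if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        return ["profile: no passcode payload present"]
    findings = []
    for p in policies:
        if not p.get("forcePIN", False):
            findings.append("forcePIN: passcode is not required")
        if p.get("allowSimple", True):
            findings.append("allowSimple: simple passcodes are permitted")
        # Without a minimum length, "Simple Passcode off" still accepts
        # a one-character passcode, as the demo in the talk showed.
        if p.get("minLength", 0) < min_length:
            findings.append(f"minLength: below {min_length} or unset")
        if not 0 < p.get("maxInactivity", 0) <= max_idle_minutes:
            findings.append("maxInactivity: auto-lock unset or too long")
        if "maxFailedAttempts" not in p:
            findings.append("maxFailedAttempts: no erase after failed attempts")
    return findings

# Constructed samples: WEAK mirrors the on-stage setting, HARDENED closes it.
WEAK = build_profile(passcode_payload(forcePIN=True, allowSimple=False))
HARDENED = build_profile(passcode_payload(
    forcePIN=True, allowSimple=False, minLength=8,
    maxInactivity=2, maxFailedAttempts=10))

if __name__ == "__main__":
    for name, data in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(data) or "no findings")
```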