How jailbroken iPhones break firm security


Summary: Apple iPhones are increasingly being used as a sanctioned corporate device. Yet a modded iPhone, made through the popular process of jailbreaking, can punch a hole in network security.



(Credit: Darren Pauli/ZDNet Australia)

Security researcher Kaan Kivilcim, who works for Sydney information security firm Sense of Security, created an attack demonstration to show that, once jailbroken, an iPhone has the same functionality and is exposed to the same risks as a computer, a fact that iPhone users and security administrators can easily overlook.

"The real risk is people do not understand what iPhones are capable of," Kivilcim said. "But [iPhones], Androids and modern Nokias are in a league of their own — they are basically cut-down Unix computers with all the functionality of a laptop computer, but corporations are still considering them as just mobile phones."

Jailbreaking circumvents the security and access controls on the device, giving users access to hidden functionality and allowing them to install unauthorised software.

An attack demonstration by Kivilcim, detailed in the video above, shows that a modded iPhone can create a bridge between the public internet and a "secure" internal network.

Bridged access is created, in this case, by port-forwarding from the external-facing side of the iPhone into the internal network, which lets an attacker expose internal network resources to the outside.

However, it requires a user to either deliberately initiate the attack, or be conned into doing so. "The average user doesn't understand the security implications for jailbreaking," Kivilcim said. "Jailbreaking doesn't open a security hole per se, but it increases the risk of one due to a vulnerability or mis-configuration."

A real-life example of such an attack comes from earlier jailbreak versions, which enabled Secure Shell (SSH) by default. SSH is the terminal interface that allows remote management of the device and grants access to the core operating system.

That capability exposes the root account on the device to brute-force attacks, which mattered less for the pioneering enthusiasts than it does now for inexperienced users, because most jailbreaks set the root password to a default that is typically listed in online jailbreak documentation.

"The average user won't know anything about that — they are just interested in installing free games and applications," Kivilcim said, adding they would also be ignorant if their password had been compromised.

The latest jailbreaks do not appear to install SSH; instead they include package managers, such as Cydia, through which users can install SSH optionally. These jailbreaks still leave the default root password in place, but it cannot be used remotely without SSH.

But it is quite possible that users may install older, vulnerable jailbreak kits.

Organisations cannot prevent jailbreaking, but they can install remote management systems that enforce group policies and restrict configurations. Such software can also detect jailbroken phones, allowing them to be restricted from the network.
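The following is an added illustration, not code from the article or from Sense of Security, of how a remote management system can reach the decision described above. It combines two kinds of evidence: what the device's management agent reports about itself, and what the network observes about the device (for instance, whether an SSH service answers on its Wi-Fi address, which stock iOS never runs). All field names, the version threshold and the sample inventory are constructed assumptions for this example; the agent's self-report is deliberately treated as one signal among several, since an agent running on a jailbroken device is exactly the component whose controls have been circumvented.

```python
"""Network-admission policy for managed iPhones (added example, assumptions labelled)."""
from dataclasses import dataclass
from typing import List, Tuple

SSH_PORT = 22

# Display name of the package manager the article mentions. Matching on the
# app's display name is an assumption about how an MDM agent reports apps.
JAILBREAK_APP_MARKERS = {"cydia"}


@dataclass(frozen=True)
class DeviceRecord:
    """One device as the management system sees it (field names are assumptions)."""
    device_id: str
    os_version: str            # version string reported by the agent, e.g. "4.3.3"
    agent_jailbroken: bool     # the agent's own jailbreak check; untrusted on its own
    installed_apps: List[str]  # app display names reported by the agent
    open_tcp_ports: List[int]  # ports answering on the device's Wi-Fi address, from a network scan


@dataclass(frozen=True)
class Decision:
    device_id: str
    action: str                # "allow" or "quarantine"
    reasons: Tuple[str, ...]   # every finding that contributed to the action


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "4.3.3" into (4, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(record: DeviceRecord, min_os: str = "4.3.0") -> Decision:
    """Apply the policy to one device; any finding quarantines it."""
    reasons = []
    if record.agent_jailbroken:
        reasons.append("agent reports the device is jailbroken")
    found = sorted(app for app in record.installed_apps if app.lower() in JAILBREAK_APP_MARKERS)
    if found:
        reasons.append("jailbreak package manager present: " + ", ".join(found))
    if SSH_PORT in record.open_tcp_ports:
        # Network-side evidence: stock iOS runs no SSH server, so an answering
        # tcp/22 points at a jailbreak even when the agent says otherwise.
        reasons.append("SSH (tcp/22) answers on the device; stock iOS runs no SSH server")
    if parse_version(record.os_version) < parse_version(min_os):
        reasons.append(f"iOS {record.os_version} is below the required minimum {min_os}")
    action = "quarantine" if reasons else "allow"
    return Decision(record.device_id, action, tuple(reasons))


def evaluate_fleet(records: List[DeviceRecord], min_os: str = "4.3.0") -> List[Decision]:
    return [evaluate(r, min_os) for r in records]


# Constructed sample inventory. Device 002 shows why the agent's self-report is
# not enough: it claims not to be jailbroken, yet Cydia is installed and SSH answers.
SAMPLE_INVENTORY = [
    DeviceRecord("iphone-001", "4.3.3", False, ["Mail", "Safari"], []),
    DeviceRecord("iphone-002", "4.3.3", False, ["Mail", "Cydia"], [22]),
    DeviceRecord("iphone-003", "4.2.1", True, ["Mail"], []),
]

if __name__ == "__main__":
    for decision in evaluate_fleet(SAMPLE_INVENTORY):
        print(decision.device_id, decision.action)
        for reason in decision.reasons:
            print("  -", reason)
```

Run stand-alone, the script quarantines devices 002 and 003 and lists the findings for each; the first device passes. In a real deployment the network scan would be replaced by whatever the access-control layer already collects, and the version threshold would track the patch level the organisation requires.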

The same security risks apply to the more open Android devices, but Kivilcim said the proprietary operating system on BlackBerrys is more secure, as it has only limited functionality and the internals of the system are not as well known outside the manufacturer, Research In Motion.


Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.


Talkback

1 comment
  • I assume that this would be applicable in tethered or wireless connections to the internal network by the iPhone?

    I would also be interested to know why nc was used instead of SSH loopback?
    cmlh