Hacking Team hack reveals why you shouldn't jailbreak your iPhone

An Italian firm with the appropriate name Hacking Team suffered a massive breach in its company data Sunday, and 400GB of internal documents so far have been released and are being analyzed by reporters and security researchers. Hacking Team's customers are government agencies, including both law enforcement and national security, and the ostensibly legal software it sells to help them intercept communications includes not-yet-exploited vulnerabilities, known as zero-days.

Much has been speculated before and after Edward Snowden's release of a trove of National Security Agency (NSA) documents in 2013 about the capabilities of the United States' agencies as well as those of allies and enemies. The Hacking Team dump reveals quite a bit more about the routine functions of third-party suppliers in that ecosystem, including specifically enumerated capabilities.

iOS users should therefore take note that the long-running concern that jailbroken iPhones and iPads were susceptible to vulnerabilities that could include access by so-called state actors appears to be confirmed by the data breach.

Two security outfits, the commercial Kaspersky Lab in Russia and the academic Citizen Lab in Canada, first revealed in June 2014 that they had discovered and decoded Hacking Team's smartphone-cracking software. The reports at that time indicated that only jailbroken iOS devices could be hijacked directly, but that malware could also be installed on a non-jailbroken iOS device when it was connected to a computer that the device had confirmed as trusted and that had itself been compromised.

That external analysis has now been complemented by Hacking Team's internal documents. One price list shows a €50,000 ($56,000) price tag on an iOS snooping module with the note, "Prerequisite: the iOS device must be jailbroken."

While jailbreaking an iOS device to install software has been a continuously sought-after option, and one that's constantly revised by different parties as Apple fixes the exploits that allow it, there's always been a concomitant knowledge that jailbreaking renders an iPhone or iPad vulnerable. Apple is certainly protecting its ecosystem, but researchers agree it's also protecting system integrity.

Nick DePetrillo, a principal security researcher at Trail of Bits, says, "Jailbreaking your iPhone is running untrusted third-party exploit code on your phone that disables security features of your iPhone in order to give you the ability to customize your phone and add applications that Apple doesn't approve."

DePetrillo takes no position on Hacking Team or sideloading apps, but notes that from a security perspective, the latest jailbreaking software is designed to obfuscate how it works, comes from teams based outside the United States, and disables several security features.

Although installing the malware on a jailbroken iOS device would seemingly require physical access, the related exploit of jailbreaking via malware installed on a trusted computer would allow bypassing that limitation.

Researchers have also found so far that Hacking Team holds a legitimate Apple enterprise signing certificate. Such a certificate is used to create software that can be installed by employees of a company, provided they have accepted or installed a provisioning profile that allows apps signed by that certificate to run. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software.

In a stunning bit of irony, Hacking Team had many of its online accounts at social media and other sites hijacked because of poor password choices and because it stored passwords in forms that were easily readable by whatever party performed the data breach.

What can you do to protect yourself against Hacking Team and similar software? Most people are not in danger of having this software used against them, because Hacking Team's approach focuses on individual devices rather than mass interception. (Other companies and agencies work on that.) Apple's iOS security is apparently good enough that the only known vectors are a jailbroken device or a compromised Mac to which an iOS device is connected and trusted.

Should you never plug an iPhone or iPad into a Mac and click Trust when prompted? It's hard to say "never," unless you're at risk of reprisal for your political activities in your country. Governments are known to use these sorts of techniques only against pinpointed individuals of interest, because widespread use would disclose the techniques and allow operating system and other software makers to protect against them.

You can imagine that anything disclosed in this breach will be turned into fodder for Apple, Google, and others to fix wherever that's possible.

Stories by Glenn Fleishman