iPhone security has been front and center the past two weeks, with much of the focus falling on jailbroken devices.
Between the ikee worm and the discovery of a tool that allows attackers to steal data from jailbroken phones, some have wondered whether jailbroken iPhones are inherently insecure. But are they? The true answer to this question is a mix between yes and no-but experts agreed they are clearly less secure than standard iPhones.
"It's not necessarily insecure, but it's certainly less secure as it breaks the entire security model [created by Apple]," noted security researcher Charles Miller. "That said, if you have a jailbroken iPhone without a standard password in sshd, I'm not aware of any exploits against it at the moment."
Attempts to jailbreak the iPhone are nothing new, as users have continually found ways around Apple's restrictions in order to install unauthorized applications. Jailbreaking has become a pastime for groups like the iPhone Dev Team, which early this year published a list of tips focused largely on keeping jailbroken iPhones secure at the DEFCON 17 conference in Las Vegas.
In the case of the ikee worm and the hacker tool mentioned above, the issue at hand is jailbroken iPhones running SSH with a default password, something security researchers have warned against for some time. While the worm doesn't have much of an impact beyond changing the user's wallpaper to an image of 1980s pop singer Rick Astley, the tool allows attackers to swipe personal data off the device. Addressing both these threats, however, only requires jailbreakers to change their password.
Forrester Research analyst Andrew Jaquith pointed out users don't need to install OpenSSH when they jailbreak their iPhones. However, from the standpoint of potential risk, there are other things that can affect users as well.
"But even though you don't need to install OpenSSH, a lot of people do-it's listed as one of those 'must-have' apps on several jailbreaking boards. ... Anything that adds a service that listens on a network port adds to the attack surface. I've mentioned OpenSSH, of course. But did you know that the Apache HTTPD Web server has been ported to the iPhone and can be installed on jailbroken phones? That's the kind of thing I'm talking about," he said.
For enterprises concerned about managing the iPhone, jailbreaking could pose an additional hurdle, Jaquith said. For example, if a user has jailbroken his phone, he may be able to modify it to bypass mandatory security policies like the phone-unlock PIN code, he added.
But even if the jailbroken devices are not inherently insecure, many analysts and researchers agree that they are less secure than standard iPhones. Apple designed the iPhone with layered defensive architecture, Miller explained, and jailbreaking the phone busts through all those layers. The point of jailbreaking after all is to install additional software, which by itself increases the attack surface, he said.
"It turns out, at least on older iPhones, that code signing is enforced via memory protections so that turning off code signing turns off features of DEP [data execution prevention] too-there goes [the iPhone's non-executable memory]," Miller said. "Many of the apps, such as sshd, or even the installer Cydia run as root with no sandbox, there goes [least privileges and sandboxing]."
Gartner analyst John Pescatore agreed, adding that jailbreaking can have unintended effects for business users as well.
"Basically, a jailbroken phone means the iPhone is about as secure as a Windows PC without any security add-ons like personal firewall [or anti-virus]," he said. "iPhones are not manageable by enterprises anyway-it is a consumer-grade product, with no actually supported management tools. A jailbroken iPhone is even worse, however. When iPhone software updates come out, pushing them onto a jailbroken phone has unpredictable consequences-and the likelihood of a lot more support calls. Plus, there's much higher likelihood that the user has diddled the user interface and other things that can break ... legitimate business apps that may have been in use."