In the last few weeks, we’ve seen a raft of hyperbolic headlines about iOS security. News of a jailbreak for iOS 12.4 was followed by Google Project Zero’s reports of iOS exploits used in the wild.
Today, I’m going to recap these two events, and add some context, based on our coverage of the mobile threat defense space, enterprise mobility, and mobile security in general.
The iOS 12.4 jailbreak
The conventional wisdom on iOS jailbreaking is that these days most public jailbreaks trail the current iOS release by a version or two, and that as iPhones have grown more feature-rich, the consumer incentive to jailbreak has faded away.
But on August 19, a jailbreak was published for iOS 12.4, the first time in years that a public jailbreak worked against the current version of iOS. (Read more from Kyle in the Friday Notebook.) Apple patched the vulnerability that enabled the jailbreak a week later.
More widespread hacking
The conventional wisdom on iOS attacks that truly target the device itself (as opposed to a local TV weather app that tracks your location, or an SMS message that tries to trick you out of your password) is that they are very highly targeted. We're used to hearing about exploit chains for these costing a million dollars and being used one at a time.
However, on August 29, Google's Project Zero and Threat Analysis Group published findings about a much broader watering hole attack in the wild. A "small collection" of websites, active for over two years and getting "thousands of visitors per week," were installing spyware on iPhones that happened to visit them, including devices that were fully up to date at the time; Project Zero described several exploit chains spanning iOS 10 through iOS 12. The implant could read just about anything: unencrypted message databases from various apps, including iMessage; the device keychain, including passwords and certificates; user location; photos; contacts; email in the iOS Mail app and third-party apps; and more. The vulnerabilities were patched in February, in iOS 12.1.4, so the campaign ran against current devices until then and against unpatched ones afterward.
So, is the sky falling, and is conventional knowledge wrong?
There will always be breathless headlines about any security incident, even about tiny vulnerabilities that were never actually used in an attack. It can be hard to sort out which events actually deserve attention.
In this case, yes, the attack is indeed much broader than others we’ve seen before, and it is bad news. However, we still need to put it in the proper context.
First, it's still relatively targeted. The sites drew several thousand visits a week over two years, but remember that the global iPhone install base is now over 900 million.
Second, while we need to rethink some aspects of our mobile security model (i.e., how broad these types of attacks can be), this doesn't invalidate the rest of the model. Modern mobile OSes are still fundamentally very different from 1990s- and 2000s-era endpoints. For most organizations, compromised accounts and credentials and phishing are still a bigger concern than mobile malware.
Third, like any incident, we need to remember the usual defense-in-depth and security hygiene principles. Contextual access and MFA limit the reuse of stolen passwords (though not necessarily of session tokens an implant lifts straight off the device); containerized mobile apps can add their own layer of encryption, independent of the device; remote display technologies keep data off the device entirely when we don't want it there; and web-filtering technologies can work on mobile devices, too, which matters for a watering hole. This is also a good reminder that sometimes phones and tablets need to be locked down just like other devices: not every mobile device needs personal information on it.
Fourth, for those who may not be familiar, the mobile threat defense (MTD) and EMM industries have products that aim to protect against these attacks. Most EMM agents include some form of jailbreak detection, and MTD products can inspect the device or its network traffic for indicators of compromise. EMM can also enforce patching and minimum OS version policies, which is relevant here because the exploited bugs were fixed in iOS 12.1.4, months before the campaign was disclosed.
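To make the contextual-access and OS-version-policy points concrete, here is an added example (my own, not code from any EMM or MTD vendor) of a policy check run over an EMM inventory export. The record fields, the sample inventory and the choice of iOS 12.1.4 as the version floor are assumptions for the example; a real EMM applies the equivalent rule on the server side.

```python
"""Contextual-access check over an EMM device inventory (added example).

Assumptions: each inventory record carries the fields below (hypothetical
names), the EMM/MTD agent reports a jailbreak flag, and the organization
uses iOS 12.1.4, the release that fixed the exploited bugs, as its floor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Version floor (assumption): the release named in the post as fixing the
# watering-hole exploit chains. Raise it as new fixes ship.
MIN_IOS_VERSION = "12.1.4"


def parse_ios_version(version: str) -> Tuple[int, ...]:
    """Turn '12.4' or '12.4 (16G77)' into a comparable tuple.

    Pads to three components so '12.4' sorts below '12.4.1', drops a
    trailing build identifier, and raises ValueError on anything else.
    """
    tokens = version.strip().split()
    if not tokens:
        raise ValueError("empty version string")
    parts = [int(p) for p in tokens[0].split(".")]  # ValueError if not numeric
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version format: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Device:
    device_id: str
    os_version: str      # as reported by the EMM inventory
    jailbroken: bool     # as reported by the EMM/MTD agent (a heuristic)
    managed: bool        # enrolled in EMM at all


def evaluate(device: Device, min_version: str = MIN_IOS_VERSION) -> Tuple[str, List[str]]:
    """Return ('allow' | 'deny', reasons). Unparseable versions fail closed."""
    reasons: List[str] = []
    if not device.managed:
        reasons.append("not enrolled in EMM")
    if device.jailbroken:
        reasons.append("jailbroken per agent report")
    try:
        if parse_ios_version(device.os_version) < parse_ios_version(min_version):
            reasons.append(f"os {device.os_version} below floor {min_version}")
    except ValueError:
        reasons.append(f"os version unparseable: {device.os_version!r}")
    return ("deny" if reasons else "allow", reasons)


def summarize(inventory: List[Device]) -> Dict[str, List[str]]:
    """Group device IDs by access decision, for a quick compliance report."""
    report: Dict[str, List[str]] = {"allow": [], "deny": []}
    for device in inventory:
        decision, _ = evaluate(device)
        report[decision].append(device.device_id)
    return report


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    Device("ip-001", "12.4", jailbroken=False, managed=True),
    Device("ip-002", "12.1.3", jailbroken=False, managed=True),   # never got the fix
    Device("ip-003", "12.4", jailbroken=True, managed=True),      # agent flagged it
    Device("ip-004", "12.4 (16G77)", jailbroken=False, managed=False),  # BYOD, unenrolled
    Device("ip-005", "unknown", jailbroken=False, managed=True),  # bad inventory record
]

if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        decision, why = evaluate(d)
        print(f"{d.device_id}: {decision} {'; '.join(why)}")
    print(summarize(SAMPLE_INVENTORY))
```

Two design points are worth noting. Unparseable version strings deny rather than allow, because an inventory gap should not silently grant access. And the jailbreak flag is only as trustworthy as the agent that produced it: an agent running inside the normal app sandbox can be lied to by an implant that already owns the kernel, which is exactly the visibility argument MTD vendors make against Apple.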
What else is happening in the mobile security industry?
There's an argument, most notably made by Zuk Avraham, founder of Zimperium and ZecOps, that Apple and others should give MTD agents more visibility into the device. Currently, they're sandboxed just like any other app, so they can only observe what Apple's public APIs expose to any app. For now, we'll just have to watch for Apple's next move.
Earlier this summer at Black Hat, Apple announced a new program to give special, more open devices to security researchers. However, this doesn't change the capabilities of enterprise devices and MTD agents out in production.
On the macOS side, Apple is quickly phasing out the use of kernel extensions for third-party security agents. Instead, they'll use the new Endpoint Security framework, delivered as a system extension that runs in user space. (We went deeper on this when Jamf acquired Digita Security.) So far I haven't heard any arguments along the lines of "Hey, we used to be able to do things with kernel extensions that we can't do anymore with Endpoint Security," but again, we're watching the space. Either way, perhaps this is a model that could transfer over to iOS.
Is this big news? Yes. Does it change our entire fundamental model about the nature of modern mobile security? No. What it does is change one of the parameters of our model.
As usual with security news, I saw some less-than-thoughtful, FUD-y coverage, as well as some more nuanced articles.
The Google Project Zero blog post, written by Ian Beer, was thoughtful. He wrote:
"I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident."
Is this an event that will prompt more people to thoughtfully consider their mobile security model? I hope so. I think awareness has been growing steadily, especially compared to when we first started covering mobile threat defense several years back. But there’s still a ways to go.