The truth about HackingTeam, jailbreaking and iOS – and how to keep your device safe


Editor's note: Will Strafach (@chronic) runs a mobile security services firm that helps enterprises protect their employees and confidential data from mobile threats. Fast and thorough analysis of the compiled binaries found within the HackingTeam dump was possible using their upcoming cloud-based iOS application analysis platform, which uses pattern-matching and heuristic techniques to detect threats and privacy leaks within applications installed on enrolled mobile devices. He can be reached at will@wstraf.me if any readers have further questions or concerns regarding HackingTeam or other iOS malware.

Written by: Will “Chronic” Strafach

There has been a lot of mixed information and speculation in the media recently regarding the HackingTeam leak and what it all means for iOS users. Do the surveillance tools the group has reportedly provided to governments and law enforcement present a risk to the average iPhone and iPad user? That's a question we've been getting a lot, so I will attempt to present all of the facts based on the recently leaked documents detailing HackingTeam's tools, as well as my opinion on the impact of certain aspects for iOS devices. Advanced users will already be aware of what I am about to state, but for everyone else, here's what we're dealing with:


The Fake Newsstand Item

There has been a panic over the “fake Newsstand item” app that is within the HackingTeam file dump. The application has a blank icon, and hides itself within the Newsstand folder, to make it as “invisible” as possible. It is designed to grab the following data, and send it to the attacker’s server:

– Contacts (First Names, Last Names, and Phone Numbers)
– Calendar contents
– Photos (and their geolocation data)
– Precise GPS coordinates of the victim
– Keypresses (Utilizing a “custom keyboard”)

Many people are concerned that this spyware is capable of working on non-jailbroken devices, a realization likely stemming from the fact that a compiled IPA of this app within the dump was signed with an Enterprise Certificate, a type of Apple Developer certificate that has no device limit (applications signed with an Enterprise Certificate can be loaded and run on any iOS device). One thing that many are not pointing out, however, is that this application does not look ready for deployment. As it stands right now, the only way to get this onto an iOS device is to have physical access to the device and do the following:

1. Get past the lock screen of the device
2. Plug device into a computer
3. Hit “Trust” on the device, when asked whether to allow the host to connect
4. For minimal footprint, use a custom tool such as “ios-deploy” to install the spyware onto the device
5. On the device, it must be confirmed that "you" indeed trust the developer "HT, srl" for the app to be able to run
6. It must then also be confirmed that the application has permission to access Contacts, Calendars, Photos, and Location
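The traits described above (an Enterprise profile that provisions any device, a custom keyboard used to capture keypresses, background location, a blank name) can be checked for in an unpacked app bundle. The following triage script is an added example, not code from the article or from the HackingTeam dump; the property-list keys it reads are standard Apple keys, while the sample profile and Info.plist contents are constructed here for illustration.

```python
"""Heuristic triage of an unpacked iOS app bundle for the traits the fake
Newsstand app shows. Sample plists below are constructed, not from the dump."""
import plistlib

def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a CMS-wrapped embedded.mobileprovision.
    The CMS signature is NOT verified here; this only reads the payload."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def triage(app_info: dict, profile: dict, extensions: list) -> list:
    """Return human-readable findings; each check maps to a trait in the article."""
    findings = []
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise profile: installs on any device, no UDID limit")
    if "location" in app_info.get("UIBackgroundModes", []):
        findings.append("background location: GPS can be read while not in foreground")
    for ext in extensions:  # Info.plist of each bundled app extension
        nsext = ext.get("NSExtension", {})
        if nsext.get("NSExtensionPointIdentifier") == "com.apple.keyboard-service":
            attrs = nsext.get("NSExtensionAttributes", {})
            if attrs.get("RequestsOpenAccess"):
                findings.append("custom keyboard requests Full Access: keystrokes can leave the device")
            else:
                findings.append("custom keyboard extension present (no network without Full Access)")
    if app_info.get("CFBundleDisplayName", "").strip() == "":
        findings.append("blank display name: app is trying to be invisible")
    return findings

# Constructed sample: junk bytes stand in for the CMS wrapper around the plist.
SAMPLE_PROFILE = (b"\x30\x82\x01\x00constructed-cms-header"
                  + plistlib.dumps({"Name": "constructed profile",
                                    "TeamName": "EXAMPLE TEAM (constructed)",
                                    "ProvisionsAllDevices": True})
                  + b"\x00\x00constructed-trailer")
SAMPLE_APP_INFO = {"CFBundleDisplayName": " ", "UIBackgroundModes": ["location"]}
SAMPLE_KEYBOARD_INFO = {"NSExtension": {
    "NSExtensionPointIdentifier": "com.apple.keyboard-service",
    "NSExtensionAttributes": {"RequestsOpenAccess": True}}}

def triage_sample() -> list:
    """Run the checks over the constructed sample bundle."""
    return triage(SAMPLE_APP_INFO, extract_profile_plist(SAMPLE_PROFILE), [SAMPLE_KEYBOARD_INFO])

if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

On a real bundle, `extract_profile_plist` would be fed the bytes of `embedded.mobileprovision` and `triage` the parsed `Info.plist` of the app and of each `PlugIns/*.appex`.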

But even if an adversary who already knew your passphrase was able to swipe your iOS device, load the spyware onto it, and put your device back in place without you noticing, the following would be red flags for the user:

– Strange new keyboard enabled in the Settings menu
– Faster battery drain due to background operations

This is a moot point in my opinion, as the code is haphazard and does not look finished. It is simply not in a state that would make much sense for HackingTeam to let their "clients" utilize. Discretion seems to be important to HackingTeam, and the process of installing this spyware, along with the indicators it leaves behind, is anything but discreet.

Jailbreak Prerequisite

For HackingTeam to support the latest revisions of iOS in their publicly released tools, the device being jailbroken is a prerequisite. This does not mean you are any more or less likely to be targeted by HackingTeam if you are using a jailbroken iOS device, as the use case according to the dump is as follows:

1. Their client must have physical access to the target device (again)
2. Their client must first use a tool such as “evasi0n” or “pangu” to jailbreak the device
3. The jailbreak-tailored spyware “implant” can be loaded onto the device when jailbroken, set up to launch upon every boot

When you jailbreak a device, you are already neutering security features in order to get full access to the device. When you download packages from Cydia, you are trusting those packages 100% to do only what they say they will do, as they have a lot more power than a sandboxed application downloaded from the App Store. When you download a "tweak" from Cydia, it injects code into applications on your system, and you have to trust that it won't do anything nefarious (example: the "unfl0d" malware packaged with some pirated applications used MobileSubstrate to hook SSLWrite and sniff out Apple ID passwords). There are plenty of things to be incredibly wary of when you have a jailbroken device, but HackingTeam is not one of them. There are no additional tricks or exploits they use on jailbroken devices to spy on targets; it is just run-of-the-mill code that any nefarious party could throw together.

There have been theories regarding "silent" jailbreaking of devices via a compromised host computer, followed by injection of the implant. The first thought that comes to mind: if a target's host computer is compromised, much of the time there will be more valuable information on that host computer than on their phone. But even if we pretend that isn't an issue, there simply does not seem to be evidence of a HackingTeam re-implementation of jailbreak exploits tailored to silently infect a device. As stated above, their current solution appears to rely on the client/adversary jailbreaking the device with existing public tools before the implant can be loaded. If HackingTeam had a silent solution, they must have hidden it well, as even the leaked emails seem to indicate that when someone inquired about remote/silent injection of the implant, the HackingTeam representative reiterated that they currently need to jailbreak the device themselves in order to place the implant on it.

Easy-to-understand summary

– The “non-jailbroken” HackingTeam spyware does not seem to be complete, and likely has not actually been deployed.
– The “non-jailbroken” HackingTeam spyware is not difficult to detect if installed on a device, in its current state.
– The “non-jailbroken” HackingTeam spyware requires saying “yes” to a bunch of access permissions dialogs, which no user would do for a random app named “ “.
– Both the "jailbreak" and the "non-jailbreak" variants of the most up-to-date HackingTeam iOS spyware appear to require physical device access.
– There does not appear to be a “silent jailbreak” method within any of the latest HackingTeam iOS code.
– The bigger concern for jailbreak users is installing untrusted packages, which could do more nefarious things than the HackingTeam code seems to currently be capable of.

Security tips, for those still worried

– Never share your device passphrase (use Touch ID in public to avoid shoulder surfing).
– Never let your device out of sight while unlocked.
– If you jailbreak, use public key auth for SSH instead of password.
– If you jailbreak, stay away from AFC2.



Comments

  1. I would also say that if you're jailbroken you should stay away even from installing OpenSSH to remotely access your device. Am I right?
    If we don't have the ability to ssh to our device, there shouldn't be any problem, should there?

    And obviously if we connect to public WiFi networks we must use a VPN service to securely navigate.

    I have a jailbroken iPhone 5 with iOS 8.4 and it’s working wonderfully even on the battery side (after already 700+ battery cycles), but I must say that I’ve installed iOS 8.4 and all the other things from scratch, without restoring any backups. It’s a little time-consuming but it’s worth it! ;-)

    • Mike Beasley - 8 years ago

      Just change the openssh password after you install it.

    • Will Strafach (@chronic) - 8 years ago

      Some people need OpenSSH, such as developers or advanced users. It is really best to use pub key authentication though. As things stand, as far as I know, there is no way to have a strong SSH password for iOS due to a bug.

      • Adam D (kirb) - 8 years ago

        Disabling password auth completely in sshd_config would be ideal.

  2. Jailbreaking is in general not a wise thing to do.

    • Mike Beasley - 8 years ago

      That’s not accurate at all. I miss my jailbreak while I’m on iOS 9, and can’t wait to get back on it.

      • The only time I had to jailbreak my iPhone was the iPhone 3G back in the day, when it was carrier locked and I had a different carrier. Nowadays iPhones are not carrier locked, which means there's no reason to jailbreak for me.

      • 89p13 - 8 years ago

        My feeling is that if you Jailbreak – and then get hacked, don’t turn around and scream iOS insecurity. I see it as the woman who sued McDonalds when they served her hot coffee in a cup and she put it between her thighs and drove away – and then she suffered burns when her coffee spilled. Think your choices through and when they don’t turn out like you expected, accept the responsibility for making that decision.

        Personally – I like Apple / iOS because it just works; It works well; it does what they say it will and that’s why I pay the premium for the Apple Hardware / Software.

        YMMV

      • mikhailt - 8 years ago

        He did say "in general". That means it is actually accurate to say jailbreaking should not be attempted casually if you don't know what you're doing. Just because you miss it does not make it any more wise.

        Even this article said this isn’t a general good idea.

        Fact: Is what Apple is doing in terms of sandboxing and locking down the system protecting users in general? Yes, it's not perfect, but it is the next best thing they can do.
        Fact: Is jailbreaking removing the protections Apple has for you? Yes, that's a fact, nothing you can say will change this.

        Therefore, it is not wise to jailbreak the device in general. If you know exactly what you’re doing and you’re doing more than needed to protect yourself on a jailbroken device, then go ahead. But do not say jailbreaking is a wise thing to do.

      • srgmac - 8 years ago

        @89p13, gotta love the McDonalds coffee example, which is totally inaccurate, by the way. Please watch the movie "Hot Coffee" and find out what actually happened before you cite that as an example. The woman suffered THIRD-DEGREE BURNS and was hospitalized for 8 days, and had to be rehabbed for an additional two years afterwards. There is no reason for coffee to be so hot it causes third degree burns…

    • Will Strafach (@chronic) - 8 years ago

      Jailbreaking surely has benefits. You just need to be aware of the potential risks, know exactly what is safe to install, along with what it does. I am not aware of any checks that are currently in place by repositories to detect and deny any package submissions which contain binaries engaging in malicious activities (This is something we are exploring the possibility of being able to help solve with our cloud-based iOS application analysis platform).

  3. Here are the kinds of people who would have physical access to a device and plenty of time to try and get past passwords/locks and install their own software:

    1. Corporate IT department wanting to spy on its employees/contractors
    2. Government IT department issuing phones to its work force and contractors
    3. Any law enforcement agency detaining an individual and relieving them of their possessions
    4. Residence mates

    • chrisl84 - 8 years ago

      Hospital staff, Gym staff, cell phone seller/repair company….plenty of ways to get your hands on devices if you pick the right career.

    • mikhailt - 8 years ago

      Family members, friends, classmates, and so on.

    • Will Strafach (@chronic) - 8 years ago

      1. Corporate IT departments can already monitor what they need to, using currently available MDM solutions. If the device is a personal device and does not contain work files or connect to work networks, then they likely have no interest in it.
      2. See above.
      3. If you are detained by LE and they take your mobile phone and force you to give up your passphrase, you should assume that all of your data is compromised at that point. When you get your phone back, you should be doing a full system restore the moment you get home.
      4. Flatmates would need the passphrase. Never enter it in front of others, use Touch ID if possible.

  4. 89p13 - 8 years ago

    I’m really glad to see Will broadening his involvement with iPhones and iOS! Way back when I was buying subsidized phones, Will’s site was the first stop to get the unlocking done. It always reminded me of Apple – His site just worked, no bs, no problems, no dancing – When Chronic Unlock said it was unlocked – it was!

    I’m hoping that his track record is going to continue in this new venture and we can continue to exploit our phones while not being exploited by the hackers!

  5. mikhailt - 8 years ago

    Will, thanks for the article, great read and I’d like to see more from you.

Author

Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, & contributes to 9to5Google, 9to5Toys, & Electrek.co. He also co-authors 9to5Mac’s Logic Pros series.