Jailbreak versus Compromise…
We see a lot of confusion in the market about precisely what it means to jailbreak a device–and that confusion could lead to serious problems, especially regarding a hacker performing a jailbreak to attack a device.
The security industry is notoriously full of acronyms, buzzwords and generally opaque jargon. Here at Zimperium, we try to keep technospeak to a minimum, although we don’t always succeed.
Typically, the downside of throwing around technical terms is that doing so makes it hard for others to understand what you are saying. That’s bad enough, but sometimes confusion about technical terms can have more serious consequences (like believing a security solution is making your devices safe, when they really aren’t).
The example we focus on here is the term “jailbreak”. Often, people call a jailbreak what happens when a hacker exploits a vulnerability in the device in order to compromise that device, but this is a dangerous misuse of the word. That misuse of the term happens because people do not know precisely what jailbreak means and that there are ways to hack a device that are not a jailbreak.
Definition of jailbreak
So we’ll do two things here. We will start with a definition for jailbreak. Then we will describe how jailbreaking a device differs from a compromise or a hack, and why that matters.
Here is a precise definition of jailbreak: “To jailbreak is to remove restrictions that Apple places on devices that run iOS. You perform a jailbreak by using a custom kernel to gain root access to the device so that you can circumvent Apple’s restrictions.”
You will notice right away that jailbreaking applies only to devices running iOS–not to devices running Android. You can root an Android device, and of course you can compromise and exploit both Android and iOS devices, but (by definition) you can’t jailbreak an Android device.
Now that we have our definition, let’s look at why users (you will see why I am italicizing this term in a minute) jailbreak devices to begin with. Jailbreaking accomplishes several things, such as allowing you to unlock the wireless network, modify system files on the device, and use Bluetooth transfer between the device and any other device that has Bluetooth.
Jailbreaking for third party apps
Most often, though, people jailbreak their devices so that they can add apps to the device from sources other than the Apple store. Any user can jailbreak their device in under five minutes simply by selecting the right settings, clicking yes several times and performing a couple of reboots.
As you may have inferred, Apple builds restrictions into iOS to prevent users from loading third-party apps. The key restriction is the requirement around code signing, which is that an app can only run on a device running iOS if a trusted party signed the app. Apple is the default trusted party.
Apple imposes this restriction for many reasons, including:
- They may be impostor versions of legitimate apps
- They may be otherwise-legitimate apps that have been hacked
- They may contain undocumented code that could put your device at increased risk of being hacked
Jailbreaking is user initiated, not a malicious attack
The important point here is that jailbreaking is typically a user initiated process. It is not a hacker based threat, although it does pose a risk to enterprises. Hackers have little incentive to jailbreak devices. Pick any iOS hack you may have heard of–Pegasus, Stagefright, Trident–and none are jailbreaks. They are individual programs that were developed to leverage exploits (in some cases more than one) to enable elevated privileges–what we call that a compromised device. This attack may leave no binary trace on the device.
Take Pegasus, for example. In Pegasus, the attack leveraged exploit code delivered through the browser that broke out of the sandbox and ultimately allowed persistence on the device. It did nothing that would allow the user to download third-party apps to their device. So it was not a jailbreak.
Pegasus was, however, a compromise. To compromise a device is to enable a program that was not originally part of the operating system to run at the same level of access and privilege as the operating system itself.
Protecting against jailbreaking isn’t enough
A jailbreak is something a user does (not a hacker) that takes several minutes and a reboot or two to make happen, and typically installs several new binaries on a device. To weaponize your device, the attacker has to detonate an exploit that can give him privileges that even you don’t have on your own device. This is not done with a jailbreak. Compromising or exploiting is something hackers do so that they have access through the device to perform their intended malicious activity.
In practical terms, this means that as you assess potential mobile security platforms, a solution that only detects jailbreaking does not stop you from having devices compromised by zero day exploits. A jailbroken device is inherently more risky to the enterprise, because it often leads to untrusted apps being installed, But, from a mobile security standpoint, you actually need to go beyond simple jailbreak detection to proactive protection against compromises and hacks.
Compromises are not jailbreaks, and they are also far more than simple malicious apps. Many hacks are not delivered as a standalone app. Media files in SMS or your web browser, side-loaded apps, or many other means are available to get malicious content on a device instead of an app download. So security solutions must not just identify malicious apps, but also the detonation of the exploit from the malware.
If this discussion has gotten you thinking about mobile security, we should mention that zIPS does indeed detect and protect against device compromise, without explicit signatures. Please feel free to contact us for more details. We’re happy to help!