LiberiOS & Electra: iOS 11 jailbreaks… easily detected by Zimperium z9
The mobile security arms race continues, OS update after OS update. With every update, it is a race against time before someone releases a new exploit that can allow users to jailbreak devices… or worse, remote attackers to compromise devices.
While jailbreaking a mobile device can be fine (or even fun) for individuals, it increases risk for the enterprise to which the device connects. As the most trusted provider of enterprise mobile security, Zimperium must detect these exploits for IT and security teams.
What follow is a brief description of each jailbreak, and then videos showing how zIPS detects them.
LiberiOS is a semi-untethered jailbreak tool, initially released back in December 2017. (A semi-untethered jailbreak is similar to an untethered jailbreak. It gives the ability to reboot your iOS device on its own. On each boot, the iOS device reboots into its original, non-jailbroken state. However, instead of needing to use a tool from a computer to re-jailbreak the iOS device again, like a tethered or semi-tethered cases, the user can re-jailbreak their device with the help of an app running on the iOS device.)
LiberiOS utilizes the async_wake tfp0 exploit publicized by security researcher Ian Beer from Google’s Project Zero last year. LiberiOS is considered by many to be the first official jailbreak for iOS 11 – iOS 11.1.2 and iPhone X, iPhone 8 and iPhone 8 Plus. This jailbreak provides only shell access to the jailbroken device with a preinstalled set of command line tools.
Electra is another semi-untethered jailbreak that also makes use of the async_wake exploit. Electra was released by CoolStar (Of interest to some, Electra is provided as open source on Github by CoolStar). This jailbreak goes further and also supports Substrate tweaks – libraries injected into processes to change their behavior – and it is being worked on support for the alternative appstore ‘Cydia’.
How Zimperium Helps Combat LiberiOS and Electra
As the following two videos show, Zimperium zIPS, powered by z9, detects both jailbreaks, and can prevent them from executing via customer-defined policy enforcement.
Zimperium’s on-device, machine learning-based detection has many advantages. Two of those advantages shine brightly for enterprises wanting to avoid the risks that come with jailbreaks like LieberiOS and Electra:
- Full “Kill Chain” Detection: Zimperium’s z9 engine detects both attacks at multiple steps, without any updating or signatures (which is huge for variations or new, similar attacks).
- OS Independence: z9 detection is based on system, not OS, data. So detection works on iOS 11… and 8… and will on 12, 13, etc. (It has come to our attention that a consumer-focused MTD competitor has been stating that our detection does not work on iOS 11. This is just one example that proves the statement inaccurate (at best).)