An Italian firm with the appropriate name Hacking Team suffered a massive breach in its company data Sunday, and 400GB of internal documents so far have been released and are being analyzed by reporters and security researchers. Hacking Team’s customers are government agencies, including both law enforcement and national security, and the ostensibly legal software it sells to help them intercept communications includes not-yet-exploited vulnerabilities, known as zero-days.
Much has been speculated before and after Edward Snowden’s release of a trove of National Security Agency (NSA) documents in 2013 about the capabilities of the United States’ agencies as well as those of allies and enemies. The Hacking Team dump reveals quite a bit more about the routine functions of third-party suppliers into that ecosystem, including specifically enumerated capabilities.
iOS users should therefore take note that the long-running concern that jailbroken iPhones and iPads were susceptible to vulnerabilities that could include access by so-called state actors appears to be confirmed by the data breach.
Two security outfits—the commercial Kaspersky Lab in Russia and academic Citizen Lab in Canada—first revealed in June 2014 that they had discovered and decoded Hacking Team’s smartphone-cracking software. The reports at that time indicated that only jailbroken iOS devices could be hijacked, but that malware could be installed on an iOS device when connected to a computer that was confirmed as trusted, and which had been compromised.
That external analysis has now been complemented by the Hacking Team’s internal documents. One pricelist shows a €50,000 ($56,000) price tag on an iOS snooping module with the note, “Prerequisite: the iOS device must be jailbroken.”
While jailbreaking an iOS device to install software has been a continuously sought-after option, and one that’s constantly revised by different parties as Apple fixes the exploits that allow it, there’s always been a concomitant knowledge that jailbreaking renders an iPhone or iPad vulnerable. Apple is certainly protecting its ecosystem, but researchers agree it’s also protecting system integrity.
Nick DePetrillo, a principal security researcher at Trail of Bits, says, “Jailbreaking your iPhone is running untrusted third-party exploit code on your phone that disables security features of your iPhone in order to give you the ability to customize your phone and add applications that Apple doesn’t approve.”
DePetrillo takes no position on Hacking Team or sideloading apps, but notes that from a security perspective, the latest jailbreaking software is designed to obfuscate how it works, comes from teams based outside the United States, and disables several security features.
Although installing the malware on a jailbroken iOS device would seemingly require physical access, the related exploit of jailbreaking via malware installed on a trusted computer would allow bypassing that limitation.
Researchers have also found so far that Hacking Team has a legitimate Apple enterprise signing certificate, which is used to create software that can be installed by employees of a company who also accept or have installed a profile that allows use of apps signed by the certificate. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software.
In a stunning bit of irony, Hacking Team had many of its online accounts at social media and other sites hijacked because of poor password choices, and storing passwords in forms that could be easily readable by whatever party performed the data breach.
What can you do to protect yourself against Hacking Team and similar software? Most people are not in danger of having this software used against them, because Hacking Team’s approach focuses on individual devices rather than mass interception. (Other companies and agencies work on that.) Apple’s iOS security is apparently good enough that only a jailbroken phone or a compromised Mac to which an iOS device is connected are vectors to exploit.
Should you never plug an iPhone or iPad into a Mac and click Trust when prompted? It’s hard to say “never,” unless you’re at risk of reprisal for your political activities in your country. Governments are known to use these sorts of techniques to pinpoint individuals of interest, because widespread use could disclose them, and allow operating system and other software makers to protect against them.
You can imagine that anything disclosed in this breach will be turned into fodder for Apple, Google, and others to fix wherever that’s possible.