JailbreakMe Exploits Serious iPhone Security Flaw

[nsane.forums]

JailbreakMe makes the process of jailbreaking the Apple iPhone much simpler and less intimidating. Just visit a Web site on the iPhone, and voila! Jailbroken iPhone. Think about that for a minute, though. The simple act of visiting a Web site is able to fundamentally alter the core functionality of iOS.

Since the dawn of the iPhone, hackers have developed various tools and processes to enable users to circumvent the controls and restrictions put in place by Apple. In the wake of the United States Copyright Office ruling that jailbreaking the iPhone is technically legal--at least from a copyright and DMCA (Digital Millennium Copyright Act) perspective--having a tool that can accomplish it simply by visiting a Web site is awesome for less technically savvy iPhone owners. However, if JailbreakMe is capable of unlocking the iPhone operating system by taking advantage of a flaw in the way the iPhone renders Adobe PDF files, then other applications can also exploit that same flaw for less-benevolent goals. What JailbreakMe illustrates is that the iPhone has a serious security issue that Apple needs to address.

For companies that allow the iPhone to connect with network resources, or that have embraced the iPhone as the business smartphone of choice, both the JailbreakMe tool itself, as well as any other malicious attacks that might circumvent iOS controls using the same method represent a security concern.

IT admins can use a tool like MAD (Mobile Active Defense) for the iPhone to monitor and enforce security policy on iPhones. Winn Schwartau, chairman of M.A.D. Partners, LLC--developers of Mobile Active Defense--explains that, with jailbreaking, "iPhone users can now download apps from anywhere they choose, not just the iTunes store. This signifies a far greater risk to companies who are trying to leverage the unique capabilities of the Apple platform. But, Mobile Active Defense provides a strong, workable and automatic solution that solves the jailbreaking problem on corporate networks."

Companies have compliance mandates such as HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), and PCI-DSS (Payment Card Industry Data Security Standard) to follow, and the requirements dictate that IT admins must have control over the devices that connect to the network or process company data and communications. A jailbroken iPhone can interfere with the ability to do that.

Schwartau says that the MAD Mobile Enterprise Compliance and Security (MECS) server "can detect jailbreaking within one minute. That's pretty cool. Once this clear violation of security policy is discovered, the MECS managed firewall issues immediate remediation options to the administrator."

Detecting jailbreaking could mean intentional jailbreaking from a user trying to implement the JailbreakMe tool on an iPhone, or unintentional jailbreaking from a malicious attack exploiting similar means to take control of the iPhone. Either way--legal or not--IT admins need tools in place that help to monitor and enforce security policy on the iPhone and prevent users from jailbreaking the device.

View: Original Article