Lacoon released details around the security implications of Pangu, a new attack that uses an Apple enterprise certificate to jailbreak and potentially gain control of iOS devices. Use of enterprise certificates is an emerging attack vector that Lacoon has been exploring for some time, but this is the first time that this practice has actually been used as of a jailbreak.
The jailbreaking tool, named Pangu, for Apple-based mobile devices running iOS 7.1-7.1.x was released yesterday on June 24, 2014. Pangu should concern us – the security community, enterprises, and consumers alike. Pangu represents a major technology leap, ultimately lowering the barrier for attackers to create sophisticated mobile-targeted attacks.
What is jailbreaking? A jailbroken mobile device removes all the iOS built-in security mechanisms, ultimately allowing a user or an attacker to install further apps not under the control and scrutiny of Apple. This means that apps can be installed from any app marketplace – not just from Apple’s proprietary app store. Furthermore, in a jailbroken device, the installed apps are not restricted any longer in their capabilities. As a result, there’s no enforcement over what these apps can do – they can snoop on contact lists, retrieve sensitive emails and docs and even turn on the microphone and camera without the device’s owner knowledge or consent.
Can a user detect that a device is jailbroken? Not necessarily. Typically, a user may visually notice on the jailbroken device a “Cydia” app which leads to the Cydia marketplace – a non-official iOS app marketplace. However, the process of jailbreaking a device does not require the installation of the Cydia app. Enterprises too suffer from a visibility issue, not knowing which of their employees devices are jailbroken. Even BYOD solutions such as Mobile Device Management (MDMs) and secure containers are not always effective as there are frameworks that bypass their jailbreak detection mechanisms. Encryption-enabling apps, or encrypted docs, are also challenged by a jailbroken device as the underlying security mechanism is no longer significant.
Which devices can be jailbroken with the Pangu tool? Any device running iOS 7.1-7.1.x on an:
● iPhone 5S and 5C
● iPad (all versions), iPad Air, iPad mini
● iPhone 4S and 4
How can an attack using Pangu work? Attackers can leverage the tool easily, quickly and efficiently as part of a targeted attack: 1. The attacker connects the device through a USB cable to the attacker’s computer. 2. With just a single mouse click, the attacker runs the app through the PC. Behind the scenes, various vulnerabilities in the iOS operating system are exploited to provide the app with the escalated privileges. The escalated privileges are those required to bypass the iOS security mechanisms. 3. After a few minutes, the attacker receives notification on the targeted device that the device has been jailbroken. 4. With a jailbroken device, the attacker proceeds to install surveillance software which can send out text messages, retrieve sensitive emails, data from banking applications and perform surround recording without the device’s owner knowledge. Screenshot of Pangu jailbreaking tool. The checkbox provides the option of installing a Chinese third-party mobile app marketplace
Can an attacker run Pangu remotely (i.e. not through physically connecting a USB cable to the PC)? Currently, Pangu certainly requires that physical connection between the device and the computer. However, the fact that Pangu is bundled as an app is a first step in enabling attackers to develop a jailbroken tool that works remotely. In these remote scenarios, attackers can lure users to download an app within a phishing email or as a link to a site. A user falling for the scam will install that app without ever knowing that running the app has actually led to the jailbreaking of their device.
Why is Pangu such a leap in capabilities? This tool has the potential of being run remotely as an app. The consequence is that this would be the first time since iOS 4 that a jailbreaking tool runs remotely. Mobile apps have to go through Apple’s AppStore validation process where they receive a certification (a sort of stamped validation) that they can run on an Apple-issued device.
Yet, Pangu was still able to circumvent these measures. How? The way the Pangu developers bypassed Apple’s control was actually to leverage Apple’s restrictions for their own purposes by using an Enterprise Certificate. Enterprise certificates are certificates that Apple provides enterprises with to establish their own in-house marketplace for dedicated apps instead of going through the official marketplace. Since an app is signed with a certificate, it is considered as a stamped validation by Apple, thus can run on the device. The Pangu jailbreaking app uses the certificate associated with “iPhone Distribution: Hefei Bo Fang communication technology co., LTD”.
Looking forward, how will attacks against iOS devices evolve? Using an enterprise certificate to install apps not validated by Apple, or in order to surreptitiously install surveillance software on the device, is not new. In fact, it is a practical attack vector that we have extensively written about in the past. The thing is that this is the first time that this practice is being used as part of a jailbreaking process. As such, we predict that attacks that steal enterprise certificates will inevitably increase. Pangu serves as the beacon of widespread tools that can steal certificates – the “tough” part of an advanced attack. The next step of turning that attack to a remote one requires much less effort from an attacker’s standpoint and is simply a matter of time.
What can users do to minimize the device’s exposure to Pangu? – Ensure apps are installed only from the Apple’s official marketplace – Do not to open suspicious links and apps
Can Lacoon help mitigate the threat to enterprises posed by jailbroken devices accessing the network and work resources? Yes. With Lacoon, enterprises can: – Identify non-Apple validated apps that are installed using certificates , but are not approved by the enterprise – Detect jailbroken devices by analyzing app’s processes and flows For more information, please email: [email protected]
Where can I get more information on iOS-based targeted attacks? 1. We recommend you view our short YouTube video, “Top 5 Cyber Risks on iOS Devices” – https://www.youtube.com/watch?v=LGHeUIb2Kv4 2. For those that prefer the written word, we recommend you check out our Resources section on Lacoon’s site for a variety of research publications – http://www.lacoon.com/resources/