Editors note: Will Strafach (@chronic) runs a mobile security services firm helping enterprises protect their employees and confidential data from mobile threats. Fast and thorough analysis of the compiled binaries found within the HackingTeam dump was possible using their upcoming cloud-based iOS application analysis platform, using highly advanced pattern-matching and heuristic techniques to detect threats and privacy leaks within applications installed on enrolled mobile devices. He can be reached at firstname.lastname@example.org if any readers have further questions or concerns regarding HackingTeam or other iOS malware.
Written by: Will “Chronic” Strafach
There has been a lot of mixed information and speculation in the media recently in regards to the HackingTeam leak and what it all means for iOS users. Do the surveillance tools the group has reportedly provided to governments and law enforcement present a risk to the average iPhone and iPad user? That’s a question we’ve been getting a lot, so I will attempt to present all of the facts based on the recently leaked documents detailing the HackingTeam’s tools, as well as my opinion on the impact of certain aspects for iOS devices. Advanced users will already be aware of what I am about to state, but for everyone else, here’s what we’re dealing with:
The Fake Newsstand Item |
There has been a panic over the “fake Newsstand item” app that is within the HackingTeam file dump. The application has a blank icon, and hides itself within the Newsstand folder, to make it as “invisible” as possible. It is designed to grab the following data, and send it to the attacker’s server:
– Contacts (First Names, Last Names, and Phone Numbers)
– Calendar contents
– Photos (and their geolocation data)
– Precise GPS coordinates of the victim
– Keypresses (Utilizing a “custom keyboard”)
Many people are concerned about the fact that this spyware is capable of working on non-jailbroken devices, a realization likely stemming from the fact that a compiled IPA of this app within the dump was signed by an Enterprise Certificate, a type of Apple Developer certificate that does not have a device limit (Applications signed by an Enterprise Certificate can be loaded and run on any iOS device). One thing that many are not pointing out, however: This application does not seem like it is ready for deployment. As it is right now, the only way to get this onto an iOS device is by being able to physically access the device, and doing the following:
1. Get past the lock screen of the device
2. Plug device into a computer
3. Hit “Trust” on the device, when asked whether to allow the host to connect
4. For minimal footprint, use a custom tool such as “ios-deploy” to install the spyware onto the device
5. On device, it must be confirmed that “you” indeed trust the developer “HT, srl” for the app to be able to run
6. It must then also be confirmed that the application has permission to access Contacts, Calendars, Photos, and Location
But even if an adversary who already knew your passphrase was able to swipe your iOS device, load the spyware onto it, and get your device back in place without you noticing, the following indicators would be a red flag for the user:
– Strange new keyboard enabled in the Settings menu
– Faster battery drain due to background operations
This is a moot point in my opinion, as the code is haphazard and does not look finished. It is simply not in a state that would make much sense to allow their “clients” to utilize. Discretion seems to be important to HackingTeam, and the process of installing this spyware along with the persistent issues is anything but discrete.
Jailbreak Prerequisite |
For HackingTeam to support the latest revisions of iOS in their publicly released tools, the device being jailbroken is a prerequisite. This does not mean you are any more or less likely to be targeted by HackingTeam if you are using a jailbroken iOS device, as the use case according to the dump is as follows:
1. Their client must have physical access to the target device (again)
2. Their client must first use a tool such as “evasi0n” or “pangu” to jailbreak the device
3. The jailbreak-tailored spyware “implant” can be loaded onto the device when jailbroken, set up to launch upon every boot
When you jailbreak a device, you are already neutering security features in order to get full access to the device. When you download packages from Cydia, you are trusting those packages 100% to do only what they say they will do, as they will have a lot more power than a sandboxed application downloaded from the App Store. When you download a “tweak” from Cydia, it injects code into applications on your system, and you have to trust it won’t do anything nefarious (Example: The “unfl0d” malware packaged with some pirated applications was utilizing MobileSubstrate to override SSLWrite and sniff out Apple ID passwords). There are plenty of things to be incredibly wary of when you have a jailbroken device, but HackingTeam is not one of them. There are no additional tricks or exploits they use on jailbroken devices to spy on targets, it’s just run-of-the-mill code that any nefarious party could throw together.
There have been theories regarding “silent” jailbreaking of devices via a compromised host, proceeded by injection of the implant. The first thought that comes to mind: If a target’s host computer is compromised, much of the time, there will be more valuable information on that host computer than on their phone. But even if we pretend that isn’t an issue, there simply does not seem to be evidence of a HackingTeam re-implementation of jailbreak exploits, tailored in a way to silently infect a device. As stated above, it seems that their current solution relies on the client/adversary performing a jailbreak using existing public tools on the device, before being able to load on the implant. If HackingTeam had a silent solution, they must have hidden it well, as even the leaked emails seem to indicate that when someone inquired about remote/silent injection of the implant, the HackingTeam representative reiterated that they currently need to jailbreak the device themselves in order to place the implant on the device.
Easy to understand summary |
– The “non-jailbroken” HackingTeam spyware does not seem to be complete, and likely has not actually been deployed.
– The “non-jailbroken” HackingTeam spyware is not difficult to detect if installed on a device, in its current state.
– The “non-jailbroken” HackingTeam spyware requires saying “yes” to a bunch of access permissions dialogs, which no user would do for a random app named “ “.
– The “jailbreak” and the “non-jailbreak” variants of the most up to date HackingTeam iOS spyware appear to require physical device access.
– There does not appear to be a “silent jailbreak” method within any of the latest HackingTeam iOS code.
– The bigger concern for jailbreak users is installing untrusted packages, which could do more nefarious things than the HackingTeam code seems to currently be capable of.
Security tips, for those still worried |
– Never share your device passphrase (use Touch ID in public to avoid shoulder surfing).
– Never let your device out of sight while unlocked.
– If you jailbreak, use public key auth for SSH instead of password.
– If you jailbreak, stay away from AFC2.