Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 225,000 Apple Accounts Compromised Via iOS Malware

Posted by Soulskill on from the seems-like-small-potatoes-these-days dept.

An anonymous reader writes: Researchers from Palo Alto Networks and WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised. The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China — but users in other countries have also been affected (European countries, the U.S., Australia, South Korea, and so on). "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Palo Alto researcher Claud Xiao explained. "KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."

14 of 217 comments (clear)

  1. Jail broken devices? by Anonymous Coward · · Score: 5, Insightful

    Only jail broken devices were affected. Anyone who jail breaks is aware of the risk they are taking.

    1. Re:Jail broken devices? by geogob · · Score: 4, Insightful

      Anyone who jail breaks is aware of the risk they are taking.

      I think they just heard me laugh all the way to China. Seriously, most people can't even grasp the concept of risk when think of software and operating systems. How in the world do you expect them to understand those risk?

      No. Contrary to some believes, most (as in almost) all jailbrokers have no clue what they do and have no idea of what are the risks involved and how important (or not) they are.

  2. Headline leaves out one very important detail by berj · · Score: 5, Informative

    Headline leaves out the fact that this isn't just any old iOS malware. It affects only *jailbroken* devices.

    That's a pretty important distinction.

    1. Re:Headline leaves out one very important detail by dimeglio · · Score: 5, Insightful

      Pretty much. That's the point of living in a walled garden. You break the wall, who knows what's going to step inside.

      --
      Views expressed do not necessarily reflect those of the author.
    2. Re:Headline leaves out one very important detail by berj · · Score: 4, Insightful

      Your ridiculous post borders on a tautology.

      It's true... if you bypass security measures then you're no longer secure.

      That's hard for you to understand?

      You expect the lock maker to be liable if you leave your door open?

    3. Re:Headline leaves out one very important detail by gstoddart · · Score: 4, Informative

      Oh, really?

      The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese â" the malware is distributed through third-party Cydia repositories in China

      The headline might leave it out, but the summary sure makes it plain.

      --
      Lost at C:>. Found at C.
    4. Re:Headline leaves out one very important detail by Anonymous Coward · · Score: 5, Insightful

      So, if I run OpenBSD, but replace OpenSSH with Bob'sSSH, and there is a security problem with Bob'sSSH, it's OpenBSD's fault?

    5. Re:Headline leaves out one very important detail by Applehu+Akbar · · Score: 5, Funny

      The technical term for jailbroken, insecure versions of iOS is "Android."

    6. Re:Headline leaves out one very important detail by swillden · · Score: 5, Interesting

      I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

      It's worth pointing out that if you root your Android device you're doing the same thing, breaking through a wall. That's fine if it's what you want to do, but you are giving something up in terms of security.

      As a member of the Android security team, I'm involved in lots of discussions about lots of different threat models and attack vectors, and while we do think about trying to maintain security on rooted devices, I'd say that 90% of the time we end up deciding that we just can't, so "device is running an official image[*] and is not rooted" becomes a foundational assumption of the analysis.

      This isn't because rooting is inherently bad, or because we're trying to control user's devices, but because it's impossible to reason about security in a vacuum. You have to know what you can depend on. For example, we might argue that apps can't break out of their sandbox in a particular way because the information they need to do it is managed by a particular system daemon which validates access in a particular way... but in a rooted device that daemon may be modified, or simply bypassed. We just can't know that stuff is still working the way it's intended to. Some members of the modding community do an outstanding job of adding flexibility without breaking the security model, but many others don't.

      Ideally, devices should provide enough native flexibility to allow users to achieve what they want while staying entirely within the normal mode of operation. In the case of Android that means staying within Google's "walled garden": install apps only from the play store, keep Verify Apps enabled (and follow its recommendations), don't root, definitely don't disable SELinux, etc. Where that ideal fails, and users want to do stuff that can't be done in the garden, they should have the option of stepping out of it, and they should be able to do so in a progressive way, not all-or-none... but each step they take increases the probability that they'll change something that violates a security assumption and thereby increases their risk of compromise.

      I suspect that Apple security engineers even more strongly assume that devices are not jailbroken. That's just a guess, but it's consistent with the general philosophy of iOS and, if correct, it means that jailbreakers have even less expectation of security. iOS users also live in a software monoculture, which exacerbates the risk. (Android users get security benefits from ecosystem diversity, though there are obvious costs to that diversity as well. Including the update problem.)

      [*] Note that given the state of updates in the Android ecosystem, we often don't assume that the device is running an up to date system image. From our perspective that's often easier to work with than a rooted device because at least we know how it behaves and can look at trying to mitigate risks at other layers. We're also working on the update situation, but that's hard given the nature of the ecosystem.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Re:Rotten apple ?!? by Anonymous Coward · · Score: 5, Insightful

    Affect only jail-broken devices. How is the even relevant news?

  4. Re:Rotten apple ?!? by Anonymous Coward · · Score: 5, Insightful

    I'd argue that it's relevant news but I would also say that people who are employing hacks on their devices should realize that the original vendor can't be held accountable for shoddy modifications from a bunch of script kiddies.

  5. Never understand jailbreaking an Apple iOS device by Aqualung812 · · Score: 4, Insightful

    I'm an Apple iOS user, and a former Palm/Windows CE/Blackberry/Windows Phone/Android user.

    I simply don't understand jailbreaking an iPhone. The whole point of me having an iPhone is to take advantage of the walled garden.

    If I want something with better hardware on a lower price that I can customize any way I want, I'd have an Android again.

    Since having a reliable and secure phone is more important to me than features, I have have decided to get an iPhone and not jailbreak it.

    Can those that do jailbreak explain why they don't go to Android?

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  6. Re:Never understand jailbreaking an Apple iOS devi by joh · · Score: 4, Informative

    Of course jailbreaking iOS puts it into some insecure state. Quite literally. Jailbreaking circumvents code signing for all code that runs on the device which means that every bit of code that makes its way onto the phone will happily run now. Also using the repositories means that you will install undocumented binary code from unknown people. Since you don't have the sources there is no way to check what this code does and since whoever wrote that code faces no risk when his code is discovered to be malware there's very little you can do after the fact.

    This is less secure than a device that is not jailbroken.

    I mean, do what you want to do by all means, but at least try to know what you're doing so you can correctly balance the risks and advantages you get by what you're doing.

  7. Re:Rotten apple ?!? by Noah+Haders · · Score: 5, Informative

    You buy an iPhone, you get your just desserts.

    I would say you jailbreak your iphone using software from unidentified hackers, then install software from unknown parties that can access root processes, you get your just deserts.