Headlines have been circulating all week about a nefarious hack that has compromised nearly a quarter of a million iPhones. Security researchers discovered an exploit dubbed KeyRaider which has supposedly hacked more than 225,000 iPhone accounts. The news is salacious for iOS—which has a reputation for being innately secure—but it’s also very misleading. The reality is that the vast majority of iOS users have nothing to fear from KeyRaider. Almost all, really.
The crucial element that makes KeyRaider a threat only to a small minority of iPhone users is that the exploit only works on jailbroken iOS devices. In other words, KeyRaider didn’t really hack the victims’ iPhones—the victims hacked their own iPhones first and opened the door to allow a threat like KeyRaider to compromise their accounts.
“This may be a hack against the iPhone, but it really is not a hit on Apple’s reputation since it only affects jailbroken iPhones,” agrees Stephen Coty, chief security evangelist for Alert Logic. “This means if you have unlocked from the Apple only network, and can then buy downloads from other sources other than Apple’s official app store, and use previously locked functions of the phone such as command line interfaces and Wi-Fi scanning capabilities. If you have jailbroken your iPhone, you are turning the phone into a potential portable hacking device that fits in your hand.”
Coty added, “What seems to be cool about the KeyRaider malware is that it not only scrapes your account data, but it also can lock your phone very similarly to ransomware that has been plaguing many individuals across the world.”
Proceed at your own risk
For those who made a conscious decision to violate the EULA, void the warranty, and forgo the inherent protection Apple provides for iOS by jailbreaking their iPhones or iPads, the headlines announcing that they’re at risk should come as no surprise.
“When people jailbreak their iPhones, they usually know they are trading some security for flexibility,” explained David Gibson, VP of strategy & market development at Varonis. “That’s kind of the point – you get root access to the iPhone and the flexibility to install software that hasn’t been approved by Apple, but you also run a greater risk of getting malware on your phone. Balancing security with flexibility and productivity is a tricky thing, and today’s news shows how difficult it is for consumers to maintain that balance on their own.”
Stop the FUD
FUD—fear, uncertainty, and doubt—makes for sensational news and drives people to be concerned about things they don’t need to be concerned about or buy products to protect against threats that aren’t real. Breathless headlines about hundreds of thousands of Apple iPhones or iOS accounts being hacked incite anxiety for millions of iOS users who actually have nothing to fear because they haven’t jailbroken their devices.
Alert Logic’s Coty wrapped up with a reminder: “As I said, it only works on a jailbroken iPhone device. If you only receive your software updates and apps from the official app store, then you have nothing to worry about.”
I have my own take on that advice. My recommendation is that if you think you want an iPhone but plan to jailbreak iOS so you can have more control over the hardware and OS, do yourself a favor and just buy a Samsung Galaxy S6. That is the “iPhone for Android fans who don’t like Apple’s ‘walled garden’ and want more power to customize their mobile device experience.”