Re: Implications of Jail breaking ipod/iphones

[Guy Pace <gpace () SBCTC EDU>]

Some time back, we had a jailbroken iPhone play havoc with a campus wireless network. It evidently had an alternative 
OS installed that was compromised or something and caused enough disruption that it affected administrative activities 
on portions of the network.

My main issues with jailbroken iPhones, or any device that has been hacked beyond the manufacturer's firmware and OS is 
that it tends to introduce unstable and unpredictable behavior to the network. The devices are no longer able to get 
security and system updates from the vendor, and untested or suspect applications may be installed and run on them.

It isn't that skilled and knowledgeable geeks can't jailbreak a device and make it stable or secure. It is that the 
average user, following a set of cobbled together instructions or using downloaded tools from questionable sources, 
will likely create a jailbroken device that has a lot of unknown, potentially dangerous issues.

This could then be introduced to your network.

While there are critics of Apple's approach to locking up the iPhone and how it functions, I have to grudgingly give 
them credit for keeping the non-jailbroken device reasonably secure and stable to date.

The iPhone, as opposed to some of the other smartphone devices, is more of a platform and should be treated as such in 
the enterprise. Just as a desktop, laptop or other platform device can be made to work with various operating systems 
and leveraged to be used in good and bad ways, so can the iPhone. It isn't against the law to jailbreak them. As 
mentioned in another post, CSI has a benchmark document for the iPhone and other devices will follow.

Look to your policy and standards. If you require desktop systems to have regular patches and updates, that should be 
required for the iPhone or similar device as well. If encryption or passwords are required, that should apply to the 
iPhone (there are tools available).


Guy L. Pace, CISSP 
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 
gpace () sbctc edu 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell 
Fulton
Sent: Tuesday, July 21, 2009 5:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Implications of Jail breaking ipod/iphones

I have had several people ask me about this and I have tried  googling  
around the area but most the stuff I have found consists of lists of  
dos and don'ts with little or no background info.

The basic question is what are the security implications of jail  
breaking your iphone?

Clearly this allows one to install applications that have not been  
blessed by Apple (with the risks that that entails).  Are their less  
obvious risks such as making it easier for browser bugs to be  
exploited to do damage?

Like most things in security I suspect that there are cases where  
phones should not be tampered with and others where the risk is  
acceptable.

I would also appreciate any good references to the iPhone security  
model.

Russell