“My buddy Aamir Lakhani is developing a iOS security class and recently posted about hacking iOS devices. This is a very popular subject and want to share this. Also shout out to Tom Bedwell for his assistance with the research. You can find the original posting at www.cloudcentrics.com”
iOS devices can be booted with their own kernel and micro operating systems instead of approved Apple firmware. When iOS devices are loaded with a micro kernel, you can run attacks such as bypassing the passcode, decrypting passwords, copying file systems, viewing emails and much more. The following guide describes how to create a RAM DISK, however it may not function precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.
Note: If you run in to trouble when creating a RAM DISK due to unique OS configurations and code versions, don’t despair.
Everybody hates losing things. It drives you mad looking in the same places thinking a magic gnome will put your item back. Usually that doesn’t happen. Especially when it’s a highly desired product such as a mobile device. Mobile devices are becoming a leading target for theft since they can carry as much sensitive data as a standard laptop. Hackers can steal your photos, instant messages and web history. Some mobile app leverage cookies that never expire meaning hackers could essentially access sensitive websites such as your bank account through replaying old sessions.
How are these types of hacks executed? For iOS products, a hacker could take your device, spend 10 minutes jailbreaking it so they can install a remote Trojan / Administration app before returning it. This would permit the hacker unlimited continuous access into your life. Another option is dumping the records on their computer to go through later and selling the hardware on ebay. Either way, you have been PWN3D and possible put your employer as well as family at risk of future attacks.
These are just some of the methods used if your device is stolen. See this post regarding an attack calling your phone and remotely hacking your voicemail HERE
There are things you can do to defend against mobile device theft outside not misplacing your phone. Most manufactures offer password protection as well as limiting information exposed pre-login (IE not displaying text messages or other alerts until the phone is unlocked). Enable password features and stay away from easy passwords such as a row of numbers (1234) or the same number (4444). Some devices offer more complex password options than PINs which is great if available. Shorten the sleep/auto lock timer so the window your device is unlocked is limited in the event its stolen. When you are not using your device, press the lock button. Many mobile device screens absorb fingerprints after use, which make it easy for hackers to guess your password. Consider a protection screen that includes fingerprint resistants. Some devices offer location and remote wiping services that can be used to locate and secure lost or stolen devices. Also make sure to notify your employer if a device containing cooperate email or other sensitive services is stolen.
Employers should take securing mobile devices accessing cooperate data very seriously. Some approaches to improve mobile device security are utilizing endpoint management products such as Mobile Iron or Zenprise to enable features described above as well as check for Jailbroken devices (More info on this subject can be found HERE). Employees may not be willing to apply security applications on their mobile devices, which IT could focus on protecting the network as well as data that rests on mobile devices as an alternative to MDM (mobile device management). Some examples are using access control technology to check if mobile device meets company standards before permitting access. Other options are leveraging Data Loss Prevention (DLP) technology, which stops sensitive data from moving to a mobile device or encrypting that data with additional authentication to access. Sandbox solutions are an alternative by locking down the data in a secure session that expires after use (example is Good Technology). Another important function to consider is enforcing VPN tunnels whenever a mobile device accesses data outside of the internal network. This protects against common man in the middle attacks targeted at mobile devices using open wireless networks.
The good news for employers is there are many options for securing mobile devices and the data they use. The investment in mobile security should at a minimal match securing other devices with sensitive data such as laptops and servers. Don’t let mobile devices be the weakest link into your network!