Newly discovered malware is believed to have stolen the login credentials of more than 225,000 iPhone users. The compromise of such a large number of accounts makes KeyRaider, as the new stream of malware is being christened, one of the most damaging pieces of malware ever discovered in the Apple universe.
At the same time, however, KeyRaider, first publicized by security pros at Palo Alto Software in cooperation with peers from the WeiPhone tech team, only impacts people who have "jailbroken" their phones (that is, used special software to remove various restrictions that Apple normally puts in place) and downloaded software from the Cydia app repository. IPhones that have not been jailbroken are not vulnerable to this particular malware. Most iPhone users can, therefore, breathe easily.
Besides login credentials, KeyRaider is believed to have allowed criminals to steal thousands of certificates, private keys, and receipts from online purchases. The criminals behind the attack leveraged the stolen information to make, and allow others to make, unauthorized purchases from Apple. Criminals may also be able to lock people's phones and demand a ransom to unlock them.
This incident highlights the risk of jailbreaking devices: If you undermine the security that was designed and built into devices by teams with significant information-security knowledge, you take on responsibility to secure your device from all sorts of risks--many of which you likely do not have significant knowledge. KeyRaider also undermines the oft-repeated, but certainly false, claim that Apple devices cannot be infected with malware.
As Alex Berger, senior product marketing manager at STEALTHbits Technologies, noted: "Users who decide to jailbreak their phones are essentially undermining their phone's OS security by giving themselves root access to the file system so that they can install any applications they'd like on the device. Jailbreaking is analogous to destroying the locks on all the doors in the office because you're tired of not having access to the backdoor ("But it's closer to my car!") whenever you want. Locks exist for a number of reasons, and generally the biggest one is security. In this case, sacrificing security for convenience was exploited by people with malicious intentions, and iPhone users made it infinitely easier by crippling the locks."
Jonathan Sander, VP of product strategy at Lieberman Software, pointed out, "Once again we see that jailbreaking just means your iPhone is broken when it comes to security. Sophisticated users may chafe at Apple's closed system surrounding the iPhone and App Store, but it's hard to argue with the security outcomes. Jailbreaking essentially puts the higher-level rights reserved for Apple on the iPhone in the hands of the user and quickly into the hands of the bad guys. When the bad guys can act like Apple on your iPhone, then they can do anything they want to you."
The success of KeyRaider is also likely to motivate criminals to create other forms of similar malware in the future.
As Tim Erlin, director of IT security and risk strategy at Tripwire, noted, "Users may be acutely aware of the limitations that are imposed on the iPhone by Apple, but they might not think through the protections that the Apple ecosystem puts in place to prevent this kind of attack. Jailbreaking your iPhone delivers increased flexibility, but it comes at a cost. The world outside of Apple's universe isn't always so safe. There's little doubt that this malware will pay dividends for whoever wielded it. Its success is likely to spawn more of these types of malware."
Please feel free to discuss this article with me. I’m on Twitter at @JosephSteinberg.