This month, Citizen Lab uncovered some incredibly sophisticated malware that takes advantage of three previously unknown vulnerabilities, now known as Trident, in Apple iOS. The malware, which is worth as much as one million dollars, essentially jailbreaks the affected iPhone and allows the culprits to steal all of the user’s information. It intercepts every call and text message, captures emails, contacts, data from Facebook, Skype, WhatsApp—everything you would use for communicating. The malware is activated by simply clicking on a link that the hackers send you. Now, when people carrying infected iPhones bring them to work and connect to the corporate network, it becomes clear that we need a way of detecting a jailbroken iPhone.
Any cybersecurity system can be thwarted if the people protected by it are unaware of the risks they may be taking. Your first basic step should always be to notify your team and urge them to keep iOS up to date. Fortunately, Apple is dedicated to consumer safety; after Citizen Lab informed them of the Trident vulnerabilities, Apple quickly created fixes in the latest update.
Detecting a Jailbroken iPhone with NetFlow
There are several ways to detect a jailbroken iPhone using a network traffic analyzer. I’ll be using Scrutinizer coupled with FlowPro Defender for these examples.
First, I ran a Host to Host with Destination FQDN report with filters that include only Apple devices. This works well for us because we’re a PC office, so any Apple device would be BYOD. Depending on your network topology, you can also add a filter for a device that you know all wireless BYOD traffic connects to.
Here, I would check for strange-looking destination FQDNs, but because we’re specifically on alert for malware that steals all information from communicative apps, I would also look for excessive usage of apps like Gmail and Skype.
We can drill down further, though. By switching to a Source > User Name by IP report, keeping the Apple filter in place, I can pull up a list of users connecting Apple devices to the corporate network.
And I can also check what each user’s device is connecting to by drilling down on the names.
Or I could let Scrutinizer do the heavy lifting for me by simply checking the Alarms tab. I checked the Bulletin Board by Policy > Indicators of Compromise (you can learn more about Indicators of Compromise here). In this case, I’m particularly interested in the Exploit Domains policy violation and even the Phishing Domains policy violation.
By clicking on Exploit Domain, I can pull up a list of descriptions and violator addresses for each violation. If I wanted to find out more about the user(s) who triggered the alarm, I could then run a report on the given violator address.
When investigating a possible cyber threat, context is crucial. Using these different methods will provide valuable information towards detecting a jailbroken iPhone on your network.
To see Scrutinizer in action for yourself, you can download a free trial here.