NATIONAL HARBOR, Md. – A pair of Gartner Inc. analysts offered an unusual warning to enterprise security managers this week: Quiet, unassuming smartphone users may actually be dangerous hackers, putting their companies' security in jeopardy without even knowing it.
Well, sort of. During a presentation on mobile device security at the Gartner 2012 Security & Risk Management Summit this week, analysts John Girard and Lawrence Pingree said if there's one new mantra to apply to enterprise bring-your-own-device (BYOD) security policies, it's that jailbroken devices pose a significant risk and should be banned from the enterprise network.
The term “jailbreaking” refers to the trend in which users bypass the software restrictions mobile device makers and carriers build into iOS and Android-based smartphones and tablets. Jailbreaking or rooting a device enables users to gain administrator-level privileges and use the hardware to run unauthorized applications and perform non-sanctioned functions, like Wi-Fi tethering.
While the analysts indicated only a small percentage of mobile device users jailbreak their devices, it's common for users to bring their jailbroken devices into the enterprise environment. That's all it takes for an attacker to use such a mobile device as a pivot point, often via a rogue mobile app, to bounce through firewalls and other defenses right onto the enterprise network.
The presenters focused on iOS and Android platforms because of their ubiquity and because they are the ones most commonly jailbroken: Research In Motion Ltd.'s BlackBerry platform is essentially impossible to jailbreak, they said, and Windows Mobile devices only account for a fraction of the market.
On the whole, Girard said, Apple's platform on its face is "great from an enterprise perspective" because it offers a single OS, one source from which applications can be downloaded, and predictable vulnerabilities that can be defended.
"You're talking about a device an enterprise can understand," Girard said. "You can build a helpdesk process and policy around that."
Users of Apple's mobile devices are generally less likely to want to jailbreak their devices, Girard added, because they want to be able to update to the latest authorized OS version and take advantage of new features.
Android, however, is another matter. Because it's essentially an open source OS, any manufacturer can take the base code and modify it as they please.
"Google doesn't require [that] encryption or comprehensive management be effective in the device, so fragmentation becomes a problem," Girard said. "Heterogeneity is your friend when it comes to device security, but the problem is most exploits for Android are forward- and backward-compatible across all these versions."
Pingree said jailbreaking, or more precisely, rooting, the Android OS is the primary means of thwarting platform protections. In fact, he added, a process running as root on the device has access to everything.
"If we want to drive home anything here," Pingree said, "it's prevent jailbreaking at any cost."
The presenters strongly advocated for a "no jailbreaking or rooting" rule to be incorporated in an organization's BYOD policies. While they also recommended broader technical safeguards, like a company-administered mobile device management (MDM) product and the use of certificates for any and all circumstances in which mobile devices access company resources, they said the simple process of mandating a device access passcode is a surprisingly effective tactic.
"Any device that has had its privileges escalated is a mine for information," Girard said, but even on a jailbroken device that's passcode-protected, an attacker would have to go after passwords and root certificates to get any valuable data.
"This is why just a basic passcode is enough so an attacker will give up," Girard said.