iPhone Jailbreak App Tunnels Through PDF Flaw
Aug 3, 2010 11:36 AM PT
The process consists of a one-two punch, according to Charles Miller, principal analyst of software security at Independent Security Evaluators.
A remote exploit related to the way iOS renders PDFs lets hackers execute code on devices running the operating system, such as iPhone 4s, iPads and iPod touches, Miller told MacNewsWorld. The exploit is chained with another exploit that gains administrative privileges on the iOS devices.
While the JailbreakMe site uses the exploit to perform an operation the user presumably wants it to perform, the same flaw could expose enterprises to security breaches.
Apple has always frowned on jailbreaking, but it's not clear what the company will do to combat JailBreakMe. Its options include issuing a patch to fix the flaw, or even bricking jailbroken devices -- issuing an update that renders jailbroken phones uses.
How JailbreakMe Works
JailbreakMe requires a two-step process in order to succeed, said Miller.
"Apple's design doesn't allow admin privileges needed for things like jailbreaking since the Safari browser runs as a non-administrative user in a sandbox," Miller explained. Thus, the remote exploit stalls in the sandbox, and requires the second exploit to break out of the sandbox and gain administrative privileges.
"Between these two exploits, the jailbreakme.com website is able to perform administrative root actions such as jailbreaking a device running iOS," Miller said. The vulnerabilities JailbreakMe attacks seem to be "in the way iOS renders fonts and some problem with the IOKit framework," he added.
The PDF format is often buggy, Miller remarked.
"PDF's a complicated format that's bug prone," Miller pointed out. "I found more than 40 exploitable PDF bugs on OS X and iOS and talked about them during my presentation at CanSecWest in March."
CanSecWest is a security conference held annually in Vancouver, Canada, in March.
Implications of JailbreakMe
The act of jailbreaking iPhones is nothing new, Miller pointed out.
"The new aspect now is that a website can jailbreak an iOS 4 device remotely without the user's permission," he said. "So, a less friendly website than JailbreakMe.com could install malware on devices instead of just jailbreaking them," he added.
"A malicious person could exploit this vulnerability to do many other bad things if they can trick a user into loading a malicious PDF," warned Randy Abrams, director of technical education at ESET. "That may not be terribly hard to do."
Hackers commonly use malicious PDFs in their attacks. Symantec's MessageLabs Intelligence Report in June noted that 25 percent of all global spam was related to the World Cup, which was being held at the time. Brazil was the focus of targeted attacks that used a PDF attachment jointly with a malicious link to bypass traditional security measures, the report stated.
Jailbroken iPhones could be a "serious problem" on corporate networks, ESET's Abrams remarked.
"A jailbroken iPhone could run applications that might steal data from networks, for example," Abrams explained.
Still, such iPhones would have limited access to enterprise resources in properly configured corporate networks.
"It's essential that the enterprise has policies that govern the use of mobile devices on the network," Abrams said. "If the policy forbids the use of a jailbroken device on the network, then it's doubtful that IT has legal exposure, unless it can be shown to have knowledge that the device was being used, and chose not to enforce the policy."
Can Apple Bite Back?
Apple will likely issue a patch to fix the PDF flaw.
"If Apple doesn't, iPhones will soon be plagued with malware delivered through drive-by downloads," ISE's Miller predicted.
Last September, iPhone users were hit twice by malware. One attack, the "Duh" worm, gave control of victims' devices to a botnet command server in Lithuania. It spread through several countries. The other, the "Ikee" worm, was created as a prank, and its creator, Australian student Ashley Towns said he built it to remind owners of jailbroken iPhones to change the device's default login password.
In the meantime, enterprise IT should contact Apple support for guidance on how to detect whether or not a jailbroken device is being used on the corporate network, ESET's Abrams said.
One other option open to Apple is to "brick" jailbroken devices by issuing a software update that shuts them down. In September of 2007, Apple issued an update that effectively bricked hacked iPhones.
This time around, Cupertino may not be able to brick jailbroken devices so easily.
"It might be illegal for Apple to brick jailbroken devices deliberately," ESET's Abrams pointed out. "The government has already said that it's not a DMCA violation to jailbreak devices running iOS 4."
Bricking jailbroken iOS 4 devices could result in a backlash, ISE's Miller opined.
"This step would upset a large number of people," Miller said.