iOS Patch Draws Fast Action From Jailbreakers

By Richard Adhikari MacNewsWorld ECT News Network
Aug 13, 2010 5:00 AM PT

Apple has issued a patch for the two iOS vulnerabilities that allowed iPhone owners to jailbreak their devices via the Web through the site

It triggered a variety of reactions. Comex, a coauthor of the JailBreakMe exploit that leveraged the iOS 4 vulnerabilities to jailbreak the iPhone, promptly posted the exploit code on the Web. Though the JailBreakMe site used the exploit to jailbreak the iPhones of willing users, the same code could be turned to malicious purposes.

Hackers noted that Apple hadn't updated the baseband, which means that devices running iOS 4.0.2, the patched release, can still be unlocked.

The iPhone Dev Team, another group of hackers that also published jailbreaks for the iPhone, issued its own fix for the original iPhone and iPod touch 1G, which weren't covered by Apple's patch.

Expect to see more jailbreaks in the future, and owners of jailbroken iPhones may want to avoid applying patches from Apple to fix any new flaws discovered in iOS.

Details of Apple's Patch

The iOS 4.0.2 update for iPhone and iPod touch can be downloaded and installed using iTunes, Apple Support said. It's available for iOS 2.0 through 4.0.1 on the iPhone 3G and later, and for iOS 2.1 through 4.0 on the second-generation iPod touch and later.

One of the vulnerabilities the patch fixes lets attackers run code on a victim's iOS device when the user views a maliciously crafted PDF document. The attack works through a stack buffer overflow. Apple has improved bounds checking on iOS with the release of the patch.

The other vulnerability lets malware already running on an iOS device gain system privileges. It consists of an integer overflow in the handling of IOSurface properties. This issue is addressed through improved bounds checking, Apple said.
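The two bug classes above, a length check that an integer overflow defeats and a copy into a fixed-size buffer, shown side by side with the bounds checking that closes them. This is a constructed C example added here, not Apple's code or any iOS source; the record layout, the function names and the sample header values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (hypothetical, not Apple's IOSurface format):
   [count:u32][elem_size:u32][count * elem_size payload bytes]. */

/* Vulnerable pattern: the 32-bit product wraps, so an oversized record passes.
   Returns true when the flawed check would accept the record. */
bool naive_size_check(uint32_t count, uint32_t elem_size, size_t avail) {
    uint32_t total = count * elem_size;   /* 0x01000001 * 0x100 wraps to 0x100 */
    return total <= avail;
}

/* Hardened check: refuse if the product would wrap or exceeds the bytes present. */
bool safe_size_check(uint32_t count, uint32_t elem_size, size_t avail) {
    if (count != 0 && elem_size > SIZE_MAX / count)
        return false;
    return (size_t)count * elem_size <= avail;
}

/* Copies the payload into out (capacity out_cap). Returns the payload length,
   or -1 if the header is inconsistent or the payload would not fit: the bounds
   check that stops a fixed-size (e.g. stack) buffer from being overrun. */
int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap) {
    uint32_t count, elem_size;
    if (len < 8) return -1;
    memcpy(&count, buf, 4);
    memcpy(&elem_size, buf + 4, 4);
    if (!safe_size_check(count, elem_size, len - 8)) return -1;
    size_t total = (size_t)count * elem_size;
    if (total > out_cap) return -1;
    memcpy(out, buf + 8, total);
    return (int)total;
}

/* Builds a constructed record with a 6-byte payload and the given header
   fields, then runs it through parse_record into a 16-byte buffer. */
int demo_parse(uint32_t count, uint32_t elem_size) {
    uint8_t rec[16], out[16];
    const uint8_t payload[6] = {1, 2, 3, 4, 5, 6};
    memcpy(rec, &count, 4);
    memcpy(rec + 4, &elem_size, 4);
    memcpy(rec + 8, payload, sizeof payload);
    return parse_record(rec, 8 + sizeof payload, out, sizeof out);
}
```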

"Apple's timely patch to the PDF vulnerability and one other exploitable vulnerability have made it more difficult to jailbreak the iPhone," Randy Abrams, director of technical education at ESET, told MacNewsWorld.

However, it's up to iPhone owners whether or not to install the patch.

"Installing the patch is always left up to the user, and is thus optional," Kevin Morgan, chief technology officer at Arxan Technologies, told MacNewsWorld.

Comex Strikes Back

Comex, a coauthor of the "JailBreakMe" exploit, released the source code on the Web shortly after Apple's patch release.

It also posted a tweet about the release.

That move drew criticism from ESET's Abrams. Though Comex detailed the exploit after the patch had been issued, iPhone users must first learn about and actively install the patch themselves. While malicious hackers have the exploit already, many iPhone users are still running around unprotected.

"Comex practiced extremely irresponsible vulnerability disclosure for its own self-interest," he said. "The vulnerability should have been reported quietly to Apple so as to allow Apple a reasonable amount of time to create a patch and release it instead of exposing millions of iPhone users to a high degree of risk."

The act of jailbreaking itself is not an issue, Abrams said; it's the "irresponsible nature of how Comex disclosed the PDF vulnerability" that irks him.

The Flaw in Apple's Patch

The iOS 4.0.2 patch may have fixed the two vulnerabilities exploited by the "JailBreakMe" site, but Apple failed to also update the baseband, Taimur Asad wrote on the Redmondpie blog.

"This means the 05.13.04 baseband which accompanies iOS 4.0.2 is still unlockable with ultrasn0w provided that you manage to jailbreak your iOS device," Asad said.

Hacking the baseband unlocks the iPhone so it accepts SIM cards from carriers other than AT&T in the U.S., letting the user make calls on other carriers' networks. This is different from jailbreaking, in which hackers get into iOS and gain read/write access to the file system.

At the moment, hackers can only unlock the iPhone 3G running iOS 4.0.2, Asad said.

iPhone Dev Team Saves Geriatric Devices

Apple's patch ignored original iPhone and iPod touch 1G users, the iPhone Dev Team pointed out.

"Even though Apple acknowledges in their security update the severity of these holes, they left iPhone 2G and iPod touch 1G owners high and dry -- completely vulnerable to truly malicious variants of jailbreakers," reads a statement from the team. "These variants aren't out yet, but they're sure to come."

The Dev Team also said iPhone expert Jay Freeman, whose Cydia apps market offers apps for jailbroken iPhones, has developed a package that will "fix the holes for all devices and all firmware versions going back to version 2.x." That package is available from Cydia now and prevents the JailBreakMe app from working on iOS devices, the Dev Team said.

"Jailbreakers can have their cake and eat it too," the Dev Team said.

Of Cats, Mice and Jailbreaks to Come

New jailbreak techniques will emerge that will require new patches, Arxan's Morgan predicted.

"The cat and mouse game will continue," he said.

Apple has never liked jailbroken iPhones; Morgan pointed out that jailbroken devices are a security problem.

"Jailbroken iPhones present a huge security risk to users given the nature of how a jailbreak works," Morgan explained. "Being able to install unsigned applications, modify system settings and access the operating system files can make the phone and its apps vulnerable to malware injection and compromise user information and intellectual property."

People jailbreak iPhones to "either remove apps that come pre-loaded, which they consider bloatware, or to avail themselves of applications outside the iTunes App Store," Morgan said.

The latter means consumers are accessing apps outside of Apple's control, and these apps may contain malware, be pirated, be considered inappropriate or be illegal, Morgan pointed out. This is also an issue for the Android and other mobile platforms.

Smartphone owners who jailbreak their devices have already compromised the vendor's security model, Morgan warned.

"At that point, apps they download can contain malware, as they haven't been vetted, and the user is on his own," Morgan said.
