iPhone jailbreak exploit 'sweet' and 'scary,' says researcher

Perfect for drive-by attacks that hijack unsuspecting iPhones and iPads, says noted bug finder

The exploit used to jailbreak Apple's newest iPhone operating system is both "beautiful" and "scary," a noted vulnerability researcher said Monday.

And it's possible that criminals will use it to hijack anyone's iPhone , iPod Touch or iPad just by getting them to visit a malicious Web site.

That's Charlie Miller's take of the flaw in the mobile version of Apple's Safari browser that was used by someone identified as "comex" to jailbreak Apple's iOS 4.0.1.

"Jailbreak" is the term that describes the practice of hacking an iPhone to install apps not authorized by Apple.

Miller is a well-known security researcher with a reputation for hacking Macs and iPhones. A three-time winner at the annual Pwn2Own contest, and one of the three researchers who uncovered the first iPhone vulnerability in July 2007, Miller also demonstrated last year how to compromise an iPhone simply by sending a text message .

But he tipped his hat to comex, the Safari flaw comex found and the exploit the researcher crafted.

"Very beautiful work," Miller said of the exploit in a Twitter message Monday . "I'd have traded you 5 [exploits] for this exploit," he wrote in a follow-up tweet . "It's sweet."

Miller said he does not know comex, or the researcher's real name.

JailbreakMe 2.0 can be installed by browsing to the jailbreakme.com site with an iPhone, iPod Touch or iPad running iOS 4.0.1 or earlier. Moving the slider to the right kicks off the jailbreaking process.

"Not only does this elevate to the root, giving you complete control of the iPhone, but it breaks out of the sandbox," said Miller in an interview Monday, referring to the isolation technology designed to block rogue code from escaping the mobile Safari browser.

"There's no shell on the iPhone, so [comex] had to do all that himself to get control," Miller continued. "He elevated to root, turned off all code signing, broke out of the sandbox...all in the payload of the exploit.

"And it works every time. Not just a few times out of a hundred. But every time."

As proof, several people, including Miller, have posted photographs of jailbroken iPhones in Apple's own retail stores, the devices hacked by customers who browsed to jailbreakme.com.

In one of his tweets, Miller added, "Scary how it totally defeats Apple's security architecture."

Miller said he had not reverse-engineered the exploit to see how it works -- "I don't have any motivation to do that," he noted -- but said that that was certainly "doable." Someone will figure out how JailbreakMe works, he said. And until Apple patches the vulnerability in Safari, iPhone and iPod Touch and iPad users will be at risk.

"Rather than download and install the jailbreak, it could just as easily be used to download and install malware," Miller said.

Others agreed. Marc Fossi, the director of Symantec's security response team, said his group is digging into the exploit. "While the only currently-known exploit for this issue is non-malicious, it is quite possible for an attacker to alter the existing payload for malicious purpose," said Fossi in an e-mail Tuesday. "As such, iPhone users should be cautious when browsing to unsolicited or suspicious websites."

Fossi's efforts have been focused on determining whether the desktop editions of Safari on Mac OS X and Windows are also vulnerable. So far, the risk to users of Apple's browser on the Mac or a Windows PC is unclear, he said in a follow-up instant message.

According to Fossi and other researchers, including those at Helsinki-based F-Secure, the JailbreakMe exploit is actually a multi-stage hack. Step one, said the experts, is a PDF font-parsing flaw in mobile Safari; step two, Fossi added, is a local exploit used to gain root privileges on the iPhone.

Although Adobe claimed yesterday that early testing indicated that the current edition of Adobe Reader, version 9.3.3 is not vulnerable, F-Secure disagreed.

"In our testing, the PDF files [used in the exploit] crash both Adobe Reader and Foxit on Windows," F-Secure said in a Tuesday blog post .

Miller warned that the exploit could be used to launch drive-bys that would compromise any Apple mobile device that browsed to a malicious site harboring the attack code. "A drive-by download would own your iPhone," he said.

According to F-Secure, the exploit's first stage relies on a corrupted font inside a PDF file to crash the Compact Font Format (CFF) handler.

Apple 's policy is to decline comment on security issues until a patch is available. The company also does not announce timelines for iOS updates, although iOS 4.1 is reportedly already in the hands of beta testers.

Join the PC World newsletter!

Error: Please check your email address.

Tags Appleconsumer electronicssecuritysmartphonesPhonesMacintoshMalware and Vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?