Risk
10/12/2012
02:18 PM
Connect Directly
RSS
E-Mail
50%
50%

6 Reasons iOS 6 Jailbreaks Will Be Tough

Glory hounds hoping to jailbreak Apple's newest devices won't have an easy time of it. Security experts detail the challenges.

Apple iOS 6: 10 Most Interesting Features
Apple iOS 6: 10 Most Interesting Features
(click image for larger view and for slideshow)
Waiting for a jailbreak for the latest iOS 6 devices such as the iPhone 5? You might have to wait a while.

Jailbreaking your iPhone is now legal in the United States, even if Apple has historically discouraged the process. With Apple's release last month of iOS 6, iPhone hackers have, of course, set their sites on jailbreaking the new OS. So far no automated jailbreak is available for latest-generation iOS devices that run iOS 6. But software hacker Grant Paul claimed, to All Things Digital, that he'd jailbroken an iPhone 5 less than 24 hours after its release.

Last month, meanwhile, iPhone Dev-Team released Redsn0w, a tethered jailbreak for iOS 6, but it works only on A4-based and earlier devices, including the iPhone 4, iPhone 3GS, and iPod Touch 4th-generation. It won't, however, work on newer devices, including the iPhone 4s and 5, or the two latest generations of iPads.

[ Want to keep Apple's nose out of your browsing history? Here's how: iOS 6 Ad Tracking: How To Opt Out. ]

Could a full iOS 6 jailbreak, including for the latest Apple devices, be just around the corner? Don't bet on it. Here are six of the top challenges that would-be jailbreak developers will face:

1. Finding sufficient vulnerabilities takes smarts. "Jailbreaking is just overwriting some values in memory," said security researcher Charlie Miller, in a presentation at the RSA Conference in San Francisco earlier this year. (Miller is now a member of Twitter's security team.) But to overwrite those values, would-be jailbreakers must find unknown, exploitable vulnerabilities in iOS and then successfully chain these vulnerabilities together.

For example, Miller said, "JailbreakMe.com 3 was an end-to-end exploitation of all the security mechanisms that are in iOS 5." He noted that the software's developer, Comex, also found code signing bugs in iOS 2, and again in iOS 5, that would allow exploit processes to create memory regions to make exploitation easier.

Such knowledge is difficult to come by. "All the jailbreak developers are really freaking smart," said Dino Dai Zovi, CTO of security research firm Trail of Bits, at the RSA conference. As a result, he said, all of the exploits that have been used for jailbreaking have either been discovered by teams of researchers, "or [by] Comex, who's from the future."

2. Vulnerability hunting takes time. Finding new iOS bugs that can be chained together takes time. The self-described "Jailbreak Dream Team" behind the first untethered jailbreak for the iPhone 4S and iPad 2, dubbed Absinthe 2.0 and introduced in January 2012, said it took them 10 months to figure out how to jailbreak the new A5 chip used on those devices.

3. Website-based untethered jailbreaking is insanely difficult. The aforementioned Comex isn't legendary in jailbreaking circles just for creating jailbreaking software by himself, but also for allowing people to do it via a website. Indeed, unlike other jailbreaks, which require a USB cable, Comex's can be installed simply by visiting the JailbreakMe.com website. But Comex's last release was JailbreakMe version 3, in July 2011, and it works only on iOS devices up to the iPhone 4.

The real identify of the iOS hacker who calls himself Comex was last year revealed by Forbes as a 20-year old Brown University student named Nicholas Allegra. Interestingly, Allegra last year announced that while on a break from Brown, he would be interning for Apple. Might Apple developers have gleaned some proactive iOS security suggestions from him? If so, it would mean further trouble for would-be jailbreakers.

4. Apple's update clock begins ticking after jailbreaks are released. Once they go public, exploits have a short shelf life. Indeed, whenever a new jailbreak appears, Apple begins patching the exploited vulnerabilities. "Let's talk about jailbreakme.com 2 [which debuted in July 2010]," said Zovi, who together with Miller helped co-author the iOS Hacker's Handbook, which was released in May 2012.

"Once you drop all these bugs, it gets fixed instantly," Zovi said, noting that after version 2 of jailbreakme.com debuted, it took Apple just two weeks to release an update that blocked the vulnerabilities that the jailbreak had used.

5. Early iOS 6 exploit was not a jailbreak. At the Hack in the Box conference in Kuala Lumpur earlier this month, Azimuth Security researchers Mark Dowd and Tarjei Mandt demonstrated a kernel exploit that allowed them to install and run Cydia--an application that can be used to search for and install apps onto a jailbroken iPhone--on an iPhone 5 running iOS 6. But they noted that their kernel exploit alone couldn't be used to jailbreak iOS 6 devices.

6. Apple keeps locking down iOS. Unfortunately for would-be jailbreakers, iOS 6 will arguably be the toughest mobile Apple OS to crack. According to Dowd and Mandt's presentation, Apple has added a number of features that have improved iOS 6 security, in part by better hardening the iOS kernel--the central component of the operating system--against exploits, better protecting against memory or heap corruption errors, and improving stack overflow prevention. In addition, Apple added new information leakage mitigations, including zeroing out some application programming interfaces (APIs) that had previously been used to execute successful kernel-level exploits. Apple also made address space layout randomization (ASLR) even more random and thus more difficult to circumvent.

All told, these iOS 6 mitigations significantly raise the bar, according to the researchers, who noted that many of the old tricks don't work, including bugs that previously could have been exploited to help trigger a jailbreak.

In Search of Jailbreaks

With the above discussion of jailbreaks, a caveat: there's a reason that information security managers discourage--if not actively block--jailbroken iPhones or iPads from accessing the corporate network. "What happens when you do jailbreak your phone--what does it do to the security architecture?" said Miller at RSA. "It turns out that it breaks everything. ... It turns off code signing, of course--that's why you jailbreak it. But code signing is tied to app permissions ... [and] all the things you download can run as root." That means there's no sandbox to prevent attackers from exploiting an app, then using it as a stepping stone to exploit the device in other ways.

The JailbreakMe website, however, has this to say in its FAQ: "By itself, jailbreaking does not make you vulnerable. However, a common mistake for jailbreakers is to install OpenSSH but forget to change the passwords for root and mobile; this lets anyone log into your device over the Internet."

Miller, however, disagrees. "After jailbreaking an iOS device," he said, "you really increase the risk of something bad happening."

A security information and event management system serves as a repository for all the security alerts and logging systems from a firm's devices. But this can be overkill for a company that is understaffed or has overestimated its security information needs. In our report, Does SIEM Make Sense For Your Company?, we discuss 10 questions to ask yourself in determining whether SIEM makes sense for you--and how to pick the right system if it does. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Justin Freid
50%
50%
Justin Freid,
User Rank: Apprentice
12/1/2012 | 4:14:59 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
Interesting coverage. Any chance at getting a one on one with a couple of the iOS hackers?
JackOfficer
50%
50%
JackOfficer,
User Rank: Apprentice
10/16/2012 | 9:52:39 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
same shit, different day...nothing new in this article.
3 of the 6 "points" talk about JailbreakMe.com that hasent worked since iOS 4...so that info is outdated/useless. also, lets say there is a current exploit, what self-respecting hacker would release it for iOS 6 which is known to all as garbage. so wait til apple is done apologizing for iOS 6 and release it when apple fixes their crap :)
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

CVE-2014-0762
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows physically proximate attackers to cause a denial of service (infinite loop or process crash) via crafted input over a serial line.

CVE-2014-2380
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.

CVE-2014-2381
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.

CVE-2014-3344
Published: 2014-08-27
Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq31129, CSCuq3...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.