Risk
10/12/2012
02:18 PM

6 Reasons iOS 6 Jailbreaks Will Be Tough

Glory hounds hoping to jailbreak Apple's newest devices won't have an easy time of it. Security experts detail the challenges.

Waiting for a jailbreak for the latest iOS 6 devices such as the iPhone 5? You might have to wait a while.

Jailbreaking your iPhone is now legal in the United States, even if Apple has historically discouraged the process. With Apple's release last month of iOS 6, iPhone hackers have, of course, set their sights on jailbreaking the new OS. So far no automated jailbreak is available for the latest-generation iOS devices that run iOS 6. But software hacker Grant Paul claimed, to All Things Digital, that he'd jailbroken an iPhone 5 less than 24 hours after its release.

Last month, meanwhile, iPhone Dev-Team released Redsn0w, a tethered jailbreak for iOS 6, but it works only on A4-based and earlier devices, including the iPhone 4, iPhone 3GS, and iPod Touch 4th-generation. It won't, however, work on newer devices, including the iPhone 4S and 5, or the two latest generations of iPads.

Could a full iOS 6 jailbreak, including for the latest Apple devices, be just around the corner? Don't bet on it. Here are six of the top challenges that would-be jailbreak developers will face:

1. Finding sufficient vulnerabilities takes smarts. "Jailbreaking is just overwriting some values in memory," said security researcher Charlie Miller, in a presentation at the RSA Conference in San Francisco earlier this year. (Miller is now a member of Twitter's security team.) But to overwrite those values, would-be jailbreakers must find unknown, exploitable vulnerabilities in iOS and then successfully chain these vulnerabilities together.

For example, Miller said, "JailbreakMe.com 3 was an end-to-end exploitation of all the security mechanisms that are in iOS 5." He noted that the software's developer, Comex, also found code signing bugs in iOS 2, and again in iOS 5, that would allow exploit processes to create memory regions to make exploitation easier.

Such knowledge is difficult to come by. "All the jailbreak developers are really freaking smart," said Dino Dai Zovi, CTO of security research firm Trail of Bits, at the RSA conference. As a result, he said, all of the exploits that have been used for jailbreaking have either been discovered by teams of researchers, "or [by] Comex, who's from the future."

2. Vulnerability hunting takes time. Finding new iOS bugs that can be chained together takes time. The self-described "Jailbreak Dream Team" behind the first untethered jailbreak for the iPhone 4S and iPad 2, dubbed Absinthe 2.0 and introduced in January 2012, said it took them 10 months to figure out how to jailbreak the new A5 chip used on those devices.

3. Website-based untethered jailbreaking is insanely difficult. The aforementioned Comex isn't legendary in jailbreaking circles just for creating jailbreaking software by himself, but also for allowing people to do it via a website. Indeed, unlike other jailbreaks, which require a USB cable, Comex's can be installed simply by visiting the JailbreakMe.com website. But Comex's last release was JailbreakMe version 3, in July 2011, and it works only on iOS devices up to the iPhone 4.

The real identity of the iOS hacker who calls himself Comex was last year revealed by Forbes as a 20-year-old Brown University student named Nicholas Allegra. Interestingly, Allegra last year announced that while on a break from Brown, he would be interning for Apple. Might Apple developers have gleaned some proactive iOS security suggestions from him? If so, it would mean further trouble for would-be jailbreakers.

4. Apple's update clock begins ticking after jailbreaks are released. Once they go public, exploits have a short shelf life. Indeed, whenever a new jailbreak appears, Apple begins patching the exploited vulnerabilities. "Let's talk about jailbreakme.com 2 [which debuted in July 2010]," said Dai Zovi, who together with Miller co-authored the iOS Hacker's Handbook, which was released in May 2012.

"Once you drop all these bugs, it gets fixed instantly," Dai Zovi said, noting that after version 2 of jailbreakme.com debuted, it took Apple just two weeks to release an update that blocked the vulnerabilities that the jailbreak had used.

5. Early iOS 6 exploit was not a jailbreak. At the Hack in the Box conference in Kuala Lumpur earlier this month, Azimuth Security researchers Mark Dowd and Tarjei Mandt demonstrated a kernel exploit that allowed them to install and run Cydia--an application that can be used to search for and install apps onto a jailbroken iPhone--on an iPhone 5 running iOS 6. But they noted that their kernel exploit alone couldn't be used to jailbreak iOS 6 devices.

6. Apple keeps locking down iOS. Unfortunately for would-be jailbreakers, iOS 6 will arguably be the toughest mobile Apple OS to crack. According to Dowd and Mandt's presentation, Apple has added a number of features that have improved iOS 6 security, in part by better hardening the iOS kernel--the central component of the operating system--against exploits, better protecting against memory or heap corruption errors, and improving stack overflow prevention. In addition, Apple added new information leakage mitigations, including zeroing out some application programming interfaces (APIs) that had previously been used to execute successful kernel-level exploits. Apple also made address space layout randomization (ASLR) even more random and thus more difficult to circumvent.

All told, these iOS 6 mitigations significantly raise the bar, according to the researchers, who noted that many of the old tricks don't work, including bugs that previously could have been exploited to help trigger a jailbreak.
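To make the "stack overflow prevention" item concrete, here is a small model of one such mitigation class, a guard word (stack canary) placed between a fixed-size buffer and the control data that follows it. This is an added illustration written for this page, not Apple's kernel code and not the Azimuth researchers' material; the struct layout, the constant CANARY_VALUE, and the sample input are constructed for the example, and a real canary is a random per-process value rather than a constant. The unchecked copy models the "before" of an overflow bug, the checked copy the bounds check a fix adds; the copy is clamped to the frame object so the demonstration itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
/* Constructed guard value. Real implementations randomize this per process
 * so an attacker cannot simply write the expected value back over it. */
#define CANARY_VALUE 0xDEADC0DEu

/* Stand-in for a stack frame: data buffer, then the guard word, then a
 * value representing saved control data (return address / frame pointer). */
struct frame {
    char     buf[BUF_LEN];
    uint32_t canary;
    uint32_t saved_ctx;
};

/* Unchecked copy: trusts the caller-supplied length, as the vulnerable code
 * in an overflow bug does. The copy is clamped to the frame object so the
 * example stays within defined behaviour; the canary check then reports
 * whether the copy ran past buf. Returns 1 if intact, 0 if overwritten. */
static int frame_copy_unchecked(struct frame *f, const char *src, size_t len)
{
    f->canary = CANARY_VALUE;
    f->saved_ctx = 0x1000;
    if (len > sizeof(*f))
        len = sizeof(*f);
    memcpy((char *)f, src, len);   /* may spill from buf into canary/saved_ctx */
    return f->canary == CANARY_VALUE;
}

/* Bounds-checked copy: refuses input that does not fit (leaving room for the
 * terminator). Returns -1 when rejected, otherwise the canary status (1). */
static int frame_copy_checked(struct frame *f, const char *src, size_t len)
{
    f->canary = CANARY_VALUE;
    f->saved_ctx = 0x1000;
    if (len >= BUF_LEN)
        return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return f->canary == CANARY_VALUE;
}

/* Constructed sample input: 40 bytes of 'A', longer than the 16-byte buffer. */
int run_unchecked_demo(void)
{
    struct frame f;
    char input[40];
    memset(input, 'A', sizeof input);
    return frame_copy_unchecked(&f, input, sizeof input);  /* 0: canary smashed */
}

int run_checked_demo(void)
{
    struct frame f;
    char input[40];
    memset(input, 'A', sizeof input);
    return frame_copy_checked(&f, input, sizeof input);    /* -1: input rejected */
}

int run_benign_demo(void)
{
    struct frame f;
    const char *s = "hello";                                /* fits in buf */
    return frame_copy_unchecked(&f, s, strlen(s));          /* 1: canary intact */
}

int main(void)
{
    printf("unchecked copy, oversized input: canary intact = %d\n", run_unchecked_demo());
    printf("checked copy, oversized input:   result = %d (rejected)\n", run_checked_demo());
    printf("unchecked copy, small input:     canary intact = %d\n", run_benign_demo());
    return 0;
}
```

The point the canary makes is the one the article attributes to the researchers: a mitigation does not remove the bug, it turns a silent overwrite of control data into a detectable event, and an attacker who cannot read the guard value first (the information-leak mitigations mentioned alongside it) cannot restore it. The bounds check is the actual fix; the canary is the safety net for the bugs that are not yet fixed.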

In Search of Jailbreaks

With the above discussion of jailbreaks, a caveat: there's a reason that information security managers discourage--if not actively block--jailbroken iPhones or iPads from accessing the corporate network. "What happens when you do jailbreak your phone--what does it do to the security architecture?" said Miller at RSA. "It turns out that it breaks everything. ... It turns off code signing, of course--that's why you jailbreak it. But code signing is tied to app permissions ... [and] all the things you download can run as root." That means there's no sandbox to prevent attackers from exploiting an app, then using it as a stepping stone to exploit the device in other ways.

The JailbreakMe website, however, has this to say in its FAQ: "By itself, jailbreaking does not make you vulnerable. However, a common mistake for jailbreakers is to install OpenSSH but forget to change the passwords for root and mobile; this lets anyone log into your device over the Internet."

Miller, however, disagrees. "After jailbreaking an iOS device," he said, "you really increase the risk of something bad happening."

Comments
JackOfficer
User Rank: Apprentice
10/16/2012 | 9:52:39 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
same shit, different day...nothing new in this article.
3 of the 6 "points" talk about JailbreakMe.com that hasn't worked since iOS 4...so that info is outdated/useless. also, let's say there is a current exploit, what self-respecting hacker would release it for iOS 6 which is known to all as garbage. so wait til apple is done apologizing for iOS 6 and release it when apple fixes their crap :)
Justin Freid
User Rank: Apprentice
12/1/2012 | 4:14:59 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
Interesting coverage. Any chance at getting a one on one with a couple of the iOS hackers?