10/12/2012
02:18 PM

6 Reasons iOS 6 Jailbreaks Will Be Tough

Glory hounds hoping to jailbreak Apple's newest devices won't have an easy time of it. Security experts detail the challenges.

Waiting for a jailbreak for the latest iOS 6 devices such as the iPhone 5? You might have to wait a while.

Jailbreaking your iPhone is now legal in the United States, even if Apple has historically discouraged the process. With Apple's release last month of iOS 6, iPhone hackers have, of course, set their sights on jailbreaking the new OS. So far no automated jailbreak is available for the latest-generation iOS devices that run iOS 6. But software hacker Grant Paul claimed, to All Things Digital, that he'd jailbroken an iPhone 5 less than 24 hours after its release.

Last month, meanwhile, iPhone Dev-Team released Redsn0w, a tethered jailbreak for iOS 6, but it works only on A4-based and earlier devices, including the iPhone 4, iPhone 3GS, and iPod Touch 4th-generation. It won't, however, work on newer devices, including the iPhone 4s and 5, or the two latest generations of iPads.


Could a full iOS 6 jailbreak, including for the latest Apple devices, be just around the corner? Don't bet on it. Here are six of the top challenges that would-be jailbreak developers will face:

1. Finding sufficient vulnerabilities takes smarts. "Jailbreaking is just overwriting some values in memory," said security researcher Charlie Miller, in a presentation at the RSA Conference in San Francisco earlier this year. (Miller is now a member of Twitter's security team.) But to overwrite those values, would-be jailbreakers must find unknown, exploitable vulnerabilities in iOS and then successfully chain these vulnerabilities together.

For example, Miller said, "JailbreakMe.com 3 was an end-to-end exploitation of all the security mechanisms that are in iOS 5." He noted that the software's developer, Comex, also found code signing bugs in iOS 2, and again in iOS 5, that would allow exploit processes to create memory regions to make exploitation easier.

Such knowledge is difficult to come by. "All the jailbreak developers are really freaking smart," said Dino Dai Zovi, CTO of security research firm Trail of Bits, at the RSA conference. As a result, he said, all of the exploits that have been used for jailbreaking have either been discovered by teams of researchers, "or [by] Comex, who's from the future."

2. Vulnerability hunting takes time. Finding new iOS bugs that can be chained together takes time. The self-described "Jailbreak Dream Team" behind the first untethered jailbreak for the iPhone 4S and iPad 2, dubbed Absinthe 2.0 and introduced in January 2012, said it took them 10 months to figure out how to jailbreak the new A5 chip used on those devices.

3. Website-based untethered jailbreaking is insanely difficult. The aforementioned Comex is legendary in jailbreaking circles not just for creating jailbreaking software by himself, but also for letting people run it from a website. Indeed, unlike other jailbreaks, which require a USB cable, Comex's can be installed simply by visiting the JailbreakMe.com website. But Comex's last release was JailbreakMe version 3, in July 2011, and it works only on iOS devices up to the iPhone 4.

The real identity of the iOS hacker who calls himself Comex was last year revealed by Forbes as a 20-year-old Brown University student named Nicholas Allegra. Interestingly, Allegra last year announced that while on a break from Brown, he would be interning for Apple. Might Apple developers have gleaned some proactive iOS security suggestions from him? If so, it would mean further trouble for would-be jailbreakers.

4. Apple's update clock begins ticking after jailbreaks are released. Once they go public, exploits have a short shelf life. Indeed, whenever a new jailbreak appears, Apple begins patching the exploited vulnerabilities. "Let's talk about jailbreakme.com 2 [which debuted in July 2010]," said Dai Zovi, who co-authored the iOS Hacker's Handbook with Miller; the book was released in May 2012.

"Once you drop all these bugs, it gets fixed instantly," Dai Zovi said, noting that after version 2 of jailbreakme.com debuted, it took Apple just two weeks to release an update that blocked the vulnerabilities that the jailbreak had used.

5. Early iOS 6 exploit was not a jailbreak. At the Hack in the Box conference in Kuala Lumpur earlier this month, Azimuth Security researchers Mark Dowd and Tarjei Mandt demonstrated a kernel exploit that allowed them to install and run Cydia--an application that can be used to search for and install apps onto a jailbroken iPhone--on an iPhone 5 running iOS 6. But they noted that their kernel exploit alone couldn't be used to jailbreak iOS 6 devices.

6. Apple keeps locking down iOS. Unfortunately for would-be jailbreakers, iOS 6 will arguably be the toughest mobile Apple OS to crack. According to Dowd and Mandt's presentation, Apple has added a number of features that have improved iOS 6 security, in part by better hardening the iOS kernel--the central component of the operating system--against exploits, better protecting against memory or heap corruption errors, and improving stack overflow prevention. In addition, Apple added new information leakage mitigations, including zeroing out some application programming interfaces (APIs) that had previously been used to execute successful kernel-level exploits. Apple also made address space layout randomization (ASLR) even more random and thus more difficult to circumvent.

All told, these iOS 6 mitigations significantly raise the bar, according to the researchers, who noted that many of the old tricks don't work, including bugs that previously could have been exploited to help trigger a jailbreak.

In Search of Jailbreaks

One caveat to the above discussion of jailbreaks: there's a reason that information security managers discourage--if not actively block--jailbroken iPhones or iPads from accessing the corporate network. "What happens when you do jailbreak your phone--what does it do to the security architecture?" said Miller at RSA. "It turns out that it breaks everything. ... It turns off code signing, of course--that's why you jailbreak it. But code signing is tied to app permissions ... [and] all the things you download can run as root." That means there's no sandbox to prevent attackers from exploiting an app, then using it as a stepping stone to exploit the device in other ways.

The JailbreakMe website, however, has this to say in its FAQ: "By itself, jailbreaking does not make you vulnerable. However, a common mistake for jailbreakers is to install OpenSSH but forget to change the passwords for root and mobile; this lets anyone log into your device over the Internet."

Miller, however, disagrees. "After jailbreaking an iOS device," he said, "you really increase the risk of something bad happening."


Comments

JackOfficer
User Rank: Apprentice
10/16/2012 | 9:52:39 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
Same shit, different day... nothing new in this article.
3 of the 6 "points" talk about JailbreakMe.com, which hasn't worked since iOS 4... so that info is outdated/useless. Also, let's say there is a current exploit: what self-respecting hacker would release it for iOS 6, which is known to all as garbage? So wait till Apple is done apologizing for iOS 6 and release it when Apple fixes their crap :)

Justin Freid
User Rank: Apprentice
12/1/2012 | 4:14:59 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
Interesting coverage. Any chance of getting a one-on-one with a couple of the iOS hackers?