Dark Reading is part of the Informa Tech Division of Informa PLC


6 Reasons iOS 6 Jailbreaks Will Be Tough

Glory hounds hoping to jailbreak Apple's newest devices won't have an easy time of it. Security experts detail the challenges.

Waiting for a jailbreak for the latest iOS 6 devices such as the iPhone 5? You might have to wait a while.

Jailbreaking your iPhone is now legal in the United States, even if Apple has historically discouraged the process. With Apple's release last month of iOS 6, iPhone hackers have, of course, set their sights on jailbreaking the new OS. So far no automated jailbreak is available for the latest-generation iOS devices that run iOS 6. But software hacker Grant Paul claimed, to All Things Digital, that he'd jailbroken an iPhone 5 less than 24 hours after its release.

Last month, meanwhile, iPhone Dev-Team released a version of Redsn0w offering a tethered jailbreak for iOS 6, but it works only on A4-based and earlier devices, including the iPhone 4, iPhone 3GS, and fourth-generation iPod Touch. It won't work on newer devices, including the iPhone 4S and iPhone 5, or the two latest generations of iPads.


Could a full iOS 6 jailbreak, including for the latest Apple devices, be just around the corner? Don't bet on it. Here are six of the top challenges that would-be jailbreak developers will face:

1. Finding sufficient vulnerabilities takes smarts. "Jailbreaking is just overwriting some values in memory," said security researcher Charlie Miller, in a presentation at the RSA Conference in San Francisco earlier this year. (Miller is now a member of Twitter's security team.) But to overwrite those values, would-be jailbreakers must find unknown, exploitable vulnerabilities in iOS and then successfully chain these vulnerabilities together.

For example, Miller said, "JailbreakMe.com 3 was an end-to-end exploitation of all the security mechanisms that are in iOS 5." He noted that the software's developer, Comex, also found code signing bugs in iOS 2, and again in iOS 5, that allowed an exploit to create new executable memory regions, which makes the rest of the exploitation much easier.

Such knowledge is difficult to come by. "All the jailbreak developers are really freaking smart," said Dino Dai Zovi, CTO of security research firm Trail of Bits, at the RSA conference. As a result, he said, all of the exploits that have been used for jailbreaking have either been discovered by teams of researchers, "or [by] Comex, who's from the future."

2. Vulnerability hunting takes time. Finding new iOS bugs that can be chained together takes time. The self-described "Jailbreak Dream Team" behind Absinthe, the first untethered jailbreak for the iPhone 4S and iPad 2, released in January 2012, said it took them 10 months to work out how to jailbreak the A5 chip used in those devices.

3. Website-based untethered jailbreaking is insanely difficult. The aforementioned Comex isn't legendary in jailbreaking circles just for creating jailbreaking software by himself, but also for allowing people to do it via a website. Unlike other jailbreaks, which require a USB cable, Comex's could be installed simply by visiting the JailbreakMe.com website. But Comex's last release was JailbreakMe version 3, in July 2011, and it works only on iOS devices up to the iPhone 4.

The real identity of the iOS hacker who calls himself Comex was revealed last year by Forbes as a 20-year-old Brown University student named Nicholas Allegra. Interestingly, Allegra announced last year that while on a break from Brown, he would be interning for Apple. Might Apple developers have gleaned some proactive iOS security suggestions from him? If so, it would mean further trouble for would-be jailbreakers.

4. Apple's update clock begins ticking after jailbreaks are released. Once they go public, exploits have a short shelf life. Whenever a new jailbreak appears, Apple begins patching the exploited vulnerabilities. "Let's talk about jailbreakme.com 2 [which debuted in August 2010]," said Dai Zovi, who together with Miller co-authored the iOS Hacker's Handbook, released in May 2012.

"Once you drop all these bugs, it gets fixed instantly," Dai Zovi said, noting that after version 2 of jailbreakme.com debuted, it took Apple just two weeks to release an update that closed the vulnerabilities the jailbreak had used.

5. Early iOS 6 exploit was not a jailbreak. At the Hack in the Box conference in Kuala Lumpur earlier this month, Azimuth Security researchers Mark Dowd and Tarjei Mandt demonstrated a kernel exploit that allowed them to install and run Cydia--the package manager used to find and install apps on a jailbroken iPhone--on an iPhone 5 running iOS 6. But they noted that a kernel exploit alone is only one link in the chain: on its own it cannot deliver a usable jailbreak for iOS 6 devices.

6. Apple keeps locking down iOS. Unfortunately for would-be jailbreakers, iOS 6 will arguably be the toughest mobile Apple OS to crack. According to Dowd and Mandt's presentation, Apple has added a number of features that improve iOS 6 security: hardening the iOS kernel--the central component of the operating system--against exploitation, better protecting against memory and heap corruption, and strengthening stack overflow prevention. Apple also added information leakage mitigations, removing or zeroing the kernel addresses that some application programming interfaces (APIs) had previously returned to user space, which earlier kernel exploits had relied on to locate their targets. And Apple extended address space layout randomization (ASLR) to the kernel itself, so the kernel's location is no longer predictable and is harder to attack without a fresh information leak.

All told, these iOS 6 mitigations significantly raise the bar, according to the researchers, who noted that many of the old tricks don't work, including bugs that previously could have been exploited to help trigger a jailbreak.
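To show why the address-leak mitigations and kernel ASLR described above reinforce each other, here is an added toy model in C. It is not code from the article or from Dowd and Mandt's presentation, and the API name, structure layout, symbol address and slide value are all hypothetical: one "info" call hands a raw kernel pointer back to user space, the hardened variant zeros that field first, and the attacker-side routine shows how a single leaked pointer to a known symbol yields the kernel slide, and how it fails once the pointer is zeroed.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a kernel address leak and its mitigation.
 * All addresses and names are hypothetical; this is not iOS code.
 */

/* Unslid (link-time) address of a kernel symbol the attacker already
 * knows from the kernelcache on disk, e.g. a vtable or a zone struct. */
#define KNOWN_SYMBOL_UNSLID 0x80123456u

/* Record an info API hands back to user space about a kernel object. */
typedef struct {
    uint32_t object_id;
    uint32_t kobject_addr;  /* kernel virtual address of the object */
} kobject_info_t;

/* Leaky behaviour (hypothetical): the real, slid kernel pointer is
 * copied out, so user space learns where the kernel actually lives. */
void kobject_info_leaky(uint32_t kaslr_slide, uint32_t object_id,
                        kobject_info_t *out)
{
    out->object_id = object_id;
    out->kobject_addr = KNOWN_SYMBOL_UNSLID + kaslr_slide;
}

/* Hardened behaviour: the pointer field is zeroed before copy-out,
 * so the same call no longer reveals anything about the slide. */
void kobject_info_hardened(uint32_t kaslr_slide, uint32_t object_id,
                           kobject_info_t *out)
{
    (void)kaslr_slide;            /* never reaches user space */
    out->object_id = object_id;
    out->kobject_addr = 0;
}

/* Attacker side: a leaked pointer to a known symbol gives the slide as
 * the difference from that symbol's unslid address. Returns 1 on
 * success, 0 if the API handed back nothing usable. */
int recover_slide(const kobject_info_t *info, uint32_t *slide_out)
{
    if (info->kobject_addr == 0)
        return 0;
    *slide_out = info->kobject_addr - KNOWN_SYMBOL_UNSLID;
    return 1;
}

int main(void)
{
    const uint32_t slide = 0x00a00000u;   /* constructed sample slide */
    kobject_info_t info;
    uint32_t got;

    kobject_info_leaky(slide, 7, &info);
    if (recover_slide(&info, &got))
        printf("leaky API: slide recovered = 0x%08x\n", got);

    kobject_info_hardened(slide, 7, &info);
    if (!recover_slide(&info, &got))
        printf("hardened API: no pointer leaked, slide unknown\n");
    return 0;
}
```

The point of the model is the dependency: kernel ASLR only costs the attacker something while no API discloses a slid address, which is why closing the leaks and adding the randomization are presented as one package rather than two separate features.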

In Search of Jailbreaks

With the above discussion of jailbreaks, a caveat: there's a reason that information security managers discourage--if not actively block--jailbroken iPhones or iPads from accessing the corporate network. "What happens when you do jailbreak your phone--what does it do to the security architecture?" said Miller at RSA. "It turns out that it breaks everything. ... It turns off code signing, of course--that's why you jailbreak it. But code signing is tied to app permissions ... [and] all the things you download can run as root." In other words, once code signing is off, the app sandbox and the privilege separation that depend on it are gone too: an attacker who exploits one app on a jailbroken device can use it as a stepping stone to the rest of the device.

The JailbreakMe website, however, has this to say in its FAQ: "By itself, jailbreaking does not make you vulnerable. However, a common mistake for jailbreakers is to install OpenSSH but forget to change the passwords for root and mobile; this lets anyone log into your device over the Internet."

Miller, however, disagrees. "After jailbreaking an iOS device," he said, "you really increase the risk of something bad happening."


Justin Freid
User Rank: Apprentice
12/1/2012 | 4:14:59 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
Interesting coverage. Any chance at getting a one on one with a couple of the iOS hackers?
User Rank: Apprentice
10/16/2012 | 9:52:39 AM
re: 6 Reasons iOS 6 Jailbreaks Will Be Tough
Same shit, different day... nothing new in this article.
3 of the 6 "points" talk about JailbreakMe.com, which hasn't worked since iOS 4... so that info is outdated/useless. Also, let's say there is a current exploit: what self-respecting hacker would release it for iOS 6, which is known to all as garbage? So wait 'til Apple is done apologizing for iOS 6 and release it when Apple fixes their crap :)