Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/5/2010
08:30 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

iPad Hacked, Jailbroken

Unless you've been disconnected from the Internet, TV, and the free world - you know that Apple released the iPad. It only took about a day for a well-known iPhone OS hacking group -- the iPhone Dev team -- to Jailbreak the device using an unpatched security flaw.

Unless you've been disconnected from the Internet, TV, and the free world - you know that Apple released the iPad. It only took about a day for a well-known iPhone OS hacking group -- the iPhone Dev team -- to Jailbreak the device using an unpatched security flaw.According to early accounts, sales of the iPad have been success. According to Apple, more than 300,000 iPads were sold in the U.S. on the first day of availability.

Colleague Eric Zeman provided an excellent overview of the device at InformationWeek SMB.

The news of the Jailbreak came on April 4, via this Twitter update from iPhone Dev team member @MuscleNerd. The link displays a photo of a Unix-style prompt -- which generally means the hacker has gained full, root access to the device. With the iPad jailbroken, it's now possible to install applications by bypassing the Apple App store. That means it's possible to install applications not officially approved and vetted by Apple. But there's a steep cost: jailbroken iPads are no longer covered by their warranty and aren't eligible for OS updates.

There's been some speculation that the Jailbreak, dubbed Spirit, by the iPhone Dev team, is made possible by the same flaw that made it possible to jailbreak the iPhone OS 3.1.

Below is a video of the jailbroken iPad accepting terminal commands.

For my security and technology observations throughout the day, consider following me on Twitter.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: They said you could use Zoom anywhere.......
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13285
PUBLISHED: 2020-08-13
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issue reference number tooltip.
CVE-2020-16087
PUBLISHED: 2020-08-13
An issue was discovered in Zalo.exe in VNG Zalo Desktop 19.8.1.0. An attacker can run arbitrary commands on a remote Windows machine running the Zalo client by sending the user of the device a crafted file.
CVE-2020-17463
PUBLISHED: 2020-08-13
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
CVE-2019-16374
PUBLISHED: 2020-08-13
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
CVE-2020-13280
PUBLISHED: 2020-08-13
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.