Correct.

And the number of people that installed 3rd party hacks and took the poll on one of the most popular mac web sites....

http://www.macpolls.com/?poll_id=560

4,851

Out of 1.X million iphones.

Actually, if you look at the stats on that poll:
31% Installed Apps
29% Didn't install apps
40% Don't own an iphone

That would mean that 50% of the respondees, who had iphones, had installed 3rd party applications... It would be as unfair to extrapolate these stats up to the entire iphone user base (as macpolls readers may be biased), but your argument is bs.

Between the apptap/installer download stats and this survey, it's probably fair to suggest that 5-10% of iphone users may have used some 3rd party applications. That's a few more than "5000" users and quite a feat, when you consider the process involves hacking... You would have to be pretty blinkered to presume that the only people this appeals to are hackers and geeks.

J
 
This is a CE device. The majority of people buying it have no interest in hacking it. They're too busy working or using their iPhones productively to hack it so they can run an NES emulator. Woohoo!

You're living in a fantasy land if you think 50% of iPhone customers are hacking their phones. Try .5%.

I didn't say it was 50%, just saying that if that even 1% is still a large number of people (about 10,000 for every 1,000,000). And don't forget the people who may not have hacked their phones, but wanted to. Just b/c people don't do something doesn't mean they don't WANT to.

Sounds like the kid who thinks that if he tantrums enough, his parents will give him what he wants. Utterly puerile logic.

What if throwing a tantrum actually works? In my experience, sometimes the only way to get things done is by throwing a tantrum. Many people today are just too apathetic to do anything. They may say that's too difficult, not worth the effort. That's BS, IMO. Sure, some things can't change, but people have got to try.

While I agree with those who say Apple shouldn't open up right away, they should still open up the iPhone & iPod Touch sometime.
 
"It let US create...", as in Apple, not as in random hacker. Sure, down the road, Apple might release an SDK or start working with a handful of blessed developers. All possible. But that's pure speculation and has nothing to do with "jailbreaking" the phone.

Don't backtrack...

I never said anything about third party applications, I just pointed out that the iPhone was not the same as the iPod in that it was created with the intention of expansion.

You replied by saying that just because it has OS X on it didn't mean there'd be any future application development.

I never made any qualifiers about third party apps, I was simply trying to say the iPhone is far from the static device the iPod originally was.
 
Between the apptap/installer download stats and this survey, it's probably fair to suggest that 5-10% of iphone users may have used some 3rd party applications. That's a few more than "5000" users and quite a feat, when you consider the process involves hacking... You would have to be pretty blinkered to presume that the only people this appeals to are hackers and geeks.

You bring up excellent points, but I'm afraid those that don't want to see and hear will continue covering their eyes and ears.
 
Woot! Sort of. Well, I def. consider this good news :)


edit: does anybody know what this means for iPhone AT&Tless activation? I've been waiting to buy an iPhone until the thing can be activated without AT&T service....

You "good news" guys are nuts. This requires a security hole in Safari and we should not be applauding such flaws, rather clamoring for Apple to fix them; and they will asap. 1.1.2 can't be far away. And that security patch will be the good news.

to respond to your edit: if you don't want ATT, don't buy this phone. There are other non-Apple choices. Sprint/Nextel lost 300,000 subscribers last year or so according to Sprint news releases, and many went to ATT and Verizon. If iPhones didn't sell well due to the ATT connection, you can bet that the deal would be renegotiated. But when you buy one, even if you intend to unlock it, the Apple and ATT is reinforced and they think it is working.

Eddie O.
 
Yep, this is certainly a very temporary situation. It would be impossible to imagine Apple won't close this hole, since it is a security issue.

If I had time, I'd explore how a malformed TIFF could gain you root access. Anybody have a 3 sentence summary?

Edit: Someone said "Apple Approved" applications. Why does Apple have to approve them? They don't for regular Mac applications, thank god. If all apps have to go through some certification scheme, we'll be limited to what we get. In the end, don't install shady apps from shady people (like always) and you'll be fine!

Yes, see my previous posts in the "Preliminary iPhone 1.1.1 'Jailbreak', Ringtones Soon?" thread.

The way most of these work is that they change the size or the repeat count specified in the data structure of the TIFF file so it looks reasonable, then they change the actual size of the byte string to a huge number of characters. The code of the decoder only implements a small amount of data validation and copies the huge string into an area of memory that is much smaller (due to the lie on the size). This corrupts memory and sooner or later it blows. If they know exactly what is in that memory they can figure out where the return address is in the stack. By overwriting the stack so the return address from the routine call points to the malicious code that is part of the "TIFF file", they fool the system into executing the code. This is a very old technique.

How they get root???? Well Apple is running all the code as root, so taking over any application or process results in root access.

Also this could have been mitigated if they were marking some of the memory as non-executable. Some of the CPU(s) have this facility so if they overwrite a section of memory that is not executable, the hack will not work.

Not sure who their security guy is but I wish I had his phone number.
 
This means two things, I think
  1. there is an error (bug) in the TIFF reader library some place and,
  2. They are running safari as root.

Both of the above should be embarrassing to Apple.

The iPhone OS supports sandboxing (as will Leopard), which (in theory) should prevent a vulnerable application from being able to do very much. Jobs even highlighted Safari on the iPhone being sandboxed at one of the talks.

Maybe it's not quite done yet.
 

Attachments: Sandbox.png, SandboxDescription.png
 
What if throwing a tantrum actually works? In my experience, sometimes the only way to get things done is by throwing a tantrum. Many people today are just too apathetic to do anything. They may say that's too difficult, not worth the effort. That's BS, IMO. Sure, some things can't change, but people have got to try.

Well, I don't think a tantrum ever gets you what you want. And it certainly never earns you respect.

The only way third party application development is EVER going to happen for the iPhone is if Apple releases an SDK. Otherwise, hack it all you want, but you constantly run the risk of Apple shutting you down. And I don't know about you, but I use/buy third party applications because they add value and I know they will work. I wouldn't bother with a third party app that I knew might one day (soon) be rendered inoperable by a system update. What's the point?
 
Yep, this is certainly a very temporary situation. It would be impossible to imagine Apple won't close this hole, since it is a security issue.

If I had time, I'd explore how a malformed TIFF could gain you root access. Anybody have a 3 sentence summary?

Edit: Someone said "Apple Approved" applications. Why does Apple have to approve them? They don't for regular Mac applications, thank god. If all apps have to go through some certification scheme, we'll be limited to what we get. In the end, don't install shady apps from shady people (like always) and you'll be fine!

Three things:
The iPhone runs OS X but is not a Mac
The iPhone is not protecting memory appropriately
The iPhone is running the applications as root

Any program can step all over all the data and other programs. That is why they need approval. iPhone is not the same as a Mac and is not as secured.
 
I unlocked mine, and it is still 1.0.2 (as I fear that upgrading to 1.1.1 will brick it!) --

Is anyone else in this situation? I mean I love having it unlocked and with all the apps, but sure I'd like to have my cake and eat it too (unlocked/apps, AND 1.1.1)...

Thanks!

When Leopard comes out you are going to miss a lot of nice features by not upgrading the iPhone. Since you did unlock it, you risk a brick.
 
Yep, this is certainly a very temporary situation. It would be impossible to imagine Apple won't close this hole, since it is a security issue.

If I had time, I'd explore how a malformed TIFF could gain you root access. Anybody have a 3 sentence summary?

Edit: Someone said "Apple Approved" applications. Why does Apple have to approve them? They don't for regular Mac applications, thank god. If all apps have to go through some certification scheme, we'll be limited to what we get. In the end, don't install shady apps from shady people (like always) and you'll be fine!

Apple wants to "approve" applications, or at least put them in a secure container to avoid the nightmare that 3rd party applications are on the Palm phones. As far as I can tell, 100% of Palm 3rd party applications break something and/or make the phone unreliable.

Key to a good user experience on any cell phone is as close to 100% reliability as you can get. And anything which freezes or otherwise lowers that standard is perceived by users to be the manufacturer's problem; no one seems to blame that cool game they just installed, or that Word document reader. Apple wants to avoid that issue by controlling what goes onto the phone.

If all the folks putting random 3rd party applications on the phone were sophisticated and understood who to blame when it all broke, Apple might ease up. But that is not the case. Folks will install all manner of junk and blame Apple when the phone fails to perform as expected. And as we've seen by the "unlock" hacks, if the 3rd party application messes with things too deeply, such things may actually make it difficult for Apple and/or the user to restore it back to its virgin state again. It's sort of like pernicious viruses on Windows: once they are there, some of them are exceedingly difficult to eradicate.

Eddie O
 
Yeah I agree! I don't get all the hype on this! I can see it now. People install a bunch of apps on their iPhone and iPod Touch and several weeks later Apple puts out an irresistible update and wham, all the crying begins again! It's like people are a glutton for self-punishment! A never-ending cycle!

Until Apple puts out an SDK I for one would not want to play this game! Good Luck All! :rolleyes:

And unfortunately we have to hear their cries over and over again.
 
Now that 1.1.1 is known to be jailbreakable and through a safari vulnerability at that, I wonder what kind of features 1.1.2 Apple will bring us to entice the 1.1.1 and 1.0.2's to upgrade?

I'm not 100% on this, but basically, when Safari loads the TIFF it places it in the memory heap. Executable instructions are actually allowed to be run from the heap. This means that if the TIFF contains "malicious" code, and the hacker is able to direct the program execution to an address in the heap, the malicious code will be executed. So basically the problem for the hackers has been to redirect the program counter to an address in the heap, which was a bit tricky due to the return address being stored in a dedicated register.

Someone please correct me if I'm wrong.

Sounds complicated. So you must be right. :p
 
Welcome to the age of entitlement and victimhood, please be sure to pick up your free copy of 'Who Can I Blame for Everything Wrong in My Life?' and its best selling sequel, 'Everyone Who Won't Let Me do What I Want to do is Evil!'

Expand on that, it looks great. More please.
 
Basing this sort of hack on a vulnerability seems silly. Now it's in the open, Apple will do their best to patch the vulnerability as a vulnerability, which will close that door on the jailbreak, and frankly I'm glad. As a user with no hacks, I want the security vulnerability patched.

Your statement is illogical, in that ANY sort of Jailbreak hack will be regarded as a vulnerability by Apple, and will be patched. Apple will likely always patch against jailbreak methods because jailbreaking aids in the unlocking process.

As a user with no hacks, this publicity means Apple is now aware of the vulnerability and will patch it sooner than later.

For users desiring to hack 1.1.1, they will soon be able to Jailbreak and later can decide whether to install future updates. Everybody wins.
 
What I think is interesting is that this is bringing the firmware hacking communities more into the mainstream consciousness. The PSP has a HUGE custom firmware scene, but since PSP's marketshare is kinda low, few outside the PSP community know about it. Similarly, the xbox modding scene is pretty unknown to those that don't own Xboxes.

Here, tons of people seem to be installing jailbreak, etc. on a media darling device, thereby upping the general exposure of people hacking devices beyond their original application.

I wonder how public the back and forth between the dev team and Apple will become.

-p-
 
I remember reading other iPhone threads and there have been several posts that said that if you're not happy w/ the iPhone or how Apple handles it, get a different phone. That's a little BS b/c what if there's no phone out there you ARE happy with? I can understand these companies will want to do something a specific way, but it is we, the consumers, who should drive what features an item has, not necessarily the companies. Sure, some people want unrealistic things, but many things (like an NES emulator, IM app, etc.) are all very possible. So Apple & all companies should be more attentive to what people want and give them it.

Consumers vote with their wallet, those that whine should have some cheeze.

If the iPhone is not what you want, send Apple a letter, even better, get all your friends to write to them also. In the meantime, you and your friends don't buy the iPhone.

Locked phones have been around the US for many years. Why is it not illegal, unfair, etc., for other phones, but for the iPhone it is like they killed the family because you spit on the sidewalk?

It's a great phone, but let's be fair here.
 
Okay, this is a good first step. Like people have said, though, Apple will patch this. Still, 1.1.1 is seized. Can they now install decryption on it and find the appropriate keys? That would be my next step, although I don't know anything about hacking computer software :p

-Clive

Well, they would probably just change the key, even if you could get it from the opened up 1.1.1 OS. As well as hide it in a different way in the update.

And from what I have read, for all practical purposes you cannot brute force the key (takes a billion years or whatever.)

There are a couple of positives even if Apple patches the OS-

1. All this talk about hacking and unlocking and bricking leads to negative PR for Apple (undeserved or not). Adding more Apple apps, or establishing a 3rd party development system, would significantly decrease the amount of effort to jailbreak future OS updates. Most users and developers would be content to go with the Apple-provided solution, even if it's not quite as open.

2. In order to get as much of the user base to update as possible, Apple will likely include little carrots (i.e. new features) with each update. I know they were planning to anyway, but hopefully this will accelerate the timetable.
 
I would have to assume that Apple is also aware of this security issue and is probably working to fix it. Which means we should probably expect another iPhone update within the near future to patch this security hole.

Agree, but images have been the bane of many web browsers for years. Not a single browser performs proper data validation of images. I expect a few more hacks like this. It is costly (CPU and time) to perform a proper data validation of a complex file such as images. MS has the problem (over and over), Linux does, Apple does, and Netscape does, hell even Sun does.

Nobody I know does full and proper data validation of complex objects. The encryption was a good first step, now they have to turn on memory protection and stop running everything as root.
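
The length check that the TIFF explanations earlier in this thread describe as missing, and the kind of validation the post above asks for, sketched as an added example; it is not part of any post here and is not Apple's or any real decoder's code. The function name `tiff_copy_field`, the error codes and the sample file are this example's own, and it handles only little-endian TIFF and the first directory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example: bounds-checked read of one TIFF directory entry.
   Little-endian ("II") files only; the error codes are this example's own. */
enum { TF_OK = 0, TF_BAD_HEADER = -1, TF_TRUNCATED = -2, TF_BAD_TYPE = -3,
       TF_OUT_OF_FILE = -4, TF_TOO_BIG = -5, TF_NOT_FOUND = -6 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
/* Byte width of TIFF field types 1..12 (index 0 is unused). */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Constructed sample: one ASCII field (tag 0x010E), 6 bytes stored at offset 26. */
static const uint8_t sample_tiff[32] = {
    'I', 'I', 42, 0, 8, 0, 0, 0,               /* header, first IFD at offset 8 */
    1, 0,                                      /* one directory entry */
    0x0E, 0x01, 2, 0, 6, 0, 0, 0, 26, 0, 0, 0, /* tag, type, count, offset */
    0, 0, 0, 0,                                /* no further IFD */
    'h', 'e', 'l', 'l', 'o', 0 };

/* Copy the value of `tag` from the first IFD into dst (capacity dst_cap). */
int tiff_copy_field(const uint8_t *file, size_t file_len, uint16_t tag,
                    uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (file_len < 8 || file[0] != 'I' || file[1] != 'I' || rd16(file + 2) != 42)
        return TF_BAD_HEADER;
    uint32_t ifd = rd32(file + 4);
    if (ifd > file_len - 2)                    /* room for the entry count? */
        return TF_TRUNCATED;
    size_t n = rd16(file + ifd);
    if (n * 12 > file_len - 2 - ifd)           /* all 12-byte entries inside the file */
        return TF_TRUNCATED;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = file + ifd + 2 + i * 12;
        if (rd16(e) != tag) continue;
        uint16_t type = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        if (type == 0 || type > 12)
            return TF_BAD_TYPE;
        /* 64-bit product: count comes from the file and must not wrap. */
        uint64_t len = (uint64_t)count * type_size[type];
        if (len > dst_cap)                     /* declared length vs. real buffer */
            return TF_TOO_BIG;
        const uint8_t *src = e + 8;            /* values of <= 4 bytes are inline */
        if (len > 4) {
            uint32_t off = rd32(e + 8);
            if (off > file_len || len > file_len - off)
                return TF_OUT_OF_FILE;
            src = file + off;
        }
        memcpy(dst, src, (size_t)len);
        *out_len = (size_t)len;
        return TF_OK;
    }
    return TF_NOT_FOUND;
}

int main(void) {
    uint8_t buf[16]; size_t n = 0;
    return tiff_copy_field(sample_tiff, sizeof sample_tiff, 0x010E, buf, sizeof buf, &n);
}
```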
 
So...choose...be happy with what they are offering which is good but not quite yet everything you want it to be...or go with another phone which you've already said isn't what you want either...or...wait.

Patience...is a virtue.

I would amend that to say 'Buy it if you want, and hack it if you want, but accept that you are doing it on Apple's terms.' You know that future updates may tighten security or brick unlocked phones, so it's not Apple's fault if that happens.

No one's going to tell me what I 'should' or 'should not' do with my property (as long as it's not breaking any laws), but I accept the consequences of my actions.
 
Why is it any of your business or concern what people do with the things they buy themselves?

I'd also like to point out (for the "OMG illegal hax" crowd) that Apple doesn't make you sign a contract when you buy an iPhone in a store. You hand over cash and you get a box - on planet Earth, we call that a sale. Additional terms imposed on the purchaser after the conclusion of the sale are essentially unenforceable. That's right, kids: most EULAs are unenforceable in non-UCITA states. Look it up.

Please don't use facts and big words on the iBots, you'll overheat them.
 
a word about numbers...

Actually, if you look at the stats on that poll:
31% Installed Apps
29% Didn't install apps
40% Don't own an iphone

That would mean that 50% of the respondees, who had iphones, had installed 3rd party applications... It would be as unfair to extrapolate these stats up to the entire iphone user base (as macpolls readers may be biased), but your argument is bs.

Between the apptap/installer download stats and this survey, it's probably fair to suggest that 5-10% of iphone users may have used some 3rd party applications. That's a few more than "5000" users and quite a feat, when you consider the process involves hacking... You would have to be pretty blinkered to presume that the only people this appeals to are hackers and geeks.
J

His argument is bs but yours, using pure guesses as to numbers, isn't? In one sentence you use "probably fair", "suggests", "may"; not exactly a definitive number. Plus you can't add numbers from different sources for a total, because you don't have any idea at all how many duplicate responses there are. In the only actual poll (methodology aside) "5000" is 0.05%--so yes it appears to only appeal to hackers and geeks AT THIS POINT, not mainstream users.
 
That's exactly the point - most of us DON'T CARE what you do with your phone.
Just don't come back and complain about the potential damages YOUR actions have created. Deal?

Why assume that everyone who wants to jailbreak their iPhone or Touch is going to whine about future Apple updates?

And Apple updates have not bricked any jailbroken iPhones (meaning capable of adding 3rd-party apps), they've only bricked unlocked iPhones. 2 totally separate topics, from both technical and business perspective.
 
I've got 2 brand spanking untouched iPhones, I believe both v1.02, which I've been holding off jailbreaking/unlocking for some weeks now. I'm in the UK and do not want an O2 contract. With Leopard just around the corner, I'm wondering what to do - as when I upgrade (on the day it's released) I will no longer have the necessary version of iTunes installed (v7.4.1) (although I do have an old PC, I'd prefer to not have to PC sync).
It's 1 thing to not update the iPhone, but to be unable to sync it or even upgrade my Mac to Leopard is another. :apple:

Sell them, you can buy the new version later when it is officially unlocked.
 