iOS4 Jailbreak Method Brings Security Concerns

[Blorzoga]

There is an entire economy of scumbag hacker out there whose sole intent is to steal from others. They write viruses that extort virus repair software, they try to sell male enhancement pills, they pretend to be your bank or the IRS, and it's only a matter of time before they start attacking Apple devices. Hackers cannot be trusted to make a JB website that is only for the good of iphone users. They're all a bunch of lowlifes.

 

[Torrijos]

why not?

Well for starters lets say you jailbreak one of your devices and you use it as a wifi station, running its wifi chip hotter than usual.

You don't know how Apple decided for the layout of the chips, or how they calculated heat was going to be dissipated... Conclusion one part overheats and your device is toast (or blows ^^).

That failure would be a direct result of the user using the device in a way not intended by the people building it, but still we all know that you would end-up going to a store to get it changed, because people are so good with taking responsibility these days.
(In an old episode of AOTS Kevin Peirerra jokingly told that he drop his iPhone in a pool and still tried to get it changed, only to have the guy at the store seeing all the humidity indicators activated and still water inside the phone ^^)

 

[LEStudios]

Now they want to talk security?

This proves that Library of Congress are a bunch of morons! They didn't think about the security issues!

 

[Warbrain]

This proves that Library of Congress are a bunch of morons! They didn't think about the security issues!

They didn't prevent Apple from closing the holes. Jesus, understand the ruling before crying.

 

[tab47]

Think Different?

Apple has a rule about Jailbreaking ..... DONT DO IT!! it's really simple, don't break Apple rules.

It's kinda funny that your sig is "Apple! - Think Different" when you are telling everyone to not break rules. As I remember, the ad campaign was all about those who did break the rules.

"Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo..."

 

[rwilliams]

What do you expect to happen when you break Apple rules. The only reason I would see to jailbreak in the USA (since I live here) is to do FACETIME chats over 3G and to tether. I could care less about both. Jailbreaking has no other real killer feature, Apple has eliminated the need for inane people to jailbreak, which is a childish and pointless act atm

Um, this exploit is present in all non-jailbroken iPhones and iPod Touch devices.

 

[carmenodie]

This is big news and I guarantee you Apple is on it.

 

[rwilliams]

This proves that Library of Congress are a bunch of morons! They didn't think about the security issues!

Please tell us what the hell this has to do with a security hole that Apple left in their operating system.

 

[severe]

It's kinda funny that your sig is "Apple! - Think Different" when you are telling everyone to not break rules. As I remember, the ad campaign was all about those who did break the rules.

"Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo..."

'sup, N00b?

 

[Aleco]

It is a PDF Vulnerability, and it's called a PDF Bomb.

%PDF-1.3
%ƒÂÚÂÎßۆ–ƒ∆
[B]4 0 obj
<< /Length 631 >>
stream
q Q q 18 750 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT 0.0003 Tc
7 0 0 -7 534.7051 -768 Tm /F2.0 1 Tf [ (4/15/10 8:01 P) 1 (M) ] TJ ET Q q
1 0 0 -1 0 0 cm BT 7 0 0 -7 18 -768 Tm /F2.0 1 Tf [ (d) -0.4 (a) -0.2 (ta)
-0.2 (:) -0.4 (te) -0.1 (x) -0.3 (t/) -0.4 (h) 0.4 (tm) 0.4 (l) -0.1 (,) -0.4
( ) ] TJ ET Q Q q 18 40 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT
-0.0003 Tc 7 0 0 -7 555.6299 -43 Tm /F2.0 1 Tf [ (Pa) -1 (ge ) -1 (1) -1 ( )
-1 (o) -1 (f ) -1 (1) ] TJ ET Q Q q 18 190 576 560 re W n /Cs1 cs 1 1 1 sc
18 190 576 560 re f 0 0 0 sc q 0.8 0 0 -0.8 18 750 cm BT 16 0 0 -16 8 22 Tm
/F2.0 1 Tf ( ) Tj ET Q Q
endstream[/B]

It's using the Stream exploit found by Didier Stevens (http://blog.didierstevens.com/2008/05/19/pdf-stream-objects/).

 

[ViViDboarder]

What do you expect to happen when you break Apple rules. The only reason I would see to jailbreak in the USA (since I live here) is to do FACETIME chats over 3G and to tether. I could care less about both. Jailbreaking has no other real killer feature, Apple has eliminated the need for inane people to jailbreak, which is a childish and pointless act atm

Yea... First, already been said, but this exploit is on ALL iPhones.

Second... There's way more reasons to jailbreak than FaceTime over 3G and Tethering. I wouldn't use an iPhone without LockInfo, SBsettings and MobileTerminal to name a few. What if you're a developer and you want to make apps for your own personal use? I didn't feel like paying Apple $99/year just to install MY OWN CODE on MY OWN PHONE. So I jailbreak.

Okay, it's legal to jailbrake, sure. But it seems the US is the only place where people expect to be able to break the rules and still be protected by the manufacturer. I want to jailbreak the phone and still have Apple take care of me. I'm talking about jailbreaking in general here, not this specific incident. It's not about being controlled, it's about demanding imaginary freedoms.

This is like buying a car, taking out the engine, tires, brakes, transmission; replacing those with after market parts; then getting mad at the car manufacturer when things go wrong.

You jailbrake your phone, you're taking your chances. And yeah, just as the car manufacturer shouldn't honor their warranty, Apple shouldn't honor theirs if you do this.

Not like that at all. Nobody is jailbreaking their phone and then coming to Apple saying SBSettings isn't working!!! They come here to MacRumors and other people help them. If they have legitimate issues they restore their phones to stock Apple firmware and if the issues are still there they get Apple to check it out. It's not like we are ripping out our phones and soldering in new memory chips and bringing them into Apple. Software != Hardware

It's kinda funny that your sig is "Apple! - Think Different" when you are telling everyone to not break rules. As I remember, the ad campaign was all about those who did break the rules.

"Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo..."

I lold

 

[chim9999]

i must be missing something. can someone point me to the article that says it could harm a non-jb'd phone?

appreciate it!

 

[MH01]

Okay, it's legal to jailbrake, sure. But it seems the US is the only place where people expect to be able to break the rules and still be protected by the manufacturer. I want to jailbreak the phone and still have Apple take care of me. I'm talking about jailbreaking in general here, not this specific incident. It's not about being controlled, it's about demanding imaginary freedoms.

This is like buying a car, taking out the engine, tires, brakes, transmission; replacing those with after market parts; then getting mad at the car manufacturer when things go wrong.

You jailbrake your phone, you're taking your chances. And yeah, just as the car manufacturer shouldn't honor their warranty, Apple shouldn't honor theirs if you do this.

its actually like removing a speed restriction imposed by the manufacturer (like japanese made cars that are restricted to 180). This is a software hack, not hardware. And frankly jailbreaking does not damage the hardware, if something goes wrong with the phone, restore and get it fixed.

 

[gopherhockey]

If every security hole Microsoft had generated this much discussion this forum would be so full of posts and threads it would become useless.

Interesting just how much attention Apple gets these days. (even Android for that matter, with their little screen saver snafu last week)

Just sayin'

 

[Reed Rothchild]

There is always a security concern when jailbreakers use an specific exploit. That is how this is played.

Precisely. Jailbreaking is inherently reliant on security holes. Though this current exploit seems on the surface to be more open to abuse, any of the previous jailbreak exploits could also have done serious harm to your phone if wrapped up in a similarly benign package. Not sure why this one is particularly newsworthy.

 

[rwilliams]

i must be missing something. can someone point me to the article that says it could harm a non-jb'd phone?

How do you think the jailbreak was able to work in the first place? It used a vulnerability found in non-jailbroken phones. So if comex's code could execute on your non-jailbroken phone, there's no reason that a malicious hacker's code couldn't do the same using the exact same vulnerability.

 

[ViViDboarder]

If every security hole Microsoft had generated this much discussion this forum would be so full of posts and threads it would become useless.

Interesting just how much attention Apple gets these days. (even Android for that matter, with their little screen saver snafu last week)

Just sayin'

Popular platforms are always the targets of exploits. The rise in popularity of the iPhone and Android are exactly why these exploits make such big news. Also it scares people that they have so much personal info on their smartphones these days that might be vulnerable to some nefarious hacker.

 

[NakedPaulToast]

Apple will most likely have a fix, perhaps as soon as 4.1.

But what about 3G owners who's devices simply won't run iOS 4.x. You remember those guys, a lot of them upgraded to 4.0 and they were called idiots because they should have known that iOS 4.0 would perform poorly on their "obsolete" device.

So they now they have the choice use an insecure device, or an intolerably slow device.

But, they better not complain, not here anyway. Because then they'll get shouted down, being told to upgrade, and Apple shouldn't have to support legacy devices.

Completely, neglecting the fact that this "legacy" was the the only Apple phone one could buy about 13 months ago, and still being sold new by Apple up to about a month ago. Upgrading is also not a realistic option because when many bought their new 3G device they were locked into a 2 or 3 year contract.

 

[ViViDboarder]

Precisely. Jailbreaking is inherently reliant on security holes. Though this current exploit seems on the surface to be more open to abuse, any of the previous jailbreak exploits could also have done serious harm to your phone if wrapped up in a similarly benign package. Not sure why this one is particularly newsworthy.

The reason is that this doesn't require a computer. You could just think you're clicking a link that says "Happy Cat is Happy!!!" and it runs the exploit, extracts all your data and installs a trojan.

The other exploits generally require a computer that hacks firmware and executes the exploit and injects the code. It's far less likely that someone is going to write a malicious application that you have to download to your computer, somehow talk you into putting your phone into DFU mode and plugging it in, and then clicking run to take advantage of the exploit.

 

[jordanh91]

Ugh.... I wish we could have nice things instead of having EVERYONE MAKE THE EXPLOIT A BIG DEAL. /rage



Seriously though. Stop talking about the exploit.

And no, I'm not trolling. I just want everyone to be able to jailbreak.

 

[carmenodie]

What I find foolish is the ones that are JBing their iphone with a hacker's code. How stupid do you have to be. I was on Engadget last night and there were so many folks saying they were downloading the latest JB code for the iphone. Not one said anything about being baited by cyber thieves. What a bunch of ******s.
The JB community is so happy right now but behind the closed door they haven't nary a clue as to who is REALLY behind this sh**. I can't wait until they get handed their a** on a silver platter. Meh!

 

[noxtos]

There's a fix for the PDF exploit, but of course only for jailbroken phones. Who said jailbreaking imposes sercurity risks?

http://www.funkyspacemonkey.com/fix-pdf-exploit-jailbreaking-jailbreakme

 

[ViViDboarder]

What I find foolish is the ones that are JBing their iphone with a hacker's code. How stupid do you have to be. I was on Engadget last night and there were so many folks saying they were downloading the latest JB code for the iphone. Not one said anything about being baited by cyber thieves. What a bunch of ******s.
The JB community is so happy right now but behind the closed door they haven't nary a clue as to who is REALLY behind this sh**. I can't wait until they get handed their a** on a silver platter. Meh!

Except that if this were going to be malicious so would all the jailbreaks. There are a group of trusted people who have been doing this for years. Nothing has happened so far. People would be skeptical if someone came out of the woodwork and released a "tool". I'd think we'd already be seeing the aftermath of the first jailbreak exploit being a virus if it was actually.

So really... Who's the ******? Someone choosing for themselves to run 3rd-party code on their phone that in no way effects any other user? Or you calling them stupid, foolish and wishing ill upon them?

EDIT: And one other thing... What does knowing who it was have anything to do with it? Name the developer who wrote Contacts for iOS4.

 

[Peace]

There's a fix for the PDF exploit, but of course only for jailbroken phones. Who said jailbreaking imposes sercurity risks?

http://www.funkyspacemonkey.com/fix-pdf-exploit-jailbreaking-jailbreakme

So there's another hackers code to fix the first hackers code.

Lovely.

 

[rwilliams]

There's a fix for the PDF exploit, but of course only for jailbroken phones. Who said jailbreaking imposes sercurity risks?

http://www.funkyspacemonkey.com/fix-pdf-exploit-jailbreaking-jailbreakme

Kinda funny that jailbroken phones will have the exploit closed before the non-jailbroken phones will.