Norton Internet Security for your iPhone. Coming soon...

If I wanted unreasonable slowdowns and crashes on my 3G, I'd install iOS 4, thanks.

Looks like you need to RTFA too. The current Safari app is how Apple intended it. The only problem is that it has a security hole any non-JBing person can accidentally fall into.
Well, having a security hole is not how Apple intended it... but yeah, the method that the Jailbreak uses is not supplied by the jailbreak, but in the code from Apple.

I must be missing something. Can someone point me to the article that says it could harm a non-JB'd phone?

appreciate it!
No article, but the fact is, this is being done simply by visiting a website on an iThing. Which means that there is a problem with Safari somewhere allowing programs to install themselves via the web which should not be happening.

Actually, it's more akin to changing the locks on your car and still expecting the manufacturer to fix the engine if it breaks.

Bad example. That would be more akin to apple saying "Voided Warranty" because of a new case.

Software can have a huge impact on the health of hardware.

Google "nVidia 196.75 Driver" if you don't believe me.

Take it up with Apple? Yeah. That's gonna get you "you were told not to do that."

Learn to read, please.
 
Known Security Holes Still Not Fixed

Whose code to trust here, Apple's or the hackers'... The choice is clear: Apple! ;)

The code in Apple's OS allows this kind of software. So if you trust Apple, then you trust someone who allows security holes. And such security holes are not new. They are predictable, in most cases, with specialized software tools which scan the source code for security risks.
 
Just having a look at the JavaScript source of the jailbreak method, and _getSunspiderInterval is one obscure function. It always returns 84 in Firefox, 11 or 12 in Safari and between 15 and 24 on Google Chrome. I assume it is a benchmark function derived from WebKit's SunSpider test to determine the speed of the processor in the device and hence a way to identify the device model. A lower number (milliseconds) means a faster CPU and it can be used to identify the hardware model as well as the ARM CPU version (6 or 7).

What's also interesting is that he does the following:

Code:
    // ssi is the SunSpider-style timing in ms; firmware and model are page globals
    var ssi = getSunSpiderInterval();
    window.location = "#" + ssi;
    if (ssi > 1625) {
        model = "iPod1,1";
    } else {
        // the threshold depends on the firmware string ("4.0" gets a lower one)
        if (ssi >= (firmware.indexOf("4.0") != -1 ? 800 : 1000)) {
            model = "iPod2,1";
        } else {
            model = "iPod3,1";
        }
    }

So, the higher the number, the slower the device. But, interpreting this code, the assumption is made that iOS 4.0 actually is a speed improvement over previous versions.

The actual exploit seems to lie in the PDF/image viewer, as after the identification of the device has been performed, a PDF is referenced based on firmware and device model (for example http://www.jailbreakme.com/_/iPhone2,1_4.0.pdf) which is then dynamically instantiated as an Image:

Code:
    // builds the per-device PDF path, e.g. "/_/iPhone2,1_4.0.pdf"; model and firmware are page globals
    function get_page() {
        return model == null ? null : ("/_/" + model + "_" + firmware + ".pdf");
    }
    window.page = get_page();
    ...
    // prefetch the PDF by loading it as an image
    if (window.page != null) {
        _ = new Image(window.page);
    }

Where it is later (in the jailbreak_real function) dynamically inserted as a hidden iframe (z-index -9999):

Code:
    // page is the PDF path computed above
    var a = document.createElement("iframe");
    a.setAttribute("src", page);
    ...
    document.body.appendChild(a);

The rest of the functions seem to handle the look and feel of the page, keep the page scrolled to its topmost position and handle orientation, so you will not be able to scroll down or see the actual iframe which is dynamically inserted.

So, it seems like a PDF/image viewer exploit to me?
 
Do you know that for a fact? Because it sure doesn't look like it. That exploit is regarding cascading filters on streams, not streams themselves. The PDF code you posted doesn't have any filters defined.

EDIT... I'm even more convinced that he's exploiting type services now that I looked at the PDFs.

According to a posting at slashdot.org:
"Yes it is. Just staring at some hexdumps, it's not a hole in the browser, it is a hole in PDF Type1C font loading. Escalates to kernel space via an IOSurface allocation bug. A malicious PDF (think iBooks...) could do far nastier things..."
 
According to a posting at slashdot.org:
"Yes it is. Just staring at some hexdumps, it's not a hole in the browser, it is a hole in PDF Type1C font loading. Escalates to kernel space via an IOSurface allocation bug. A malicious PDF (think iBooks...) could do far nastier things..."

In the hexdumps of the PDF (I am looking at iPhone2,1_4.0.pdf) you indeed see the following:

Code:
    <<
    /Subtype/Type1C
    /Filter[/FlateDecode]
    /Length 10706
    >>
    stream
    ......... (10706 bytes of binary code) .......
    endstream
    endobj
    15

The Type1C binary stream takes up almost the complete PDF (10706 bytes at offset 1112 out of 13283 bytes), so that must be the exploit and the code it is executing...
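The triage this post does by hand on a hexdump, as an added example written for this page (Python; not code from the thread, from the jailbreak, or from Apple): walk a PDF's stream objects, pick out the ones whose dictionary declares /Subtype/Type1C, inflate them, and flag a font stream that dominates the file, fails to inflate, or does not start with a CFF header. The PDF it scans is constructed in memory with made-up font bytes; it is not the jailbreakme.com file, and the 50% size threshold and the CFF header check (major 1, minor 0, hdrSize 4, offSize 1 to 4) are heuristics chosen here, not anything the post states.

```python
import hashlib
import re
import zlib

# Constructed sample inputs (not real fonts, not the jailbreakme.com PDF):
# a tiny blob with a plausible CFF header followed by filler, and an
# oversized, incompressible blob with a nonsense header.
BENIGN_FONT = b"\x01\x00\x04\x01" + bytes(range(32, 127)) * 2
SUSPICIOUS_FONT = b"\xff\xff\xff\xff" + b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(256))  # ~8 KiB of digest output


def build_sample_pdf(font_payload: bytes) -> bytes:
    """Emit a minimal PDF whose only stream is a Flate-compressed Type1C font,
    mirroring the object layout quoted above (/Subtype/Type1C, /Filter[/FlateDecode])."""
    compressed = zlib.compress(font_payload)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Sample /FontDescriptor 5 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Sample /FontFile3 6 0 R >>",
        b"<< /Subtype/Type1C /Filter[/FlateDecode] /Length %d >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Matches "N G obj << dict >> stream\n" without letting the dictionary run past
# an "endobj", so nested dictionaries in non-stream objects are not swallowed.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)


def scan_type1c_streams(pdf: bytes) -> list:
    """Return one record per stream object whose dictionary declares /Subtype/Type1C."""
    records = []
    for m in STREAM_OBJ_RE.finditer(pdf):
        obj_num, dictionary = int(m.group(1)), m.group(3)
        if not re.search(rb"/Subtype\s*/Type1C\b", dictionary):
            continue
        start = m.end()
        # direct /Length only; "/Length 7 0 R" (indirect) falls through to endstream search
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        raw = pdf[start:end]
        inflated, inflate_ok = raw, True
        if b"FlateDecode" in dictionary:
            try:
                inflated = zlib.decompress(raw)
            except zlib.error:
                inflate_ok = False
        records.append({
            "obj": obj_num,
            "stream_bytes": len(raw),
            "file_fraction": len(raw) / len(pdf),
            "inflate_ok": inflate_ok,
            "font_bytes": len(inflated),
            # CFF header: major=1, minor=0, hdrSize=4, offSize in 1..4 (heuristic, not a full parse)
            "cff_header_ok": inflated[:4] in {bytes([1, 0, 4, n]) for n in range(1, 5)},
        })
    return records


def triage(pdf: bytes, max_fraction: float = 0.5) -> list:
    """Flag Type1C streams that dominate the file, fail to inflate, or lack a CFF header."""
    flagged = []
    for rec in scan_type1c_streams(pdf):
        reasons = []
        if rec["file_fraction"] > max_fraction:
            reasons.append("font stream is %.0f%% of the file" % (100 * rec["file_fraction"]))
        if not rec["inflate_ok"]:
            reasons.append("FlateDecode stream does not inflate cleanly")
        if not rec["cff_header_ok"]:
            reasons.append("no CFF header at start of decoded font")
        if reasons:
            flagged.append((rec["obj"], reasons))
    return flagged


def demo() -> dict:
    """Run the triage over both constructed samples."""
    return {"benign": triage(build_sample_pdf(BENIGN_FONT)),
            "suspicious": triage(build_sample_pdf(SUSPICIOUS_FONT))}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "no findings")
```

To run it over a real file, pass `open(path, "rb").read()` to `triage()`. Object streams (/Type /ObjStm) and other filters are not unpacked here, so a font hidden that way would need a second pass; the point is the shape of the check, not a complete PDF parser.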
 
To me the community is better served by him reporting the bug and not by exploiting it so people can jail break their phones.

I don't care if people want to jailbreak their phones. I do care that one of the guys making it possible for people has such misaligned priorities.
 
True, but exploits from the web, where you can just surf to a page and get hit by it ("zero-day" exploits) are a bit more serious.

It's not any different with your desktop, you know? You still have to visit the particular site handling this exploit. I assume you don't go visiting random sites blatantly without taking any precautions. Same goes for your iPhone: don't visit sites you don't trust. If you happen to come across one anyway, just restore it and don't go there again, geez....
 
So we've confirmed that it's exploiting font loading. This becomes a bigger deal though if Apple had already patched this in MacOS and then reintroduced it (or never patched it) in iOS. See the Sophos link I posted earlier.

EDIT: Security Update 2010-003 fixed this (or a very related issue) for MacOS in June.
 
What I find interesting is that people who jailbreak have absolutely no idea whatsoever what they are actually installing on their devices when they install packages from 3rd party repositories. If Apple doesn't even have an automated app vetting process that will detect tethering apps hidden within flashlight apps, I highly doubt Saurik is vetting apps from repositories people are adding via Cydia.

And who is vetting the software that you install on your Mac or PC?

Come on. Most of the software in this world has not been approved by Apple and still everyone's alive and kicking. The reason why Apple desires full control over the iPhone's software biotope is not your security but the money they're pulling down with every app they sell.
 
Update to story

More technical details have emerged regarding the security hole that is being exploited in order for the jailbreak to be performed. The remote website presents a PDF that has a specifically crafted font embedded, and it is the processing of the embedded font that has the security issue. Interestingly, Apple had fixed a very similar issue in MacOS with Security Update 2010-003.
 
Just use the product as Apple intended it.

No one's impressed.

You know... at first I agreed with this standpoint. For months I've heard chatter about jailbreaking and just thought it was silly or unnecessary. Then I learned that AT&T wants to charge people extra to tether. Funny how they forced me to put an UNLIMITED data plan on my phone, then put up various road blocks to actually using it. Then, I learned that Apple blocks apps that AT&T doesn't deem appropriate and/or too bandwidth intensive. Not cool; why should Apple kowtow to AT&T's lame limitations, when those restrictions only exist with AT&T and not other carriers anywhere else in the world? It is MY phone, right?

Now don't get me wrong... I've actually never jailbroken my phone. But I see the reasons why people would want to -- both good AND bad. I no longer see it as silly or unnecessary, instead more looking at it like a necessary evil in some respects, and a power user move in others.

Cydia is probably going to make a ZILLION dollars on adult-oriented apps, and things that Apple has tossed aside. While they have their "user experience" code to stand by, they're also tossing aside profits. When Cydia releases financial numbers, and they will someday, who wants to bet how fast an Apple shareholders' lawsuit springs up?
 
I don't mind the JB community and have also done it as well. I don't use it anymore because I don't have a need for it. However I do have issue with a web-based JB. Like others have said, this shows a vulnerability on mobile safari that the bad guys could/will use. No I don't think the JB devs who give us the programs to JB with are bad guys at all.

If they had to rush this because they knew it worked on this mobile Safari security hole before Apple patched it, fine. Perhaps the pwnage iPhone 4 JB is harder than we know. I really hope that Apple closes this bug quickly. To the Dev Team: you know there is already a working process once you get into the system. Now release the pwnage tool. Keep it up, guys.
 
So, here's where I sit on this (example):

I have a Mac with Microsoft Office installed. One day it stops working. I take it to Apple, and they say it's a bad logic board, but they say "oh, we notice you installed Microsoft Office. We only cover the machine as long as it runs our software or software we specifically approve, so we can't cover this repair".

Obviously that's ridiculous. The 3rd party software did not cause the logic board to go bad in this case. The same can be said to a certain degree with jailbreaking.

Apple hasn't given any grief to jail breakers for this type of problem. As far as I know, they have even wiped iPhones and restored to factory defaults that had been jailbroken. As with everything, it is about balancing the risks and responsibilities. Apple doesn't want you to jailbreak, but they can't claim that it caused your battery to catch fire...
 
There is always a security concern when jailbreakers use a specific exploit. That is how this is played.

True. But there's a fairly significant difference between an exploit only exploitable by a computer attached to the iPhone by the USB cable and one that is exploitable merely by visiting a web site using it.
 
Okay, it's legal to jailbreak, sure. But it seems the US is the only place where people expect to be able to break the rules and still be protected by the manufacturer. I want to jailbreak the phone and still have Apple take care of me. I'm talking about jailbreaking in general here, not this specific incident. It's not about being controlled, it's about demanding imaginary freedoms.

This is like buying a car, taking out the engine, tires, brakes, transmission; replacing those with after market parts; then getting mad at the car manufacturer when things go wrong.

You jailbreak your phone, you're taking your chances. And yeah, just as the car manufacturer shouldn't honor their warranty, Apple shouldn't honor theirs if you do this.


The comparison is hilarious. It is not the engine, tires, ... that are getting replaced. Only the OS is being modified (hacked, if you want). Apple's stand seems to be more akin to a car manufacturer insisting what type of air freshener you should use inside the car, that you can only fill up with petrol/gas from the approved list of dealers (who pay a % of the revenue to the manufacturer!), that the warranty is void if you stick your favourite team's sticker on the car body, ....

And what happened to the legendary "I cannot catch viruses/spyware" position of Apple? Did it disappear with the release of iOS/iPhone OS?
 
The reason is that this doesn't require a computer. You could just think you're clicking a link that says "Happy Cat is Happy!!!" and it runs the exploit, extracts all your data and installs a trojan.

The other exploits generally require a computer that hacks firmware and executes the exploit and injects the code. It's far less likely that someone is going to write a malicious application that you have to download to your computer, somehow talk you into putting your phone into DFU mode and plugging it in, and then clicking run to take advantage of the exploit. :D

I can't believe you actually said that. The fact of the matter is that you don't know what is in the code.

It's pure ignorance to postulate that exhibit A of unknown code is somehow superior to exhibit B of unknown code simply because of the way it's packaged.

Just because you've grown comfortable with past releases of code-breaking software (created by someone who has absolutely no stake in the liability of their product) doesn't mean that you won't be taken advantage of in the future.
 
I've gone back and forth on jailbreaking my various iPhones over time.

Some installed settings and apps have led to instability on mine, some have been incredibly awesome (think LockScreenInfo and MyWi)

I think this whole debate would be solved if Apple had a tickbox, maybe in iTunes, that enabled "Advanced usage" or the like - with a clear disclaimer saying "Apple is not responsible for support blah blah blah"

This is the clearest distinction for me between Android phones and iPhones. The vast majority of consumers couldn't care less about "open OSes" and the like, but having a simple switch to enable that "open usage" would solve all these arguments.

My 2c :rolleyes:
 
I think this whole debate would be solved if Apple had a tickbox, maybe in iTunes, that enabled "Advanced usage" or the like - with a clear disclaimer saying "Apple is not responsible for support blah blah blah"

For some types of apps, there actually is such a switch. It's called an iPhone developer certificate. Buy it from Apple's web site for only $99. Install any app on your iDevice for which you have source code or can write. And that actually includes 2 paid support tickets for SDK developer questions.
 