It wasn’t long ago – just a month in fact – that Apple’s iOS mobile operating system was being called the ‘Most secure OS. Period.’ A few weeks later, and the security of that OS has fallen (again) to the talents of Comex, an as-yet-unnamed mobile device hacker whose work is attracting kudos from some of the world’s top hackers, vulnerability researchers and exploit writers.
Jailbreakme 3.0 was released on Tuesday allowing even casual users to disable content protections that limit the kinds of applications and features that can run on Apple iOS devices including the iPad, iPhone and iPod Touch. The new JailbreakMe tool circumvents advanced security features that were added with iOS Version 4.3 in March.
The update, which leverages a flaw in the way Apple’s Mobile Safari Web browser loads PDF (portable document format) files, was available from the JailbreakMe Web site on Wednesday, allowing iOS users to jailbreak their device simply by visiting the page – a so-called “untethered jailbreak” because the devices did not need to be connected to a computer first in order to be jailbroken.
In order to defeat the new protections built into iOS, the author, who uses the handle “Comex”, discovered a vulnerability within iOS that allowed him to circumvent two features designed to prevent hackers from undermining the security of devices: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Similar to features in modern operating systems like Windows and OS X, ASLR randomizes the location of key components in the memory address space used by active processes. That makes it much harder for attackers to locate elements such as the executable, libraries and memory stacks and heaps that are necessary to run custom or malicious code. Data Execution Prevention (DEP) is another feature that prevents unauthorized code from running: it refuses to execute instructions from memory regions marked as data, which defeats the usual pattern of using a buffer overflow to load attack code into memory and then executing it.
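Both mitigations can be observed directly on a Linux host. The program below is an added example written for this article; it is not code from Threatpost, Apple or Comex, and the function names (try_execute_page, mapping_base, aslr_policy) are mine. It assumes Linux on x86-64 or aarch64 with /proc mounted. It writes a single `ret` instruction into an anonymous page and calls it: while the page is read/write only, the CPU faults, which is DEP (NX) enforcing that data is not code; once the same page is remapped executable, the same bytes run and return normally. It also reads the kernel’s ASLR policy and the current stack and heap bases, which change from run to run when ASLR is on.

```c
/*
 * Added example (not from the article, Apple or Comex): observe DEP/NX and
 * ASLR on a Linux x86-64 or aarch64 host.  Compile: cc -o mitigations mitigations.c
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE 4096

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_fault(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);          /* unwind out of the faulting call */
}

/* Map one page, place a `ret` in it, apply `prot`, then call it.
 * Returns 1 if the call faulted (DEP enforced), 0 if the instruction ran,
 * -1 if the kernel or an LSM refused the mapping. */
int try_execute_page(int prot) {
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_insn[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
    static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#   error "add the `ret` encoding for this architecture"
#endif
    void *page = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);         /* write the "code" as data */
    if (mprotect(page, PAGE, prot) != 0) { munmap(page, PAGE); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + PAGE);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer */
        fn();                            /* returns at once if the page is executable */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, PAGE);
    return faulted;
}

/* Start address of the first /proc/self/maps entry whose path ends in `tag`
 * (e.g. "[stack]", "[heap]", "libc.so.6"); 0 if not found. */
unsigned long mapping_base(const char *tag) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    unsigned long base = 0;
    size_t taglen = strlen(tag);
    while (fgets(line, sizeof line, f)) {
        size_t n = strlen(line);
        while (n && (line[n - 1] == '\n' || line[n - 1] == ' ')) line[--n] = '\0';
        if (n >= taglen && strcmp(line + n - taglen, tag) == 0) {
            base = strtoul(line, NULL, 16);   /* line is "start-end perms ... path" */
            break;
        }
    }
    fclose(f);
    return base;
}

/* Kernel ASLR policy: 2 = full (default), 1 = no heap randomization, 0 = off;
 * -1 if the sysctl is unreadable. */
int aslr_policy(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

int main(void) {
    printf("ASLR policy (randomize_va_space): %d\n", aslr_policy());
    printf("stack base: 0x%lx  heap base: 0x%lx  (run twice: they move under ASLR)\n",
           mapping_base("[stack]"), mapping_base("[heap]"));
    printf("exec from RW page: %s\n",
           try_execute_page(PROT_READ | PROT_WRITE) == 1 ? "faulted (DEP enforced)" : "ran (no DEP)");
    printf("exec from RX page: %s\n",
           try_execute_page(PROT_READ | PROT_EXEC) == 0 ? "ran" : "faulted");
    return 0;
}
```

Run it twice and compare the stack and heap bases: they should differ on a default Linux configuration (policy 2). A return of -1 from try_execute_page means the kernel or a security module such as SELinux refused to create an executable anonymous mapping, which is itself a stricter form of the same mitigation.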
The exploit is the first known to defeat and circumvent both ASLR and DEP in iOS, said Charlie Miller, a principal research consultant at Accuvant Labs and the winner of the 2011 Pwn2Own contest with an exploit of Apple’s iPhone 4.
“iOS is pretty secure – arguably the most secure mobile operating system. So you’ve got to wonder ‘how did this dude totally circumvent it?’” Miller wondered in a phone interview with Threatpost.
The answer, he said, is with a rare and novel vulnerability that allowed Comex to determine where critical components needed to defeat iOS’s content protection features were loaded in memory on the device.
Comex did not respond to e-mail requests for an interview from Threatpost.com.
“ASLR and DEP are about making things hard. They make a lot of bugs useless. But (Comex) found a really special bug,” he said.
Miller said the availability of the jailbreak doesn’t mean that iOS’s security is broken, however.
“It’s still a very secure operating system. It still has a lot of security in place,” he said. However, the hole discovered by Comex could be used maliciously if it fell into the wrong hands. To address that possibility, Comex has issued his own patch for the hole, which can be applied after the phones are jailbroken. Previous jailbreaks haven’t led to malicious programs, but that doesn’t mean such a leap is impossible. Quite the contrary.
“It would be very easy to change his code to be malicious,” Miller told Threatpost. “If you’re worried about that, you should download (Comex’s) patch and apply it.”
In the absence of a similar patch from Apple, that means that jailbroken iOS devices are actually better protected than non-jailbroken phones, at least for the time being, according to Miller.
In the meantime, Miller and others took to Twitter to offer congratulations to the iPhone Dev Team and, especially, Comex for his work. The master mobile device hacker has more than 166,000 followers on Twitter and is believed to be 18 years old and a student. He used the JailbreakMe.com Web page to solicit donations to help pay his way through Brown University and internships for the Summer – facts that were met with laughter by Miller.
“Internship? I’d hire him today,” he said. “Go to college and we’ll pay you to work for us in the Summer – or just keep working for us during the year,” he said. “He’s broken all the security that Apple has.”
Indeed, companies and universities are struggling with a shortage of talent in areas like mobile device security.
Comex’s talent lies both in finding vulnerabilities and in creating exploits for them, Miller said. A talent for either is rare enough. But few people are good at both.
“Bug finding is about looking for the needle in the haystack. You’ve got tons of code – can you find the weird little use cases that nobody checked? You’re fuzzing and then reverse engineering. But exploit writing is about understanding the operating system: how things fit together. How the memory manager works and how to fit things into the system without making everything fall apart. It doesn’t matter if you have a bunch of bugs. You still have to get the code right.”
And, with a user population as large as that for iPhone, untethered exploits have to work perfectly to avoid raising the ire of the iPhone and iPad masses, he said.
And, while users warned that JailbreakMe 3 might initially suffer from stability problems, Miller walked away impressed. “Even the browser doesn’t crash,” he said. “You can surf to the (jailbreakme.com) page, jailbreak the phone and still use the browser!”