Code that allows Apple customers to circumvent that company’s exclusive content protection features was released on Wednesday, with security researchers warning that the hack could be impossible for Apple to fix on devices that have already been manufactured.

The Chronic Development Team, a group of hackers who specialize in mobile devices, released firmware on Wednesday that allows iPhone, iPad and iTouch users to “jailbreak” their devices. The announcement, distributed on Twitter by a Chronic team member who uses the online handle pod2g, came within hours of Apple publishing the much anticipated update to iOS, version 4.1. Apple has not yet responded to requests for comment on the jailbreak code.

Security experts still know little about the underlying exploit used to jailbreak the devices, beyond claims from the group that it is located in the boot ROM – low level code that is run immediately by the device’s processor when it is powered on, and that loads the firmware (or operating system) that manages the device.  Because it runs below the level of the operating system and is integrated with the hardware used by the device, boot ROM exploits cannot be patched through traditional software updates after devices have been manufactured.

Device owners force their devices into recovery mode and can then use
an application running on a Apple Mac or PC to load the modified firmware, thereby “jail breaking” the phone. Such exploits are called “tethered,”
because the mobile device must be connected to another device to trigger
the exploit. Exploits like that used in the recent jailbreakme application for iPhones are “untethered” because they can be accessed and run by users with nothing more than their mobile device.

Hacking groups the Chronic Development Team and the iPhone Development Team have long been interested in finding ways to “jailbreak” Apple devices – bypassing features that limit the functionality and types of applications and media the devices can run. Hackers have focused on boot ROM before. An earlier exploit affecting iPhone 3G and 3GS devices also targeted the boot ROM, forcing Apple to update the ROM to patch the earlier exploit, dubbed “24kpwn.” By that time, however, hackers had refined the raw exploit, creating easy-to-use tools like blackra1n and PwnageTool that allowed non-technical users to free their devices.

Boot ROM vulnerabilities aren’t much different from other kinds of software bugs, but they are invisible to standard software scanning tools and require a separate process of penetration testing to discover and fix, said Chris Wysopal, the Chief Technology Officer at software testing firm Veracode.

The attention of hackers on such low level exploits may be the result of better protections and security feature within iOS itself, and a desire for any exploit to survive Apple’s frequent and automated OS updates, Wysopal said.

With no way to patch existing devices, the Apple would have to settle for fixing the flaw with an updated boot ROM in newly manufactured  phones. Its also possible that Apple engineers will discover a way to patch the exploit in software, Wysopal said.

Recent changes to the Digital Millennium Copyright Act allow users to “jailbreak” devices from copyright protections that vendors like Apple and Microsoft that make the devices and the software that runs them. But Apple has said that it reserves the right to cut off devices that are jailbroken from access to resources like the AppStore and has not ruled out disabling such devices.

Categories: Vulnerabilities