A website that makes it child’s play for iPad and iPhone owners to jailbreak their devices raises important security concerns.
The site, jailbreakme.com, exploits an iOS vulnerability to run unauthorised code on Apple customers’ iPhones and iPads, including the new iPad 2. In this way it lets users jailbreak their devices and run programs that have not been approved for the official App Store.
Usually jailbreaking requires users to connect their device to a computer before they can start to tamper with the setup of their iPhone or iPad and gain access to the Cydia underground app store.
Sites like JailBreakMe make the process much simpler.
But if visiting the JailBreakMe website with Safari is enough to trigger a security vulnerability and run the site’s code, just imagine how someone with more nefarious intentions could abuse the same vulnerability to install malicious code on your iPad or iPhone. A jailbreak, by its nature, has to get past the restrictions that normally stop a webpage from changing anything on the device, so code delivered this way is not confined to what the browser alone could do.
If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that would – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code of the attacker’s choosing on the device, with no further action from the user.
A website like JailBreakMe makes it easy to jailbreak your iPhone or iPad, but it is also handing malicious hackers a blueprint for infecting such devices with malware.
I don’t want to be a party pooper for those who wish to jailbreak their Apple devices, but it’s essential that Apple closes this vulnerability as quickly as possible, before it is abused with malicious intent.
Interestingly, “Comex”, the creator of the JailBreakMe website, seems to recognise that hackers might copy the exploit and use it in an iPad or iPhone virus. However, he attempts to deflect any responsibility in his FAQ:
"I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
Apple will be furious that this vulnerability has been made public in this way, and that it does not yet have an official patch to protect its millions of users.
Sophos’s experts have added detection of the exploit code as Troj/PDFEx-ES, but as Apple does not allow anti-virus software in the official iPhone App Store, there is no on-device protection available for users.
This isn’t the first time that JailBreakMe has made it simple to jailbreak your iPhone by taking advantage of a vulnerability to run its code. Something similar happened last year and forced Apple to issue a security patch.
All eyes now turn to Apple to see how quickly it can secure its users against this new potential vector for iPhone/iPad malware infection. Leaving a security hole like this open is simply inviting malicious hackers to exploit it. Until a fix ships, every unpatched device remains exposed to any copy of the exploit, not just the one on jailbreakme.com.
by Graham Cluley on July 6, 2011