Surprise iOS 7.1 jailbreak for most iPhones and iPads uses year-old flaw

Technique allows users to install unauthorized apps on wide range of devices.

Read the whole story

 

[shawnce]

If they are using a deployment certificate from an Apple enterprise developer account that certificate will likely be revoked by Apple in short order. They will also likely attempt to track down the creators of that account... likely they however grabbed some other companies legit certificate and private key.

 

[FoO]

The technique appeals to many users, but it also comes with significant risks. One is that the process could temporarily or possibly permanently damage the hardware.

The only permanent damage you can get from jailbreaking is if you decide to upgrade the baseband and botch it. However, there's been no need to update the baseband for the last couple generations of iPhones. The term 'brick' has been tossed around and misused, mostly by inexperienced tweakers who have no idea how to put their iOS devices in DFU mode to restore. I suppose it's fair to say for -them- their device /is/ bricked, however, with something less than 10 minutes of googling they could be back on the road to a working device.

 

[FoO]

shawnce[/url]":qtwp94tk]If they are using a deployment certificate from an Apple enterprise developer account that certificate will likely be revoked by Apple in short order. They will also likely attempt to track down the creators of that account... likely they however grabbed some other companies legit certificate and private key.

It's already an expired cert; one of the steps of the jailbreak is to actually disable NTP and set the date and clock back on your device before initiating the jailbreak.

 

[another ars account]

FoO[/url]":2dnxyo78]

shawnce[/url]":2dnxyo78]If they are using a deployment certificate from an Apple enterprise developer account that certificate will likely be revoked by Apple in short order. They will also likely attempt to track down the creators of that account... likely they however grabbed some other companies legit certificate and private key.

It's already an expired cert; one of the steps of the jailbreak is to actually disable NTP and set the date and clock back on your device before initiating the jailbreak.

Okay, this is starting to make more sense. So the reason an iOS update would be required is to patch out a class of vulnerabilities, rather than to just revoke a certificate. Which they presumably will do anyway.

 

[edwpang]

The process could temporarily or possibly permanently damage the hardware.

I began to jailbreak(forced) 3 years ago. At the time I bought an iPhone 3GS, and didn't know it was already jailbroken to unlock the phone. I upgraded to iOS 5, so the phone stopped working as it might be locked to AT&T, but the SIM card was Rogers. So I have to re-jailbreak to make it work, but I didn't do it correctly at first, thought the phone might have been damaged. But after online research, I made it work(tethered jailbreak at the time) and unlocked phone, it worked until last year, after I opened to fix a homescreen issue. Since, I jailbreaked iPad 1, iPhone 4S, iPad Mini, and re-jailbreaked iPhone4S with Pangu. Worst case was I have to do the homescreen and power button trick and connect to PC to make it work again. So please try it youself before you make such a statement.

 

[jdale]

FTR: if pangu team releases a public jailbreak with vulnerabilities disclosed to them during my training I consider this in no way okay.

...

So finally after 1.75 years of being known to me, having tought it to 50-70 students a “friend” takes the bug and sells a jb based on it.

I'm not even an iOS user, but in my opinion if he discovered an exploit and has sat on it for 1.75 years, I consider that in no way okay. The fact that he also shared it with other people makes it worse, even if it was only a small and supposedly trustworthy group. You cannot control a secret you've shared with 50 people, that's absurd. And any exploit you find is likely to be independently discovered as well, especially more than a year later.

 

[countcracula]

jdale[/url]":zktcytha]

FTR: if pangu team releases a public jailbreak with vulnerabilities disclosed to them during my training I consider this in no way okay.

...

So finally after 1.75 years of being known to me, having tought it to 50-70 students a “friend” takes the bug and sells a jb based on it.

I'm not even an iOS user, but in my opinion if he discovered an exploit and has sat on it for 1.75 years, I consider that in no way okay. The fact that he also shared it with other people makes it worse, even if it was only a small and supposedly trustworthy group. You cannot control a secret you've shared with 50 people, that's absurd. And any exploit you find is likely to be independently discovered as well, especially more than a year later.

I am not involved in the scene at all but have watched from the sidelines while all of the petty arguments are tossed around and drama is happening. Stefan Esser has been a part of pretty much all of it. So I share this sentiment. You can share a secret with three people when two are dead.

 

[fivemack]

FoO[/url]":3mip6y67]

shawnce[/url]":3mip6y67]If they are using a deployment certificate from an Apple enterprise developer account that certificate will likely be revoked by Apple in short order. They will also likely attempt to track down the creators of that account... likely they however grabbed some other companies legit certificate and private key.

It's already an expired cert; one of the steps of the jailbreak is to actually disable NTP and set the date and clock back on your device before initiating the jailbreak.

Why on Earth does a device on which it is useful to know the correct time, and which uses time-stamps for security, even allow you to disable NTP?

Presumably this will be fixed in the next point release.

 

[심돌산]

Wasn't it back in 1987 or so that the "reset the clock" method of getting around trial software restrictions stopped working?

 

[uhuznaa]

I've stopped jailbreaking my iPhone when all of the background around jailbreaks got murkier and murkier. Using a badly documented (or not documented at all) tool to install binaries from people without a name and no accountability is almost the opposite of something I could feel good about. The fact that a jailbreak actually has to disable many security measures (like code signing) is bad enough, but please give me an exact documentation of what the tool does and how it works and release the source code for it. Without that it's like just taking a handful of pills somebody gives you in a shady backstreet.

I like Open Source and open systems, but when I use closed source systems I prefer them to come from someone with an actual name and a reputation or just lots of money to risk. The jailbreak community and everything around it is (maybe necessarily) nothing like that. I never liked the secrecy around it and this has only gotten worse over the years.

I think Apple's approach to security by locking the thing down as far as possible is as valid as other (more open) approaches, even both are totally different. But THIS sits in an awkward point that seems to maximize the disadvantages of both ways.

 

[PandaCheese]

What's the legal status on "owning" an exploit? I know they are being sold, but is there any IP protection?

 

[P W]

only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

 

[agrouf]

심돌산[/url]":3j4vfdpp]Wasn't it back in 1987 or so that the "reset the clock" method of getting around trial software restrictions stopped working?

Nope, it still works in 2014 with many softwares. People usually use a virtual machine to install such software and change the clock. Many software licenses are linked to the MAC address of the NIC, which you can also change on a virtual machine. It's not legal and I don't tell anybody to do it but it does work more often than not. It's not the right thing to do though.
Generally software developers don't bother with complex anti piracy systems that cost money and time for very little benefit.

 

[agrouf]

P W[/url]":1zxy9bby]only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

Basically Apple want to charge you for the in house applications you develop yourself for you or your own customers and that will run on your own devices. They also want to take their cut on every application sold. That is their business model.

 

[jandrese]

fivemack[/url]":2a28brdp]

FoO[/url]":2a28brdp]

shawnce[/url]":2a28brdp]If they are using a deployment certificate from an Apple enterprise developer account that certificate will likely be revoked by Apple in short order. They will also likely attempt to track down the creators of that account... likely they however grabbed some other companies legit certificate and private key.

It's already an expired cert; one of the steps of the jailbreak is to actually disable NTP and set the date and clock back on your device before initiating the jailbreak.

Why on Earth does a device on which it is useful to know the correct time, and which uses time-stamps for security, even allow you to disable NTP?

Presumably this will be fixed in the next point release.

Eh, not disabling NTP only slightly increases the difficulty of the hack. All you have to do is set up a compromised NTP server that feeds the phone whatever date you want. Apple could make this difficult by making the NTP client not trust dates that are too far away from its own internal clock, but this can break legitimate phones when people leave them off for too long and the internal clock gets corrupted.

 

[uhuznaa]

agrouf[/url]":3f4jawvh]

P W[/url]":3f4jawvh]only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

Basically Apple want to charge you for the in house applications you develop yourself for you or your own customers and that will run on your own devices. They also want to take their cut on every application sold. That is their business model.

Apple doesn't do this for in house applications, that's what the Enterprise thing is for. You can deploy your own apps to your own devices this way without Apple caring at all.

 

[agrouf]

uhuznaa[/url]":30fi1cqy]

agrouf[/url]":30fi1cqy]

P W[/url]":30fi1cqy]only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

Basically Apple want to charge you for the in house applications you develop yourself for you or your own customers and that will run on your own devices. They also want to take their cut on every application sold. That is their business model.

Apple doesn't do this for in house applications, that's what the Enterprise thing is for. You can deploy your own apps to your own devices this way without Apple caring at all.

$299/year
https://developer.apple.com/programs/ios/enterprise/

 

[Sumwun]

agrouf[/url]":2xoswzuh]

P W[/url]":2xoswzuh]only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

Basically Apple want to charge you for the in house applications you develop yourself for you or your own customers and that will run on your own devices. They also want to take their cut on every application sold. That is their business model.

No. Apple charges a small amount of money ($300) to issue a security cert that allows a company to install their own private apps on their iOS devices. Apple neither knows or cares what those apps might be.

Actually the amount charged by Apple is considerably less than another company charges for a similar service on that company's devices.

 

[BlackHex]

jdale[/url]":frgt6um9]

FTR: if pangu team releases a public jailbreak with vulnerabilities disclosed to them during my training I consider this in no way okay.

...

So finally after 1.75 years of being known to me, having tought it to 50-70 students a “friend” takes the bug and sells a jb based on it.

I'm not even an iOS user, but in my opinion if he discovered an exploit and has sat on it for 1.75 years, I consider that in no way okay. The fact that he also shared it with other people makes it worse, even if it was only a small and supposedly trustworthy group. You cannot control a secret you've shared with 50 people, that's absurd. And any exploit you find is likely to be independently discovered as well, especially more than a year later.

This.

Mr Esser sounds like a very shady and untrustworthy character. Finding an exploit and keeping quiet I can understand... finding it and teaching it? WTF?

 

[Doomguy]

This Stefan Esser guy sounds like a crybaby from Hackers Elementary.

 

[The Ugly]

I literally laughed out loud in my office when I read that Stefan had been sharing this exploit for a year and a half but asking people "please don't share it"

Seriously? You found a vulnerability, want to use it for teaching classes and impressing people about how smart you are, but don't want anyone to patch it? And you ask everyone to keep it a secret?

At best it's a security risk. But guess what: they can profit off the vulnerability too!

I'm surprised it lasted this long.

 

[The Ugly]

Hey guys I found a special trick that lets you play every game in the arcade without putting in any quarters!

Here, let me show you, it's easy, you hit the machine on the side exactly... here. I've been doing this for years now! Always play for free.

But don't use it yourself. This is my trick. Don't tell anyone. Please guys. And don't let the arcade owner know. I showed you the trick as a teaching example of how cool I am. It's not for you to play for free. That's just my things.


Guuuuuuuys!!! Come on! Not cool!

 

[zaqzlea]

astie[/url]":syukky37]

agrouf[/url]":syukky37]

P W[/url]":syukky37]only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

Basically Apple want to charge you for the in house applications you develop yourself for you or your own customers and that will run on your own devices. They also want to take their cut on every application sold. That is their business model.

No. Apple charges a small amount of money ($300) to issue a security cert that allows a company to install their own private apps on their iOS devices. Apple neither knows or cares what those apps might be.

Actually the amount charged by Apple is considerably less than another company charges for a similar service on that company's devices.

You should be able to issue your own security cert for your own apps you deploy in your devices without caring to pay anyone (except for the hardware). Of course that means your clients must trust you.

 

[ScifiterX]

I am starting to suspect Apple isn't outright removing the flaw so much as covering it up better each time so only truly competent hackers can find it.

 

[Constructor]

zaqzlea[/url]":189en90m]You should be able to issue your own security cert for your own apps you deploy in your devices without caring to pay anyone (except for the hardware). Of course that means your clients must trust you.

iOS enforces code signature checking, which is one of the strongest lines of defense against malware.

This, of course, requires a certificate signed by Apple. Which is not for free, but still reasonably cheap for what it is. If you're not willing to invest that little money, it's probably best for everyone involved if you stay off the platform.

 

[Constructor]

ScifiterX[/url]":toru64e4]I am starting to suspect Apple isn't outright removing the flaw so much as covering it up better each time so only truly competent hackers can find it.

Apples past behaviour provides zero evidence for that being a consideration. They simply plug the vulnerability with an upcoming security update and that's that. The end.

 

[agrouf]

astie[/url]":3ilsty0w]

agrouf[/url]":3ilsty0w]

P W[/url]":3ilsty0w]only reason i jailbreak my ipad is for xbmc and emulators. its sorta dumb that apple blocks software functionality. shrug. reason some people jail break. wish apple would stop trying to block the jailbreaks or allow the majority of functionality that their customers want.

Basically Apple want to charge you for the in house applications you develop yourself for you or your own customers and that will run on your own devices. They also want to take their cut on every application sold. That is their business model.

No. Apple charges a small amount of money ($300) to issue a security cert that allows a company to install their own private apps on their iOS devices. Apple neither knows or cares what those apps might be.

Actually the amount charged by Apple is considerably less than another company charges for a similar service on that company's devices.

That depends on who you are and what you do but $300/y can be pretty expensive for a small business/hobby/personal stuff. The problem is that first off the cert is mandatory, and second off, generating it costs about $0.001 in electricity. You don't really pay for the (pointless) cert, but rather for support. The cert could be useful for some businesses but those who don't care can't do without.

 

[maccatalan]

It’s likely the exploit will be discovered by Apple now that it’s out in the wild, which means it will almost certainly be patched for iOS 7.2 and iOS 8. Worst of all PanGu has broken the trust of a well-respected member of the jailbreaking community.

This is actually a good thing... As an iOS user I am concerned with such flaws which could be exploited by malicious websites or apps to infiltrate my phone.

 

[UncleBubba]

I once jailbroke every i-device I owned, and enjoyed some of the benefits, like being able to install an ad-blocker, script-limiter, and firewall. Funny thing, though, is that Cydia (the jailbreak app installer) is chock-full of annoying ads that the blockers can't (or won't) touch.

Then the jailbreaks started "reorganizing and optimizing" the structure of the OS filesystems, both /data and /system, and I didn't see any technical documentation on what was actually changing. Perhaps it was there, but I couldn't find it.

I finally decided I couldn't stomach the security risks anymore, and stopped jailbreaking. It was interesting, educational, and fun, and I liked it, but the benefits no longer outweighed the risks.

 

[another ars account]

agrouf[/url]":2pnfxjuj]
That depends on who you are and what you do but $300/y can be pretty expensive for a small business/hobby/personal stuff.

If $300 is a lot for your small business, it's not really a business. And $300 is for the enterprise certificate - small business etc. can use a $99 developer cert instead.

The problem is that first off the cert is mandatory, and second off, generating it costs about $0.001 in electricity. You don't really pay for the (pointless) cert, but rather for support. The cert could be useful for some businesses but those who don't care can't do without.

I have no sympathy for businesses who can't handle $100 or $300 for platform access. For hobby and personal use, yeah it's a pain.

 

[crashworks]

jandrese[/url]":2rfqnilb]

fivemack[/url]":2rfqnilb]

FoO[/url]":2rfqnilb]
It's already an expired cert; one of the steps of the jailbreak is to actually disable NTP and set the date and clock back on your device before initiating the jailbreak.

Why on Earth does a device on which it is useful to know the correct time, and which uses time-stamps for security, even allow you to disable NTP?

Eh, not disabling NTP only slightly increases the difficulty of the hack. All you have to do is set up a compromised NTP server that feeds the phone whatever date you want. Apple could make this difficult by making the NTP client not trust dates that are too far away from its own internal clock, but this can break legitimate phones when people leave them off for too long and the internal clock gets corrupted.

This raises the question: why does a device with a cellular radio and GPS antenna need NTP at all? Either one of those receivers continually picks up a millisecond-accurate timebase signal as an intrinsic part of its functioning.

 

[aleph_nought]

I'm not a fan of Apple's walled garden mentality, especially when the wall around the garden is a thousand feet high

That said, what's with Esser being pissed off that someone released his exploit? I assume he makes money teaching this exploit and now he can't, or he keeps it exclusive so only a trusted group can jailbreak their iThings instead of the general public. Sitting on it for almost 2 years is a pretty long time. Coming from the open source world, I would've just released the damn thing once it was discovered.

 

[jandrese]

crashworks[/url]":2of5oche]This raises the question: why does a device with a cellular radio and GPS antenna need NTP at all? Either one of those receivers continually picks up a millisecond-accurate timebase signal as an intrinsic part of its functioning.

Because that information is squirreled away in a different part of the firmware and the OS may not have access to it. Also, they can be turned off if someone wants to do something nefarious with the phone.

 

[ScifiterX]

Constructor[/url]":1xnzbn9f]

ScifiterX[/url]":1xnzbn9f]I am starting to suspect Apple isn't outright removing the flaw so much as covering it up better each time so only truly competent hackers can find it.

Apples past behaviour provides zero evidence for that being a consideration. They simply plug the vulnerability with an upcoming security update and that's that. The end.

I was being facetious. It almost always seems like someone is pulling the "exploit old flaw to jailbreak" card each time. You'd think they find some new flaw one time at least.

 

[jigzat]

Malware-free jailbreak?... Really? is like saying dry water.

 

[sonicmerlin]

They should have saved it for 8.0. Ah well. There are certain apps you can only run on a jailbroken device, for example f.lux. I couldn't get to sleep without f.lux.

 

[agrouf]

another ars account[/url]":19opwooo]

agrouf[/url]":19opwooo]
That depends on who you are and what you do but $300/y can be pretty expensive for a small business/hobby/personal stuff.

If $300 is a lot for your small business, it's not really a business. And $300 is for the enterprise certificate - small business etc. can use a $99 developer cert instead.

The problem is that first off the cert is mandatory, and second off, generating it costs about $0.001 in electricity. You don't really pay for the (pointless) cert, but rather for support. The cert could be useful for some businesses but those who don't care can't do without.

I have no sympathy for businesses who can't handle $100 or $300 for platform access. For hobby and personal use, yeah it's a pain.

$300 looks like a small amount but it can add up quickly, it depends on the context. It's not just the $300, it's the conditions and pain that come with the program. The entreprise developer cert allows you to install programs on employees devices, it does not allow you to install it anywhere else.
Imagine you are a small software developer and you created a software to handle stock and supply in a grocery. You sell your software for let's say €300 because you have a lot of customers. The software is written once and tuned for each customer specific needs. So you just have to pay $300/y to Apple and you can distribute your stuff to groceries, right? Wrong! You will need a cert PER grocery. If you have 500 customers, you will pay Apple $60k/y.
And what about free software? Let's say you have the source of a business application for your grocery. The problem is that the application handles tomatoes but not carrots. You want to add carrot support? Just add the string in vegetables.cpp, compile and ... pay $300/y to Apple (in addition to the trouble of enrolling in the entreprise program), or jailbreak!

 

[Ashe]

agrouf[/url]":kwxkp0ul]

another ars account[/url]":kwxkp0ul]

agrouf[/url]":kwxkp0ul]
That depends on who you are and what you do but $300/y can be pretty expensive for a small business/hobby/personal stuff.

If $300 is a lot for your small business, it's not really a business. And $300 is for the enterprise certificate - small business etc. can use a $99 developer cert instead.

The problem is that first off the cert is mandatory, and second off, generating it costs about $0.001 in electricity. You don't really pay for the (pointless) cert, but rather for support. The cert could be useful for some businesses but those who don't care can't do without.

I have no sympathy for businesses who can't handle $100 or $300 for platform access. For hobby and personal use, yeah it's a pain.

$300 looks like a small amount but it can add up quickly, it depends on the context. It's not just the $300, it's the conditions and pain that come with the program. The entreprise developer cert allows you to install programs on employees devices, it does not allow you to install it anywhere else.
Imagine you are a small software developer and you created a software to handle stock and supply in a grocery. You sell your software for let's say €300 because you have a lot of customers. The software is written once and tuned for each customer specific needs. So you just have to pay $300/y to Apple and you can distribute your stuff to groceries, right? Wrong! You will need a cert PER grocery. If you have 500 customers, you will pay Apple $60k/y.
And what about free software? Let's say you have the source of a business application for your grocery. The problem is that the application handles tomatoes but not carrots. You want to add carrot support? Just add the string in vegetables.cpp, compile and ... pay $300/y to Apple (in addition to the trouble of enrolling in the entreprise program), or jailbreak!

So, just add the yearly cost of the cert to each grocery's sale bill... or develop an App that doesn't require all the custom tooling and distribute it through the App store itself. In the both instances, you would not even need to cough up any loot for the enterprise account yourself but just the developer account since you wouldn't need enterprise level support.

 

[another ars account]

agrouf[/url]":4isuzi0n]
Imagine you are a small software developer and you created a software to handle stock and supply in a grocery. You sell your software for let's say €300 because you have a lot of customers. The software is written once and tuned for each customer specific needs. So you just have to pay $300/y to Apple and you can distribute your stuff to groceries, right? Wrong! You will need a cert PER grocery. If you have 500 customers, you will pay Apple $60k/y.

Yeah, Apple really needs to find a way to allow you to sell your software to customers as part of that $99/year developer arrangement they have. Some sort of a Store for Apps, maybe. And before you complain about the App Store being consumer focused, browse this.