Surprise iOS 7.1 jailbreak for most iPhones and iPads uses year-old flaw

Technique allows users to install unauthorized apps on wide range of devices.

Dan Goodin – Jun 25, 2014 11:24 am | 47

Credit: PanGu

Developers in China have published what appears to be a reliable and malware-free jailbreak for most iPhones and iPads running the latest version of Apple’s iOS. The release underscores how hard it is to keep such jailbreak exploits out of the public domain, since the code vulnerability that makes it possible appears to come from a highly secretive training class on iOS exploit development.

Jailbreaks allow iOS users to bypass Apple’s iron-clad technical restrictions and install unauthorized third-party software that is not included in the App Store. The technique appeals to many users, but it also comes with significant risks. One is that the process could temporarily or possibly damage the device. Another is that jailbreak developers may bundle keyloggers or other types of malware inside the software that performs the operation, leaving users with a device that steals passwords, tracks geographic whereabouts, or performs other nefarious deeds. Neither of those risks appears to accompany the release this week of the PanGu jailbreak, but Ars hasn’t verified its safety, security, or reliability. Readers who choose to run the program do so at their own risk.

The jailbreak, according to security researchers at Lacoon Mobile Security, uses a digital certificate Apple provides to enterprise customers to bypass restrictions on unauthorized apps. Apple makes them available so that customers can establish their own in-house source of apps instead of relying on the App Store. PanGu uses the certificate associated with “iPhone Distribution: Hefei Bo Fang communication technology co., LTD.” At the moment, users must physically connect their iPhones or iDevices to a computer, but it’s possible that PanGu could be refashioned to work remotely.

“In these remote scenarios, attackers can lure users to download an app within a phishing email or as a link to a site,” Lacoon researcher Ohad Bobrov wrote in a blog post published Wednesday. “A user falling for the scam will install that app without ever knowing that running the app has actually led to the jailbreaking of their device.”

The jailbreak works on most recent Apple mobile devices, including the iPhone 5S, 5, 5C, 4S, and 4; the iPad Mini; the iPad Air, and the iPod Touch running iOS 7.1 through iOS 7.1.x. Instructions and tips are available on reddit, although they are useful only to Windows users. The PanGu website appears to offer a Mac-compatible jailbreak, although it’s not entirely clear since the site is available only in Chinese.

Heard it through the grapevine

The PanGu technique may have been borrowed or refined from an exploit that well-known security researcher Stefan Esser developed and has been teaching in a training class to fellow developers. According to a blog post published Monday by Digital Trends:

When Stefan Esser (ion1c) learned that the Pangu team was going to release a jailbreak, he suspected they were going to use an exploit he found and shares in his training class for helping people learn about developing exploits for iOS. The exploit is for training purposes, and he asks those who he teaches not to utilize it.

FTR: if pangu team releases a public jailbreak with vulnerabilities disclosed to them during my training I consider this in no way okay.

— Stefan Esser (@i0n1c) June 23, 2014

At the bottom of the Jailbreak app by PanGu, a special thanks is given to Ion1c, though it appears they did not have the permission of Esser to utilize the exploit. It’s likely the exploit will be discovered by Apple now that it’s out in the wild, which means it will almost certainly be patched for iOS 7.2 and iOS 8. Worst of all PanGu has broken the trust of a well-respected member of the jailbreaking community.

So finally after 1.75 years of being known to me, having tought it to 50-70 students a “friend” takes the bug and sells a jb based on it.

— Stefan Esser (@i0n1c) June 23, 2014

It’s very likely the PanGu team could have some huge monetary incentives to release a jailbreak. While this version lacks a secret app store or any spyware like the one initially launched in December, there’s no doubt plenty of people would pay a fair sum to get unrestricted access to their iPhones, even if they couldn’t sneak in malware. While some might criticize Esser from hiding an exploit from the public, there’s no way to know now what good could come in the long term from Esser’s continued work on the exploit.

Esser didn’t immediately respond to an e-mail seeking comment for this post. The moral of the account, assuming it’s accurate, is that it’s unrealistic to think high-value exploits won’t become public knowledge once they begin circulating, especially when the underlying vulnerability has existed for more than a year.