Researchers Reveal Jailbroken iPhone Exploit

A new jailbreak for the Apple iPhone has provided another example of remote exploits on mobile devices, security researchers say.

According to security researchers, the JailbreakMe 2.0 exploit takes advantage of two distinct vulnerabilities of free devices running Apple’s iOS. Now officially legalised, jailbreaking allows users to run unauthorised third-party applications on a mobile device.

The first bug Jailbreak 2.0 uses is related to the processing of Compact Font Format data within a PDF document, explained Vupen Security CEO Chaouki Bekrar. The second is a flaw in the kernel that can be exploited to “gain elevated privileges and bypass sandbox restrictions.”

Remote Exploit

Attackers could exploit the first bug remotely by tricking iPhone users into visiting a malicious site that would then redirect the browser to the appropriate malicious PDF file depending on the device model and version, Bekrar said. Once done, the kernel flaw can be exploited to take control of the device.

“The bad news is that the exploits affect all versions of Apple iPhone, iPad and iPod, and they could be easily modified and used by criminals to compromise Apple devices via drive-by download attacks,” Bekrar told eWEEK.

Apple did not respond immediately to a request for comment on the issue. However, Kevin Haley, director of Symantec Security Response, noted that details of the jailbreak exploit code are not publicly documented, and “the authors seem to have gone to some effort to obfuscate the code.”

Still, it is possible the exploit code could be altered by an attacker to deliver a malicious payload, Haley said. “Based on the facts right now, I think Apple should be concerned [about] this,” he said.

Jailbreak

While there has not been a huge volume of remote exploits for mobile devices relative to the number for desktops and applications, there have been several that could lead to the complete compromise of devices, said Michael Price, senior operations manager for McAfee Labs for Latin America. There are also a fairly large number of known vulnerabilities that could, theoretically lead to exploitation but that do not have corresponding public exploits, he added.

To Dave Marcus, security research and communications manager at McAfee, the situation should serve as a wake-up call for anyone with a mobile device: Remote exploitation is real and here to stay. “For now these vulnerabilities are being used only—as far as we know—to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world,” Marcus blogged.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago