
Apple investigating jailbreak vulnerabilities

post #1 of 53
Thread Starter 
An Apple spokeswoman acknowledged that the company is looking into a report on software vulnerabilities that allow remote control and 'jailbreaking' of its iOS devices.

After the French security firm Vupen posted an advisory about two critical security flaws in Apple's iOS, Apple stated that they are aware of the report and investigating it, according to Reuters.

The vulnerabilities are currently being utilized by jailbreakme.com to allow users to jailbreak an iOS device and install software independent of Apple's moderated App Store. A hacker known as "comex" developed the current jailbreak exploit and claims to know other potential exploits for when the current one is patched.

The jailbreak exploit has been called both "scary" and "very beautiful work" by one security expert. Whereas previous jailbreaks have usually required users to run software on their Mac or PC, this jailbreak takes place only on the device itself.

Mobile device security has been a hot issue as of late. Vupen's advisory comes just a few days after security experts released a root kit exploit for Android phones at the Defcon hackers conference in Las Vegas. Nicholas Percoco, who developed the exploit with a colleague, said the tool "wasn't difficult" and took two weeks to build.
post #2 of 53
Quote:
Originally Posted by AppleInsider View Post

Mobile device security has been a hot issue as of late. Vupen's advisory comes just a few days after security experts released a root kit exploit for Android phones at the Defcon hackers conference in Las Vegas. Nicholas Percoco, who developed the exploit with a colleague, said the tool "wasn't difficult" and took two weeks to build.

Sure iPhone is broke, but so is every other smart phone. It is an industry-wide problem. Videos to come.

Life is too short to drink bad coffee.

post #3 of 53
I guess this is more of an incentive for Apple to fix this exploit as soon as possible. Had "comex" just alerted Apple of the issue, it would have taken a while before we would have a fix and possible acknowledgment of the exploit.

Anyway, this should be all behind us in a week or two from now.

Apple knows of the issue. They are working on a fix. I'm guessing they'll roll it in with iOS 4.1? If not, 4.0.2 then.
iPhone Dev team knows of the impending fix and already have a USB tethered option.
post #4 of 53
Interesting, Apple plugged this hole by iOS 4.1b2, before JailbreakMe came out. Not sure if it was intentional or not, but it's closed. Here's what I get when I go to the site.

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #5 of 53
Quote:
Originally Posted by solipsism View Post

Interesting, Apple plugged this hole by iOS 4.1b2, before JailbreakMe came out. Not sure if it was intentional or not, but it's closed. Here's what I get when I go to the site.


Maybe, maybe not.

The site checks your system version, so that's just the site backing off before trying.
post #6 of 53
I jailbroke my iPhone 4 today, but then reverted it a couple hours later. Most of the apps that convinced me to jailbreak in the first place just didn't work. I suspect that they've not been updated for iOS4 and without any social functions like the App Store like reviews, there's no way for users to know this prior to downloading (or even after, they just appear nonfunctional).
post #7 of 53
Quote:
Originally Posted by solipsism View Post

Interesting, Apple plugged this hole by iOS 4.1b2, before JailbreakMe came out. Not sure if it was intentional or not, but it's closed. Here's what I get when I go to the site.


Have you tried to downgrade? I'm sorry that I cannot be of more assistance. Maybe someone more knowledgeable can help?
post #8 of 53
Quote:
Originally Posted by mbarriault View Post

I jailbroke my iPhone 4 today, but then reverted it a couple hours later. Most of the apps that convinced me to jailbreak in the first place just didn't work. I suspect that they've not been updated for iOS4 and without any social functions like the App Store like reviews, there's no way for users to know this prior to downloading (or even after, they just appear nonfunctional).

yeah. they all sort of work if you have enough patience. It's cool for showing people a checklist of stuff you supposedly could do though....
post #9 of 53
And though the holes were rather small. They had to count them all. Now they know how many holes it takes to fill the browsers all...


[My apologies to John Lennon.]
post #10 of 53
Quote:
Originally Posted by DrDoppio View Post

Have you tried to downgrade? I'm sorry that I can not be of more assistance. Maybe someone more knowledgeable can help?

Thanks, but I was pointing out that the security hole is not active with iOS 4.1 beta 2. I know how to downgrade but I have no interest to do so or to jailbreak my device.

And ihxo is right, it might still be open but requires some changes that comex hasn't implemented. I'm just posting what I know.
post #11 of 53
Quote:
Originally Posted by solipsism View Post

Thanks, but I was pointing out that the security hole is not active with iOS 4.1 beta 2. I know how to downgrade but I have no interest to do so or to jailbreak my device.

And ihxo is right, it might still be open but requires some changes that comex hasn't implemented. I'm just posting what I know.

I must have misunderstood, my bad.

Well, at least developers with the beta are less likely to accidentally their phones.
post #12 of 53
Quote:
Originally Posted by DrDoppio View Post

I must have misunderstood, my bad.

Well, at least developers with the beta are less likely to accidentally their phones.

My post was ambiguous in that regard and could have been taken either way.
post #13 of 53
Quote:
Originally Posted by AppleInsider View Post

Whereas previous jailbreaks required users to run software on their Mac or PC, this is the first jailbreak that takes place only on the device itself.

This is actually not true - the very first public jailbreak, back before even the App Store existed, was also delivered via Mobile Safari right on the iPhone itself. I think it was even hosted by the same domain name, too.
post #14 of 53
So if I understand this right: go to a webpage that jailbreaks your phone and opens a huge security hole in your iPhone for mischief. AND you're doing it on purpose. All for a few marginally functional apps that you'll discover are crappy anyway only to revert to the original iOS anyway? Imagine a world where we all whine and complain that we couldn't jailbreak our refrigerators, microwaves, or TV's. Your phone is an appliance not your Jr. High science experiment. Go out and have a beer, meet up with some friends, play basketball, have s*x with your partner....whatever....but EVERYTHING in life is more important than jailbreaking your phone.

Malware, virus, etc... call it what you want. But it A) totally validates Apple's closed system, and B) anyone dumb enough to do it deserves it.
post #15 of 53
Quote:
Originally Posted by KangaMoJo View Post

So if I understand this right: go to a webpage that jailbreaks your phone and opens a huge security hole in your iPhone for mischief. AND you're doing it on purpose. All for a few marginally functional apps that you'll discover are crappy anyway only to revert to the original iOS anyway? Imagine a world where we all whine and complain that we couldn't jailbreak our refrigerators, microwaves, or TV's. Your phone is an appliance not your Jr. High science experiment. Go out and have a beer, meet up with some friends, play basketball, have s*x with your partner....whatever....but EVERYTHING in life is more important than jailbreaking your phone.

Malware, virus, etc... call it what you want. But it A) totally validates Apple's closed system, and B) anyone dumb enough to do it deserves it.

Whatever you do, DON'T look under the bed, the boogieman might get you! And always trust the government, they know what's best for you. And big companies always have your best interest in mind, and besides, no one can do anything on their product as well as they can. I'm sooooo glad that they came up with the oh so original ideas of third party apps, background wallpaper, tethering, multitasking, and others! We didn't even know we needed them until Apple told us we did. Well maybe jailbreakers had them ALL before Apple released them, but jailbreaking is so SCARY!!! // Haha, don't be afraid little sister...
post #16 of 53
Quote:
Originally Posted by irq View Post

This is actually not true - the very first public jailbreak, back before even the App Store existed, was also delivered via Mobile Safari right on the iPhone itself. I think it was even hosted by the same domain name, too.

I was thinking the same thing, and you're right, it was the same domain. There was also a jailbreak that used the emergency phone key pad on a non-activated iPhone to hactivate and jailbreak with no computer required.
post #17 of 53
Quote:
Originally Posted by ihxo View Post

yeah. they all sort of work if you have enough patience. It's cool for showing people a checklist of stuff you supposedly could do though....

There is a compatibility chart posted by the founder of Cydia app store at http://spreadsheets.google.com/ccc?k...2c&hl=en#gid=1
You should check their website often if you jailbreak, at http://thebigboss.org; they post news and update info regularly.
post #18 of 53
Quote:
Originally Posted by KangaMoJo View Post

So if I understand this right: go to a webpage that jailbreaks your phone and opens a huge security hole in your iPhone for mischief. AND you're doing it on purpose. All for a few marginally functional apps that you'll discover are crappy anyway only to revert to the original iOS anyway? Imagine a world where we all whine and complain that we couldn't jailbreak our refrigerators, microwaves, or TV's. Your phone is an appliance not your Jr. High science experiment. Go out and have a beer, meet up with some friends, play basketball, have s*x with your partner....whatever....but EVERYTHING in life is more important than jailbreaking your phone.

Malware, virus, etc... call it what you want. But it A) totally validates Apple's closed system, and B) anyone dumb enough to do it deserves it.



YOU scare ME!
post #19 of 53
Quote:
Originally Posted by KangaMoJo View Post

So if I understand this right: go to a webpage that jailbreaks your phone and opens a huge security hole in your iPhone for mischief. AND you're doing it on purpose. All for a few marginally functional apps that you'll discover are crappy anyway only to revert to the original iOS anyway? Imagine a world where we all whine and complain that we couldn't jailbreak our refrigerators, microwaves, or TV's. Your phone is an appliance not your Jr. High science experiment. Go out and have a beer, meet up with some friends, play basketball, have s*x with your partner....whatever....but EVERYTHING in life is more important than jailbreaking your phone.

Malware, virus, etc... call it what you want. But it A) totally validates Apple's closed system, and B) anyone dumb enough to do it deserves it.

1) The hole is already there, hence the jailbreak actually working via Safari.

2) There is already an app on Cydia you can install on your jailbroken iDevice to warn you that you may be opening a PDF that could access your system.

3) There are plenty of great features one can add for their jailbroken device. For instance, there is a great paid app for your lock screen that lists pretty much any at-a-glance data you can think of without the need for unlocking your phone and accessing a half dozen different apps.
post #20 of 53
These file format vulnerabilities are beginning to annoy me. PDF has been around for how long now? How fscking hard can it be to write a robust parser for a PDF with the amount of resources available with companies like Apple? It is nothing more than gross negligence.
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
post #21 of 53
Quote:
Originally Posted by talksense101 View Post

These file format vulnerabilities are beginning to annoy me. PDF has been around for how long now? How fscking hard can it be to write a robust parser for a PDF with the amount of resources available with companies like Apple? It is nothing more than gross negligence.

No. COMEX was just brilliant! Not to mention he and the dev team are great guys and care about the JB community. People that don't like it just should NOT jb.
post #22 of 53
Quote:
Originally Posted by AppleInsider

jailbreakme.com to allow users to unlock an iOS device

I think you mean "jailbreak" an iOS device

Quote:
Originally Posted by AppleInsider

this is the first jailbreak that takes place only on the device itself.

Can anyone say 1.1.1?
post #23 of 53
Quote:
Originally Posted by davidcarswell View Post

No. COMEX was just brilliant! Not to mention he and the dev team are great guys and care about the JB community. People that don't like it just should NOT jb.

It's true, the JB community is a vibrant one. Unfortunately, like geohot said, it's become way too easy to JB and the 'community' is just a bunch of whiners who want the next unlock asap and the easier the better. I miss the days when unlocking or jailbreaking actually took some time and effort/skill.
post #24 of 53
Quote:
Originally Posted by solipsism View Post

Interesting, Apple plugged this hole by iOS 4.1b2, before JailbreakMe came out. Not sure if it was intentional or not, but it's closed. Here's what I get when I go to the site.


It was not intentional. Apple announced the pdf part of the exploit and fixed it for OS X before this happened. I'm sure that is where they got the inspiration to do this hack for iOS. The second phase of the attack was the ingenious part. This actually required two hacks to get in.
post #25 of 53
Quote:
Originally Posted by talksense101 View Post

These file format vulnerabilities are beginning to annoy me. PDF has been around for how long now? How fscking hard can it be to write a robust parser for a PDF with the amount of resources available with companies like Apple? It is nothing more than gross negligence.

It wasn't in the pdf parsing code. It was in the font rendering code. They injected a malicious font in the PDF file. Fonts actually contain interpreted code to give good results when rendering at small sizes. Apple redesigned their font architecture from the ground up a couple years ago to give significantly better performance. So they found an exploit in a relatively new system.
post #26 of 53
Quote:
Originally Posted by jhyson View Post

I was thinking the same thing, and you're right, it was the same domain. There was also a jailbreak that used the emergency phone key pad on a non-activated iPhone to hactivate and jailbreak with no computer required.

The phone was also less than a year old back then and Apple wasn't going after Enterprise customers. A similar hack now is a bigger deal, but the complexity of the hack shouldn't worry enterprise customers too much. They just need to make sure their phones are patched as soon as Apple releases the fix that is already in beta on day 0. As long as it doesn't get out of hand like the over-exaggerated "antennagate" issue there is nothing to worry about. Not to mention that people are less likely to go to questionable web sites on their phones than their PCs.
post #27 of 53
What? My iPhone is hackable? Unacceptable!!! I demand ANOTHER free bumper case!
Love The MAC, Hate On The FanBoy
post #28 of 53
Quote:
Originally Posted by blogorant View Post

What? My iPhone is hackable? Unacceptable!!! I demand ANOTHER free bumper case!

I demand a free firewall with blacklist!
post #29 of 53
Quote:
Originally Posted by CharlesYFarley View Post

DNA: "Do NOT Apple"

Labeling the freedom Apple phone customers now have as "jailbreaking" is simultaneously insulting and typical Applespeak.

If Jobs wants people to use his phones the way he wants them used, he better start giving them away and not charge for airtime, either.

Jobs reminds me of the brain-dead Republican (pointless redundancy, I know) who says she doesn't want the press to ask her any questions she doesn't want to answer.

Apple didn't come up with that term.
post #30 of 53
Quote:
Originally Posted by jhyson View Post

... I'm sooooo glad that they came up with the oh so original ideas of third party apps, background wallpaper, tethering, multitasking, and others! We didn't even know we needed them until Apple told us we did. Well maybe jailbreakers had them ALL before Apple released them ...

I don't believe for a minute that Apple didn't consider or plan all of those features and more from the very beginning for their OS X platform phone, when the smartphones they'd be competing against have had them for years --jailbreakers did not invent them.

People were already used to those features and Apple has been catering to them. After all, any OS is a work in progress.

You could make the point though, that we might have had multitasking earlier if the jailbreakers hadn't taken the pressure off of Apple by essentially fragmenting the iPhone market and sucking out all of those who would've petitioned for it, as Apple goes by priorities.
post #31 of 53
Quote:
Originally Posted by jz1492 View Post

I don't believe for a minute that Apple didn't consider or plan all of those features and more from the very beginning for their OS X platform phone, when the smartphones they'd be competing against have had them for years --jailbreakers did not invent them.

People were already used to those features and Apple has been catering to them. After all, any OS is a work in progress.

You could make the point though, that we might have had multitasking earlier if the jailbreakers hadn't taken the pressure off of Apple by essentially fragmenting the iPhone market and sucking out all of those who would've petitioned for it, as Apple goes by priorities.

So you are arguing that Apple has been behind all along and iOS 4 wasn't really ready but they were forced to release it anyway... I agree 100%.
post #32 of 53
Quote:
Originally Posted by solipsism View Post


2) There is already an app on Cydia you can install on your jailbroken iDevice to warn you that you may be opening a PDF that could access your system.

Oh, the irony. I'm sure jailbreakers will be happy to point out that in this instance, jailbreaking makes your iPhone more secure.

That's just hilarious.
post #33 of 53
Quote:
Originally Posted by Postulant View Post

Oh, the irony. I'm sure jailbreakers will be happy to point out that in this instance, jailbreaking makes your iPhone more secure.

That's just hilarious.

It is pretty funny, but it's not the first time. The original iPhone Safari hack back with v1.1 actually plugged the exploit after it jailbroke your phone.
post #34 of 53
Quote:
Originally Posted by solipsism View Post

It is pretty funny, but it’s not the first time. The original iPhone Safari hack back with v1.1 actually plugged the exploit after it jailbroke your phone.

There might come a day when we will need Norton for our smartphones. And the most secure device will run a Windows OS.

Haha... Also, Americans will be sneaking into Mexico to find work, only to be deported.
post #35 of 53
YEAH!! It is good discussion for jailbrake for iPhone 4.we can seize many information for iphone users.
post #36 of 53
Quote:
Originally Posted by iamiend View Post

So you are arguing that Apple has been behind all along and iOS 4 wasn't really ready but they were forced to release it anyway... I agree 100%.

As the newcomer, Apple was definitely behind in many areas. They could have done a hack job and get away with being "on par" with the others, much like Google did with Android, but they instead chose to do every additional feature right and worth the wait.

I think they succeeded and are now head and shoulders above the competition in every area. I just wish they had given multitasking a higher priority.

Every OS company is forced to release on a regular basis, unless they want their "longhorn" to become a "vista", so there are always features that need to be left out for the moment. As long as the OS as released is "complete" in terms of usability for the intended purpose.

In this sense, iOS was complete and usable from version 1.0 thru version 4.x
post #37 of 53
Quote:
Originally Posted by inman2787 View Post

YEAH!! It is good discussion for jailbrake for iPhone 4.we can seize many information for iphone users.

Your translation app sucks.
post #38 of 53
Quote:
Originally Posted by KangaMoJo View Post

So if I understand this right: go to a webpage that jailbreaks your phone and opens a huge security hole in your iPhone for mischief. AND you're doing it on purpose. All for a few marginally functional apps that you'll discover are crappy anyway only to revert to the original iOS anyway? Imagine a world where we all whine and complain that we couldn't jailbreak our refrigerators, microwaves, or TV's. Your phone is an appliance not your Jr. High science experiment. Go out and have a beer, meet up with some friends, play basketball, have s*x with your partner....whatever....but EVERYTHING in life is more important than jailbreaking your phone.

Malware, virus, etc..call it what you want. But it A) totally validates Apples closed system, and B) anyone dumb enough to do it deserves it.

For some, jailbreaking is about geeky stuff. Fair enough.

But let's face it, a lot of people jailbreak to pirate apps. Some don't, some do.

Nevermind the "marginally functional apps", you get virtually the whole App Store, cracked and free for you to download at your whim.

So some jailbreakers might actually (just throwing this out there) have more money to buy beers, basketball shoes, and gifts for their bf/gf to keep them happy.
post #39 of 53
Quote:
Originally Posted by inman2787 View Post

YEAH!! It is good discussion for jailbrake for iPhone 4.we can seize many information for iphone users.

Quote:
Originally Posted by Postulant View Post

Your translation app sucks.

LOL the new cry to arms... "All your base are belong to us" is so passé...

WARNING
WE CAN SEIZE MANY INFORMATIONZ!!
post #40 of 53
Quote:
Originally Posted by nvidia2008 View Post

LOL "We can seize many information!" will be the new cry to arms since "All your base are belong to us" is so cliche...

WARNING
WE CAN SEIZE MANY INFORMATIONZ!!

... In tears over here