iPhone 13 Pro remote jailbreak earns researchers $300,000 in hacking contest

A jailbreaking group has reportedly earned a $300,000 cash prize from the annual Tianfu Cup hacking contest in China, by performing a remote jailbreak on an iPhone 13 Pro running iOS 15.
The Tianfu Cup hacking contest is China's counterpart to the Pwn2Own style competitions elsewhere in the world, offering big prizes to researchers who bypass protections on consumer devices and software. On the first day of the 2021 competition, it appears one team has already secured a major prize, by successfully attacking an iPhone 13 Pro.

Pangu team, best known for jailbreaking Apple hardware, has reportedly successfully performed an attack against the iPhone 13 Pro and iOS 15 at the highest possible prize level. According to a tweet by Kunlun Lab CEO @mj0011sec spotted by iDownloadBlog, Team Pangu managed a remote jailbreak, earning the highest prize on offer for the device, and earning the top spot in the competition's rankings.

According to the contest website, teams had to allow the iPhone 13 Pro to browse a remote URL, to allow the contestants a chance to "control the phone system." As part of the challenge, contestants had to bypass "PAC mitigation," with additional prizes offered for a sandbox escape or a jailbreak.

Three tiers of prizes were associated with the iPhone 13 Pro: remote code execution won $120,000, RCE with a sandbox escape secured the contestant $180,000, and a remote jailbreak earned $300,000.

The iPhone is only one of a number of targets in the overall competition, covering both Apple devices and products from other companies. Other targets include RCE attacks against Safari running on both Intel and Apple Silicon MacBook Pro models, as well as a Synology NAS, a Xiaomi Mi 11 smartphone, and Windows 10 and Google Chrome running on notebooks, among others.

With another day left to run, it's likely that more successful attempts against Apple's hardware, and others, will be reported before the competition formally concludes.

In the 2020 competition, two sandbox escapes were performed against an iPhone running iOS 14, earning participants $180,000 for each one.

It is unlikely that any details of the hack will be made public anytime soon, as responsible disclosure policies usually require the hack to be reported to the relevant companies or developers to be fixed before a public reveal.


Comments

  • Reply 1 of 13
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
  • Reply 2 of 13
    LMAO, iOS is pretty secure compared to the competition (Android); don't expect to see those hacks get wasted and used easily in the wild. Apple is patching things constantly and seeds the update in a very short time.
  • Reply 3 of 13
    danox Posts: 3,284 member
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
    Don't pay a bounty, get criticized; pay a bounty, get criticized. Apple can't win. :)
  • Reply 4 of 13
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
    The only thing that's clear is that you like to babble.
    Whatever. The jailbreak speaks for itself.
  • Reply 5 of 13
    But didn't Tim come out and tell everyone that iOS is secure due to its App Store and locked-down nature, just a few weeks ago? Remotely gaining root access doesn't sound all that secure to me, especially when it's the latest flagship device on the latest iOS.
  • Reply 6 of 13
    davidw Posts: 2,100 member
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
    And then we have people that will cry like a baby that they can't install any app they want on ....... "MY DEVICE". Well, nearly every version of iOS has a jailbreak, and once jailbroken, you can install any app you want and from a number of third-party app stores. These people need to install the jailbreak and quit their crying. No excuse for not being able to install a jailbreak and visit a third-party app store to install any app they want on ......."MY DEVICE".

    Even if Apple might patch the security bug that allowed the jailbreak, it's not patched unless one updates iOS. So jailbreakers know not to update iOS until there's a jailbreak available for the newer versions.

    And no, the iPhone 13 Pro was not locked down when it was remotely jailbroken. In order for the jailbreak to install, the iPhone user had to click on a remote URL that opens a Safari browser that logs on to the site where the jailbreak software can install. That is something that cannot be done on a locked-down iPhone in the hands of the average consumer. In order to do this, one has to first install the remote URL link into the iPhone, and this can only be done by a developer with a license, or the remote URL link is in an app that somehow got past Apple App Store security. This was not done using a link in the Safari browser.

    According to the contest website, teams had to allow the iPhone 13 Pro to browse a remote URL, to allow the contestants a chance to "control the phone system." As part of the challenge, contestants had to bypass "PAC mitigation," with additional prizes offered for a sandbox escape or a jailbreak. 

    But the jailbreak is real, even if the remote part might only work under a controlled situation. And that's the real benefit of this hack: it shows another way that iOS 15 can be jailbroken.
  • Reply 7 of 13
    davidw Posts: 2,100 member
    lam92103 said:
    But didn't Tim come out and tell everyone that iOS is secure due to its App Store and locked-down nature, just a few weeks ago? Remotely gaining root access doesn't sound all that secure to me, especially when it's the latest flagship device on the latest iOS.
    >According to the contest website, teams had to allow the iPhone 13 Pro to browse a remote URL, to allow the contestants a chance to "control the phone system." As part of the challenge, contestants had to bypass "PAC mitigation," with additional prizes offered for a sandbox escape or a jailbreak. <

    Just where did you get the idea that this hack gained access to an iPhone that was locked down? One has to install a special remote URL in their iPhone in order to allow this hack to gain remote access. This can only be done if you have an iOS developer's license or an app with the remote URL link somehow got past Apple App Store security.
  • Reply 8 of 13
    IreneW Posts: 306 member
    danox said:
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
    Don't pay a bounty, get criticized; pay a bounty, get criticized. Apple can't win. :)
    As I understand it, these prizes are from the competition, not from Apple. (Then, Apple might pay a bounty as well, but I guess we will never know.)
  • Reply 9 of 13
    22july2013 Posts: 3,695 member
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
    I need clarification from you. Are you saying that because iOS "isn't impenetrable" that Apple should open up the OS to non-secure things? Please clarify.

    Are you also arguing that since airport security isn't impenetrable, that we should allow guns on airplanes? (In case you didn't know, Somalia used to allow guns on airplanes and there was never a hijacking when that was allowed. But it didn't stop a bomb from getting on board once.)

    Your logic is flawed.
  • Reply 10 of 13
    sflocal Posts: 6,122 member
    Quick! And yet the Apple elite will claim that iOS is super secure and alternative app stores will destroy the security model. Even while locked down, it's clear the iOS kernel isn't impenetrable.
    The only thing that's clear is that you like to babble.
    Whatever. The jailbreak speaks for itself.
    Nonsense.  No OS is 100% secure and fanboys from both sides are all bad.

    The jailbreak means absolutely nothing except that it will keep Apple on its toes and folks like you like to fabricate faux drama to suit your narrative.

    Short version: you like to babble.
  • Reply 11 of 13
    davidw said:

    And no, the iPhone 13 Pro was not locked down when it was remotely jailbroken. In order for the jailbreak to install, the iPhone user had to click on a remote URL that opens a Safari browser that logs on to the site where the jailbreak software can install. That is something that cannot be done on a locked-down iPhone in the hands of the average consumer. In order to do this, one has to first install the remote URL link into the iPhone, and this can only be done by a developer with a license, or the remote URL link is in an app that somehow got past Apple App Store security. This was not done using a link in the Safari browser.
    A remote URL is just a link to a page on a remote server. In this case it is a malicious link, so the user would somehow need to be "tricked" into clicking on it, but no special privileges are needed to access it. It is in no sense "installed" on the device.
  • Reply 12 of 13
    lam92103 said:
    But didn't Tim come out and tell everyone that iOS is secure due to its App Store and locked-down nature, just a few weeks ago? Remotely gaining root access doesn't sound all that secure to me, especially when it's the latest flagship device on the latest iOS.
    So you're saying, as long as a vulnerability can be found anywhere in the system, Apple should immediately open the door to even more opportunities for other kinds of vulnerabilities: ones that extend beyond these technical issues and instead work through fraud and deception? How does that make any sense?

    Your idea also means that should Apple allow alternative app stores: they can immediately pull the rug on them and shut them down if no bugs are found in a bounty competition.

    edited October 2021