Seems like this one has been a long time in the making, but there is finally a jailbreak for any iPhone, iPad or iPod running iOS 6 or 6.1. This jailbreak comes courtesy of a group called evad3rs. The jailbreak can be performed using any computer running Mac OS X, Window or Linux, and is a full un-tethered jailbreak meaning that once jailbroken the device can be rebooted without it needing to be re-jailbroken.
To perform the jailbreak, simply download the software for your OS, plug in your device, launch the evasi0n app and click Jailbreak. It’s pretty much as simple as that! Cult of Mac has a good summary of this process.
Quick warning: I know that many people are eager to jailbreak their devices – sometimes I also get annoyed at the restrictions Apple places on their devices – but remember that when you jailbreak you’re not only running exploit code and trusting a third party not to do anything malicious, but you also make your device less secure in the process!
With that in mind, check out the latest jailbreak at evasi0n.com.
The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2′ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.
If you’re only an occasional patcher – now is the time.
JailbreakMe.com has been updated to allow easy untethered jailbreak of your iOS devices, just follow the instructions on the site. Thanks to a new PDF exploit from comex (with the help of chpwn), it is now possible to jailbreak iPhones, iPads (including iPad 2) and iPod Touches running iOS 4.3.3 (note this doesn’t yet include any versions below that). During the jailbreak, saurik’s Cydia app store is automatically installed.
Interestingly, users with jailbroken devices can protect themselves by patching the PDF vulnerability by using ‘PDF Patcher 2′ in Cydia. Normal users will have to wait for iOS 4.3.4 from Apple. Note, however, that having a jailbroken iPhone or iPad still makes you slightly more vulnerable to other attacks, as the iOS sandbox is essentially bypassed.
Apple has released several security updates which patch vulnerabilities in the way Mac OS X and iOS handle certificate trust. This comes off the back of the recent Comodo hack in which several fraudulent – yet valid – SSL certificates were created for a number of prominent websites, rendering users vulnerable to potential man-in-the-middle attacks. These updates (2011-002 and iOS 4.3.2/4.2.7) improve the way certificate verification is performed in OSX and iOS. The Safari 5.0.5 update patches two critical bugs which could result in remote code execution.
In other news: Updates to Safari in Mac OS X 10.7 “Lion” have shown that the browser will bring support for the new Do-Not-Track functionality, intended to give users the ability to opt-out from tracking by Third Party tracking and ad companies. Whether or not this functionality will be fully respected by third parties remains to be seen. Lastly, a tethered jailbreak for iOS 4.3.2 has already been released.
A group of German security researchers from the Fraunhofer Institute for Secure Information Technology have discovered a way of extracting personal information and stored credentials from a locked iPhone, by way of a jailbreak. By gaining physical access to an iPhone (or iPad/iTouch), an attacker is able to reboot it into recovery mode, thus allowing them to upload their own jailbroken firmware onto the device. As part of this process SSH is enabled and a script can then be uploaded to the device which uses built-in system calls to extract encrypted data (including credentials in the keychain) from the device. See the video below for a demo of their attack, which can take as little as six minutes.
This attack would not be possible without existing jailbreak mechanisms, which effectively bypass the iPhone’s sandbox and allow unsigned code to be executed. The second issue is the way that iOS handles stored data and credentials, allowing any application to request the information. This is actually a prime example of the dangers of having a jailbroken iPhone or iPad, as it makes it much easier for an attacker to execute malicious code on your device.
These kinds of issues are not isolated to iOS devices, and the same would exist on other devices that could be made to run custom scripts. This will be a tricky issue for Apple to resolve, as much of its security relies on a strong sandbox. Their best chance is to try to identify and patch as many of the vulnerabilities that could be used for a jailbreak. They will also need to review the way iOS handles encrypted data, and ensure that data cannot be extracted by arbitrary applications.
Luckily there is not yet a publicly available automated tool to perform this attack, so it is unlikely that a random thief will be obtaining your data. If you’re really worried, you can use Apple’s free Find My iPhone service to remotely wipe your iOS device should it be lost or stolen. Check out my article on protecting and recovering your iPhone from loss and theft for more information.
The team’s original research paper is available here (PDF).
The Chronic Dev Team have released (site currently down) the Mac and Windows versions of their latest iOS 4.2.1 ‘greenpois0n’ jailbreak. The Linux version is still listed as “Coming Soon”. Jailbreak users are warned to keep their devices on iOS 4.2.1 when version 4.3 is released later in the week, corresponding with the announcement of the Verizon iPhone, as the exploit used in this jailbreak has already been patched.
iOS 4.3 is expected to bring a number of bug fixes, including the addition of “personal hotspot” functionality which will allow users to share their iPhone’s 3G connection with other computers and devices over Wifi.
[Updated 5/2/2011] Windows version released.
The XBMC team have announced an ARM-based release of their open source media player and entertainment hub for the Aple TV 2, iPad and iPhone. The software, that requires a jailbroken device, allows users to stream and play any audio and video format from local network stores. Your Apple TV also retains its normal functionality, and you can still watch/purchase content off iTunes.
XMBC is a great piece of software, and I have it installed on my original Apple TV streaming media from my 2TB ReadyNAS NV+.
The chronic dev team (@chronicdevteam) have released greenpois0n, their iOS jailbreak tool featuring an implementation of geohot’s bootrom exploit. Downloads are available for Mac OS X, Windows and Linux. It also only works on iOS 4.1.
This release of greenpois0n supports:
- iPhone 4
- iPhone 3G S
- iPod touch (4th Generation)
- iPod touch (3rd Generation)
Soon there will be another release, adding things like support for:
- Apple TV (2nd Generation)
- iPod touch (2nd Generation)
[Updated 4/2/2011] greenpois0n updated to jailbreak iOS 4.2.1
geohot has released limera1n, the latest iOS jailbreak. After the success of comex’s Jailbreakme.com, which was patched by iOS 4.0.2, limera1n brings a theoretically unpatchable exploit thanks to an extremely low-level vulnerability that affects all of Apple’s iOS-base devices. Both Mac OS X and Windows versions of limera1n are now available for download.
The jailbreak uses an exploitable vulnerability in the iOS boot-rom. This is the reason it’s theoretically unpatchable, as the boot-rom is something that would need to be physically flashed on the affected devices. By ‘unpatchable’ I mean that Apple will not be able to patch the vulnerability that makes the jailbreak possible, on existing iOS devices. If this is indeed the case, then this would mean that the current line of iOS devices are guaranteed to be jailbreakable even when applying new iOS updates. Apple would have to patch the bug in the boot-rom in new devices they release down the line.
In other news, the jailbreaking scene has had its feathers ruffled as the chronic dev team were originally going to release their greenpois0n jailbreak (using their SHAtter exploit). Rumor has it they shared their exploit with geohot, who went ahead and published his own tool before they could. Fun times.
[Update] Although the boot-rom exploit might not be patchable, limera1n uses a userland exploit to perform the untethered jailbreak. This means that Apple could potentially patch the untethered part of the jailbreak – although the boot-rom exploit would still exist. For more info read Update #1 at the bottom of this post.
Many people seem to be wondering what is meant by limera1n being ‘unpatchable’. Hopefully this posts answers that question somewhat. If you’re still unsure, feel free to post a question in the comments.