Developers today said they used a pair of unpatched vulnerabilities in Apple's iOS to "jailbreak" the iPhone and iPad, including the first ever hack of the iPad 2.
Some security experts immediately said the unfixed flaw, and the fact it's essentially been released into the wild for miscreants to exploit, posed a danger to iPhone and iPad owners.
"If they exploited the same vulnerability in a copy cat maneuver, cybercriminals could create booby-trapped webpages that could run code on visiting devices," warned Graham Cluley, a senior technology consultant with Sophos. "All eyes now turn to Apple to see how quickly it can secure its users. "Leaving a security hole like this open is simply inviting malicious hackers to exploit it."
'Jailbreaking' refers to hacking iOS to allow an iPhone or iPad to install software not sanctioned by Apple, and not distributed through its official App Store channel. To jailbreak an iOS device, users must visit the JailbreakMe website with an iPhone, iPad or iPod Touch running the current version of iOS, then install JailbreakMe 3.0.
The hack was released by a team led by someone identified only as "comex," and is the latest in a string of exploits that have circumvented Apple's App Store-only model, including one issued by the same group last August, just weeks after Apple rolled out iOS 4. Ten days after JailbreakMe 2.0's 2010 debut, Apple patched the two vulnerabilities used by comex.
Charlie Miller, the only person to win prizes four years running at the Pwn2Own hacking contest, and a principal research consultant for Denver-based Accuvant, said it was likely Apple would react quickly to the newest jailbreak.
"This one is a remote code executable vulnerability," said Miller of one of the two bugs exploited by JailbreakMe 3.0. "Apple will probably patch this in a couple of weeks at the most."
Like Cluley, Miller was concerned by the bugs and exploits. "They're certainly a threat, and would be easy to make malicious," he said. Miller also noted that because comex released a patch for the vulnerabilities at the same time as JailbreakMe 3.0, the situation wasn't serious. "For anyone worried about security, they can jailbreak their iPhone and then apply the patch," Miller said.
Comex published the fix, dubbed "PDF Patcher 2," on the Cydia app store, a popular site for downloading applications that run only on jailbroken iOS devices.
"Due to the nature of iOS, this patch can only be installed on a jailbroken device," said comex in a short FAQ on JailbreakMe. "Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."
Comex also dismissed concerns that others would exploit the vulnerabilities, noting that had not happened in 2010, something Miller confirmed.
"There's always a first time, but I think there's a good chance the security impact of these vulnerabilities will remain theoretical," comex wrote in the FAQ. "I did not create the vulnerabilities, only discover them. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
Apple has not patched the bugs in the preliminary versions of iOS 5, the upgrade expected to launch alongside the next iPhone this fall, according to the iPhone Dev Team, another group of software developers who have created jailbreak tools. "But they'll almost certainly be fixed by the time iOS 5 is public," the team said.
Miller said the vulnerabilities used by JailbreakMe 3.0 were new to him. "I was surprised" by the vulnerabilities and the ensuing exploits, he said. "When Apple added ASLR [address space layout randomization] to iOS [4.3] in March, I thought we wouldn't see an exploit of it for a couple years."
JailbreakMe 3.0 exploits two separate vulnerabilities, said Miller, including one that circumvents ASLR, an anti-exploit technology designed to make it more difficult for attackers to predict available blocks of memory where they can execute their code.
One of the vulnerabilities is in iOS' font parsing code, and is exploitable via the PDF viewer built into the mobile version of Safari. The vulnerability does not exist in Mac OS X.
Miller called the JailbreakMe 3.0 hack "good work," "really slick" and "amazing." Miller recommended that iOS device owners who jailbroke their iPhones, iPads or iPod Touches apply the PDF Patcher 2 fix immediately after hacking the operating system.