A great talk with p0sixninja, pod2g, pimskeks, and OPK at HITB 2012 Amsterdam

Jun 9, 2012 12:31 GMT

The 2012 edition of the Hack in the Box conference in Amsterdam featured a world premiere: for the first time ever, the entire Chronic Dev Team got together in one place.

As many of our readers may already know from our HITB coverage, we’ve had the honor of interviewing the hackers to whom most people are grateful for being able to install tweaks and third-party applications on their iPhones.

Joshua Hill (@p0sixninja), Cyril (@pod2g), and Nikias Bassen (@pimskeks) were scheduled to take part in our interview, but as it turned out, we were even luckier than that because OPK was also able to attend the meeting and share some precious insight.

Softpedia: How was the first ever union of the Dream Team?

Nikias: Nice. It's actually the first time more of the team got together. Previously only two or three members of the team got together, but this time we have everyone here so it's nice.

Cyril: It's nice, yes. We're really happy with this event and we're really happy to be here.

Softpedia: Why did you wait so long to get together?

Cyril: Oh, it's about money and time. We just couldn't afford such a trip to be all together.

Softpedia: Or did you prefer to spend your time working on the jailbreaks?

Nikias: Apart from our private lives, yes.

Softpedia: Cyril, if you could put a price on the exploits from the 5.1.1 jailbreak, how much would you estimate they’re worth?

Cyril: This is a difficult question to answer, but it's a lot.

Softpedia: Why did you say you would refuse even $1 million for the beta version?

Cyril: I wrote that, but it's not all about the money. We're doing this for the fame, of course. We're doing it for the people, because we like people having their devices jailbroken. This is what we're doing. This is what we like so this is not about money. That's why if the only thing we could get is to make people happy, this is enough for us.

Softpedia: When you first started to develop the jailbreaks, did you see it as a challenge or did you foresee a large adoption?

Cyril: No, at first I think we were doing that because we liked it. We like exploiting stuff, we like writing low level stuff and this is pretty fun to do. When I started helping the Chronic Dev Team in 2009 I did that because it was fun.

I had an iPod 2G, which is my nick, and it couldn’t be jailbroken. It was pretty much closed and Apple Store apps at that time were not really interesting and Cydia apps were really exciting. There were emulators, there were tweaks that we couldn’t find on the App Store. There were only a small number of applications in the App Store in 2009.

So when I started, it was to free my device, I wanted to tweak it, which I never did, by the way. But, yes, I started for fun.

Softpedia: How about you Nikias?

Nikias: Yes, it is a challenge. It's a personal interest to step over a certain level to achieve access to something that is actually restricted. It's actually fun, but... well it's also like a bit of science and you have to really put a lot of energy into it.

On the other hand, it's also nice to make other people happy by letting them use this. Jailbreak offers a wide range of possibilities for people doing things with their devices which they aren’t actually allowed to do. Like extensions for example, there are so many extensions, so many nice things you can do with your iPhone if you jailbreak it to enable more possibilities.

Softpedia:  Joshua, did you foresee a wide adoption?

Joshua: No, not really. At first it was just a fun hobby. I don't think anyone really expected us to find anything the first time, but we kind of did. I'm happy it's gotten this big.

Nikias: I think it's also really interesting to see how many people are involved in the whole scene to develop tweaks and also to develop whole apps that don't require restrictions you have from the App Store.

OPK: There is a whole culture developed upon jailbreak. We’ve helped create this sort of a culture.

Softpedia: You are probably aware of the fact that your "products" are making Apple warranties void. Do you lose any sleep over the fact that you might damage a lot of devices if you don't get it right?

Joshua: Well, not their devices. Their data maybe.

OPK: It's always a concern, but we do our best to make sure that we're not going to break anything that isn't recoverable.

Obviously, if you take a jailbroken device that is having trouble, say if the screen is flickering or something you take it to Apple and they notice that it’s jailbroken, they’ll hand it back to you and say “you’ve voided your warranty because it’s jailbroken.”

But if you restore the device, take it in with the same flickering screen, they’ll replace it. There is no way really anyone can tell it has been jailbroken.

Nikias: So actually no one should be worried about that.

Cyril: To break a device never happened in the past and it won't happen. It's not possible.

Nikias: The design of the jailbreak makes it impossible to break the device.

OPK: People break devices, but I’ve never heard of anyone breaking a device because of a jailbreak.

Softpedia: What about this cat and mouse game between you and Apple? Did you get any phone calls from Apple telling you to stop?

Cyril: No, never happened. I have the feeling that Apple is in fact happy with the jailbreak. It makes a lot of advertising around their products and also we are like free researchers.

Nikias: Actually Apple should have to pay us because we help them to do real security research.

Cyril: I have people of Apple following me on Twitter. I exchanged some direct messages with them and they never said anything bad about jailbreaks. I think they are happy because we exist.

Softpedia: Do you hope to be on Apple’s payroll any time soon? Surely your expertise in compromising iOS poses great benefits for the Cupertino, California giant.

Nikias: It depends. I could imagine, but it depends on what they want us to work on. I mean, security stuff is actually what we do, so, if the offer is high enough, nobody would really say no. On the other hand, it's maybe a cut-off from the jailbreak scene.

I think the best example is Comex. He's still sort of active, but, well, he cannot really do anything because Apple is watching him. He's not allowed to do like "stuff," so that's the downside of this.

It would be a really difficult decision because we are so close together, and if someone just stepped out of the team and... I don't know, it would be hard. I think everybody would understand that I work for Apple, but, yes, they would also say that "it's really sad because we lose a big member of the team." Whoever it is, I'm not especially talking about me.

Cyril: I don't have exactly the same feeling about this. I've been a big Apple fan for a long time now, and I may be kind of an egoist, talking about the team and other things, but if Apple were to propose something interesting to me, then yes, I would really be happy to work for Apple.

This is one of my goals in life. Even if it's not in the security field, even if it's developing applications, or developing websites, anything involving Apple would make me happy.

Joshua: I wouldn't want to work for Apple. I like more the hacking stuff really. I like it on this side of the fence.

Softpedia: What’s the general procedure when iOS 6 comes out?

Cyril: We will not give you the exact recipe, but we have other exploits that we won't release at any time. This is our secret. It allows us to inject stuff into new devices and to start dumping the memory. When we have the dumps, we look at different ways of finding the vulnerability.

Different people in the team work differently and this usually leads to finding vulnerabilities quickly. We find them in one month or two and then we start exploiting them. We start this process only when the final version of the system is released.

That's why we always have a delay after the firmware release to do a jailbreak. Because we need to be assured that what we do will work for sure, that they don't fix it in the beta 3 or beta 4, so we start only when the release is here.

Softpedia: What’s so special about the processors? Why was it easier to jailbreak iOS 5 on the A4 chip than iOS 5 on the A5 / A5X?

Nikias: Because for the older A4 devices we still have the limera1n exploit, which allows us to boot unsigned ramdisks and whatever you need, and this actually allows you to make a tethered jailbreak for this device, which is really easy.

You have to adapt how you break the kernel because you want to run on this particular version of the iOS, but it's actually really fast because you have full access to the root file systems and you can modify anything.

This is no secret, this has been known for a long time. This is the reason why it doesn't work with newer devices, because it's a bootrom-level exploit that really allows breaking the firmware signature checking.

Cyril: There's also one little problem with the A5 because we don't have a bootrom or iBoot exploit, we can't play with the AES shift to decrypt and then crypt back images. So we are not able to add the keys to decrypt the kernel or the file system of the device.

With the first version of Corona we had to find those secret tools we now have to enter into a device and the other things we need to actually do the jailbreak.

Softpedia: How would you assess the amount of knowledge gained from hacking Apple’s devices? Is it a more fulfilling experience than, say, hacking an Android smartphone?

Nikias: Yes, it is fulfilling hacking Apple’s devices and I think there's also a higher level of security features you have to break to jailbreak an iDevice compared to an Android device.

Cyril: Also, the big problem with Android today is that the market is really segmented into different devices, and the main goal of rooting an Android device is to allow the user to install custom firmware on it.

And different devices lead to different vulnerabilities that could touch only a few individuals of the whole market.

So this way is not interesting to us because when you do something, when you spend hours to find vulnerabilities in a device, you only help 10,000 people, maybe 50,000 people, but not like in the Apple world where we help millions of people with our jailbreaks.

OPK: We would have to build a version for every handset, which would be a huge task.

Nikias: It would require so much work. An exploit for a particular device might be a lot easier, but if you want to support a wide range of devices, it's nearly impossible. There are different versions, different processors so it would be a very difficult task.

Cyril: Also, the goal is not the same. The only goal is to root the device so that you can update your Android to the next version because the vendor of your particular device didn't take the time to update. So, the goal is just not interesting.

In the Apple world, we do that for Cydia, tweaks and applications we can't see in the App Store. Everything is possible in the Android markets so it is not the same world, we can't compare them.

Softpedia: Right now Apple is not allowing anyone to develop antivirus software for the platform. Eugene Kaspersky himself said “It is much more difficult to infect iOS [than Android and Windows] but it is possible, and when it happens it will be the worst-case scenario because there will be no protection.” What’s your opinion on this?

Cyril: A virus may indeed appear on iOS in the future. One would need a lot of effort to achieve this and good knowledge of all techniques used by jailbreaks to circumvent code signing enforcements.

Apple can't allow antivirus software for iOS because it would need to let App Store applications hook the internals of the operating system. An antivirus basically controls what enters the OS in order to eventually block it.

Allowing this would mean extending the current API to add these hooks, and there is a big risk that it would extend the attack surface at the same time.

Good thing for Eugene Kaspersky is that he could develop an antivirus for Cydia, that would protect jailbroken devices against security threats.

Nikias: There was one ... a worm with a strange picture, but it wasn't really...

Cyril: That was all about Cydia and SSH passwords. People could just connect through SSH using the default passwords on the devices. But this is not possible anymore and Cydia warned about that.

Right now I have a feeling that iOS is the most secure operating system in the world.

OPK: That worm only affected devices where the root password wasn't changed from the default. If you set another root password, it would not work.

Softpedia: Would you state that an antivirus for iOS would be useless?

Cyril: Useless for unjailbroken devices, maybe useful for jailbroken devices because on Cydia there could be untrusted sources so people could install malware. I haven't heard of such incidents in the past few years, but it's possible. So yes, if I were Kaspersky, maybe I would try to write antivirus software and I would sell it on Cydia.

Nikias: If they were to develop an antivirus for unjailbroken devices Apple would have to allow Kaspersky to access a portion of the systems which they're not allowed to access because of Apple's policies.

OPK: I think they would develop their own, they wouldn't want anyone to go near it.

Cyril: Today, I think that Apple is not on the way to developing antivirus software. They just want to have the most secure operating system in the world. They keep adding security features to every major iOS version. With iOS 6 we're expecting to see kernel address space layout randomization (ASLR), which will be a first for public operating systems.

Softpedia: Do you have anything to add?

Cyril: There's one important thing to say. We won't give up on jailbreaking iOS devices because this is too important for us and we already have a part of the jailbreak for iOS 6 and hopefully, we will be ready right on time for it.

OPK: Thanks to everyone for their support and #JBFTW!