Security researchers impressed

Aug 5, 2010 16:56 GMT  ·  By

The JailbreakMe service is exploiting two previously unknown vulnerabilities in Apple's iOS. However, what impresses security researchers the most is how the exploits are chained together to bypass the entire security architecture of the operating system.

JailbreakMe.com is a free service which iPhone, iPad and iPod touch owners can use to unlock their devices so that non-Apple-approved applications can run. This process is known as “jailbreaking” and used to require technical knowledge beyond the level of a common user.

However, the method used by JailbreakMe requires nothing more than visiting the website from the device and accepting the operation. “Starting to get a handle on jailbreakme.com exploit. Very beautiful work. Scary how it totally defeats apple's security architecture,” commented renowned Apple hacker Charlie Miller on Twitter, shortly after the service was launched.

Miller has since finished reverse-engineering the jailbreaking procedure and is even more impressed. “It’s two exploits, chained together, and the one exploit has to run inside the payload of the other. It’s pretty cool,” the hacker told Forbes. He also called it the most advanced iPhone exploit ever published.

The first JailbreakMe exploit targets a vulnerability in the PDF reader component of iOS. Its purpose is to bypass Data Execution Prevention (DEP), a security feature designed to make it significantly harder for attackers to execute arbitrary code.

But with DEP defeated there is another problem: most iPhone applications, including the vulnerable PDF reader component, run in a sandbox. A sandboxed program has access to only a very limited set of resources, so even exploiting it successfully leaves the attacker with limited possibilities. Escaping from a sandbox is more difficult than defeating DEP, but the JailbreakMe author nevertheless managed it by exploiting a second vulnerability, this time in the I/O Kit, the framework that handles device drivers.

However, while this particular hack is not malicious, security researchers are concerned that ill-intentioned hackers might reverse-engineer the method and use it to steal sensitive data from devices. "To date, Apple's security approach has only involved controlling applications in their store so they can provide a safe environment, but this incident could bring the perception of Apple as a virus-free platform to an end. If Apple does not design security into the platform, this incident may only be the tip of the proverbial iceberg," Chester Wisniewski, a senior security advisor at Sophos, noted.

You can follow the editor on Twitter @lconstantin