For the first time in years, a hacker has managed to release a working public jailbreak for a fully updated iPhone. It means the phones can have unofficial software installed by users wanting to bypass Apple’s strict controls and potentially makes it easier for the handsets to be maliciously hacked.
First off, an iPhone jailbreak isn’t a Black Mirror-esque escape plan by the little people who live inside your phone and make it smart, but instead a term describing an attempt to modify an electronic device to remove restrictions imposed by the manufacturer or operator. The usual end goal is to let you install unauthorised software.
“For any device, the goal of a jailbreak is to find a loophole in coding to jump over any restriction that the manufacturer has put on it”, says Ayman El Hajjar, a lecturer in computer science and engineering at the University of Westminster. “Basically, what jailbreaking does is escalate privilege – it means the operating system security precautions are removed, and you are able to overcome them.”
First reported by Motherboard, the new jailbreak is centered around the SockPuppet vulnerability, found by Google hacker Ned Williamson. Apple first fixed the problem in iOS 12.3 but reintroduced it in the latest version of its code, iOS 12.4, which was released in June. In doing so, Apple has inadvertently made it easier to jailbreak and hack its own product. This weakness let an attacker corrupt the phone’s kernel memory, allowing a security researcher, called Pwn20wnd, to develop and publish an iPhone jailbreak.
This is a big deal for Apple, which offers a restricted user experience – apps on its app store are subject to rigorous testing and restrictions, for instance – in return for high security. The last time the newest version of iOS was open to a jailbreak vulnerability was back in 2015, when iOS 9 was prominent, and only for seven days.
“When it comes to Apple they have a very strict strategy in terms of which applications that allow an app store and which applications they don’t,” says El Hajjar. “I use an iPhone and I sometimes find the security measures are too much for an average user – every time you want to do something it requires a password. Apple tries to sell its iPhone as a device that is very secure.”
This begs the question then – why would someone want to jailbreak their iPhone in 2019? There are actually quite a few reasons. From a basic user perspective, jailbreaking your phone can open up a host of new possibilities. “There’s quite a few benefits – I use an open source operating system because it gives me the flexibility to do whatever I want with my operating system,” says El Hajjar. A phone gains this flexibility after it’s been jailbroken. “It allows you to really customize your phone and use it to its full abilities,” he says. (iOS users, for instance, are already redesigning the look of their iOS home screens).
There are also cybersecurity benefits to this slip-up, explains Thomas Reed, director of Mac and mobile at Malwarebytes. Security researchers need to be able to jailbreak iOS devices in order to study them. (Apple had said this month that it would give out less restricted iPhones to security researchers as part of its bug bounty programme).
“For those researchers, this slip-up by Apple is a huge boon, allowing them to jailbreak and study the most up-to-date version of iOS available,” Reed says. “Although such research can obviously result in malicious activity, it is also the source of many of the bug fixes in every iOS release, as security researchers report issues to Apple through the bug bounty program.” Companies such as Zerodium offer bounties worth millions of pounds for discovering these exploits.
The exploit in iOS 12.4 affects even law-abiding iPhone users. First off, be careful what apps you download. “I hope people are aware that with a public jailbreak being available for the latest iOS 12.4 people must be very careful what Apps they download from the Apple AppStore,” said security researcher Stefan Esser on Twitter. “Any such app could have a copy of the jailbreak in it.” This would theoretically allow hackers to take control of your iPhone.
For instance, Pwn20wnd told Motherboard that a hacker ‘could make a perfect spyware’ exploiting the bug to steal your data. However, no examples of this have been found in the time since the vulnerability was found in the code. Apple has not responded to media requests for comment about the problem but is likely to fix the issue in a release of iOS 12.4.1 in the coming days.
And what about the renegade Apple fans itching to jailbreak their own iPhone? Well, beyond the chance of bricking your phone and voiding your warranty there are multiple dangers in taking this path: “If you’re an average user, you should definitely avoid jailbreaks at all cost,” says Reed. He says that jailbreaking your phone removes its security, putting you at a much higher risk of attack or malware, and that the most common ways iOS devices get infected are through targeted nation-state attacks or by jailbreaking.
El Hajjar agrees. “I personally wouldn’t advise jailbreaking phone,” he says. Any jailbroken phone can’t be updated with Apple’s security upgrades, leaving it vulnerable.
“It’s also worth noting that Cydia Impactor [a software needed to carry out the jailbreak] requires that the user enter their Apple ID credentials in the app in order to load the .IPA file onto the device,” says Reed. “It’s never a good idea to provide your Apple ID credentials to any app, since those credentials are the key to your entire Apple life.”
There have been cases, he explains, where those credentials have been used to lock devices remotely, via Apple’s Find My service, with a ransom message displayed. “I know of at least one person whose iMac was essentially bricked because she no longer had the receipt to prove ownership,” he says. “Apple can unlock a remotely locked device, but because of the likelihood of theft in such cases, they require proof of ownership.”