iPhone jailbreak exploit 'sweet' and 'scary,' says researcher

Perfect for drive-by attacks that hijack unsuspecting iPhones and iPads, says noted bug finder

The exploit used to jailbreak Apple's newest iPhone operating system is both "beautiful" and "scary," a noted vulnerability researcher said Monday.

And it's possible that criminals will use it to hijack anyone's iPhone, iPod Touch or iPad just by getting them to visit a malicious Web site.

That's Charlie Miller's take of the flaw in the mobile version of Apple's Safari browser that was used by someone identified as "comex" to jailbreak Apple's iOS 4.0.1.

"Jailbreak" is the term that describes the practice of hacking an iPhone to install apps not authorized by Apple.

Miller is a well-known security researcher with a reputation for hacking Macs and iPhones. A three-time winner at the annual Pwn2Own contest, and one of the three researchers who uncovered the first iPhone vulnerability in July 2007, Miller also demonstrated last year how to compromise an iPhone simply by sending a text message.

But he tipped his hat to comex, the Safari flaw comex found and the exploit the researcher crafted.

"Very beautiful work," Miller said of the exploit in a Twitter message Monday. "I'd have traded you 5 [exploits] for this exploit," he wrote in a follow-up tweet. "It's sweet."

Miller said he does not know comex, or the researcher's real name.

JailbreakMe 2.0 can be installed by browsing to the jailbreakme.com site with an iPhone, iPod Touch or iPad running iOS 4.0.1 or earlier. Moving the slider to the right kicks off the jailbreaking process.

"Not only does this elevate to the root, giving you complete control of the iPhone, but it breaks out of the sandbox," said Miller in an interview Monday, referring to the isolation technology designed to block rogue code from escaping the mobile Safari browser.

"There's no shell on the iPhone, so [comex] had to do all that himself to get control," Miller continued. "He elevated to root, turned off all code signing, broke out of the sandbox...all in the payload of the exploit.

"And it works every time. Not just a few times out of a hundred. But every time."

As proof, several people, including Miller, have posted photographs of jailbroken iPhones in Apple's own retail stores, the devices hacked by customers who browsed to jailbreakme.com.

In one of his tweets, Miller added, "Scary how it totally defeats Apple's security architecture."

1 2 Page
FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies