X

iPhone jailbreak could double as security hole

Downloading PDFs from a certain Web site could allow a malicious program to have unrestricted access to iOS-based devices.

Erica Ogg Former Staff writer, CNET News
Erica Ogg is a CNET News reporter who covers Apple, HP, Dell, and other PC makers, as well as the consumer electronics industry. She's also one of the hosts of CNET News' Daily Podcast. In her non-work life, she's a history geek, a loyal Dodgers fan, and a mac-and-cheese connoisseur.
See full bio
Erica Ogg
3 min read
The new browser-based iPhone 4 jailbreak.
The new browser-based iPhone 4 jailbreak. Steven Musil/CNET

The jailbreak for the iPhone released over the weekend may have exposed a flaw in the iPhone's mobile Safari browser.

Unlike previous jailbreaks, which required the iPhone to be connected to a computer to run the software update, the latest jailbreak, posted by the iPhone Dev Team at Jailbreakme.com, is accomplished via the Safari browser loaded on the device.

But the fact that it can be performed just through Safari, and the way it's done, points to a larger problem, as several CNET readers and listeners wrote to us to point out Tuesday. It means potentially anyone could control your iPhone (or iPod Touch or iPad) just by visiting a certain Web page. A site can present the exploit as a simple PDF link, which requires no explicit user action short of clicking a link. It can then launch an exploit that takes advantage of the way the PDF viewer loads fonts.

The end result is that the program can then have unrestricted access to your iPhone or iPad or iPod Touch on virtually all versions of iPhone firmware, short of the iOS 4.1 beta, currently in the hands of developers for testing.

When reached for comment, an Apple representative said Apple is "aware of the reports and is investigating." We'll update if we hear more.

"It's really serious," said Charlie Miller, a principal analyst at Independent Security Evaluators, who was the first person with a public remote exploit for the iPhone.

There are two distinct vulnerabilities and two distinct exploits, he told CNET. One flaw is in the way the browser parses PDF files, enabling the code to get inside a protective sandbox, and the other hole allows code to break out of the sandbox and get root, or control, privileges on the device, he said.

"Basically, the way the iPhone is made to be secure is through several layers of defense, so even if someone were to compromise your Web browser, it limits what they can do," Miller said.

"There are a lot of people known for doing iPhone research, but I've never heard of this guy," Miller said, referring to whoever created the iPhone 4 jailbreak. "It goes to show you that for every researcher who is known, there are a bunch of others who know the same stuff and probably more"--and whose intentions might not be honorable, he said.

While this exploit is not malicious, other hackers could take the software, reverse-engineer it, and then release an exploit that takes control of the device for nefarious purposes.

"Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks/malware/uses," David Marcus, security research and communications manager at McAfee, wrote in a blog post.

"This should serve as a wake-up call for anyone with a mobile device: remote exploitation is real and here to stay," he wrote. "For now, these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world."

CNET's Elinor Mills contributed to this report.

This post was updated at 3:28 p.m. PDT with McAfee comment, at 12:51 p.m. PDT with Miller comment, and at 12:05 p.m. PDT with more details.