
The Lookout Blog

August 7, 2010

New Way to Jailbreak iPhone Opens the Door to New Security Threats

Since the first version of the iPhone, and now on the latest versions of both the iPhone and iPad, users have used a technique called jailbreaking to override the software sandbox on their devices in order to gain full control of the operating system and install applications that Apple has not approved. This week a site called jailbreakme.com made news by enabling users to jailbreak an iPhone or iPad in a matter of minutes simply by visiting a web page. This latest technique has raised significant security concerns because it performs the jailbreak by exploiting a pair of recently discovered vulnerabilities in the software of the iPhone and iPad itself (iOS).

While there have not yet been reports of these exploits being used maliciously, the security implications are significant. Now that the exploits are publicly known, they can be easily modified for malicious purposes, creating a big potential risk for iPhone and iPad users. All that is needed to exploit an iPad or iPhone is for the browser to visit a maliciously crafted web page; from the PC world, we know that there are a variety of ways to make that happen. For example, a bad actor could send out an email or SMS that encourages users to visit a link that would result in their iPhone being exploited without their knowledge. While the currently known exploit in the wild jailbreaks your phone, the vulnerabilities it relies on allow an attacker full access to do anything.

What can an attacker do with full access (called “root”) to your phone? Perhaps the least nasty result is that your phone becomes jailbroken; however, full access allows attackers to do virtually anything on the device. It is possible for malicious code to steal data, capture online banking and account credentials, make charges to your phone bill, and do anything else your phone is capable of. Apple has been quoted saying they are aware of the issue and are working on a fix.

How does this affect the average iPhone or iPad user?

First, you shouldn’t jailbreak your phone unless you have experience securing Unix systems. If you don’t know what this means, don’t even think about jailbreaking your phone.

Second, to avoid having your phone exploited without your knowledge, follow these tips:

1. Don’t visit any suspicious web sites from your iPhone or iPad.
2. If you receive an email or text message from someone you don’t know, avoid visiting any links they ask you to visit.
3. Don’t open any PDF files from people you don’t know on your iPhone or iPad.
4. Pay attention to any new attacks that are discovered in the wild.
5. Be sure to update your phone as soon as Apple makes a patch available.

Finally, if you do want to jailbreak your phone, make sure to install this tool to warn you every time an application on your phone attempts to open a PDF.

Be sure to check back often, as we’ll be posting updates as this security issue develops.


About this blog

This is the official blog of Lookout, a mobile security company in San Francisco. Find out more about us or our product.