The Mac Security Blog


Apple Updates iOS; Fixes Jailbreak Vulnerability

Apple has released updates for its iOS devices to fix the recently discovered vulnerability that allows remote jailbreak without user intervention. The gravity of this flaw was such that Apple rushed out the fixes, which resolve two issues:

  1. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution.
  2. Malicious code running as the user may gain system privileges.

More information is available from Apple’s Security Updates page.

These updates affect the iPhone and iPod touch running iOS 4.0 or later, and the iPad, running iOS 3.2 or later. The updates are only available through iTunes, when the devices are connected to a computer.


Jailbreaking an iPhone Is Now Officially Legal (in the US)

The Library of Congress has issued a statement that allows the breaking of copyright protection in certain cases, as part of the fair use doctrine of copyright law. This statement covers, among other things, the protection applied to a smartphone to limit access to the file system and prevent users from installing software. It is this latter protection that prevented users from having the right to jailbreak iPhones.

As the Librarian of Congress says,

Persons who circumvent access controls in order to engage in noninfringing uses of works in these six classes will not be subject to the statutory prohibition against circumvention.

There are six “classes of works” where such circumvention is now allowed:

  1. Movies (or TV shows) on DVDs, protected by CSS.
  2. Computer software used on wireless telephone handsets, for questions of interoperability.
  3. Computer software circumvented to access a specific type of wireless network.
  4. Video games, if such circumvention is performed for testing, security audits, etc.
  5. Computer software protected by dongles which are damaged or obsolete (i.e., no longer compatible with current hardware).
  6. Ebooks that prohibit text-to-speech features on hardware. (Note: there is a discrepancy between the six classes presented in the Library of Congress’s statement and the full document from the Federal Register linked to in the next paragraph. In the latter document, this specific case, the text-to-speech issue, is listed as being refused.)

It’s the second class, along with the third, that affects the iPhone and other smartphones. (A complete text of the ruling from the Federal Register is here in PDF form. It more specifically addresses the issue of jailbreaking and the iPhone.)

Apple has issued a statement regarding this decision:

Apple’s goal has always been to insure that our customers have a great experience with their iPhone and we know that jailbreaking can severely degrade the experience. As we’ve said before, the vast majority of customers do not jailbreak their iPhones as this can violate the warranty and can cause the iPhone to become unstable and not work reliably.

We have often stressed that jailbreaking is a risky procedure, irrespective of any warranty issues; it can open up an iPhone or other device to security threats. While it is now considered legal in the US, it still carries a broad number of risks, and we still recommend that users do not jailbreak their iPhones.


iPad, iPhone Jailbreak Tool Available

The latest version of Spirit, a tool to jailbreak the iPad, iPhone and iPod touch, has been released. It requires a device running firmware 3.1.2, 3.1.3, or 3.2. Described as a beta, this tool may cause problems, but it installs Cydia, the program used to access non-Apple-approved applications. It does not, however, unlock iPhones for use with phone companies other than those approved by Apple.

We’ve said it here many times: jailbreaking is dangerous, and opens up iDevices (is that a generic term that will save us writing iPad, iPhone and iPod touch every time?) to security risks. We’re sure many iPad owners – more than 1 million so far – will want to try this out to open their iPads up to more software. Be careful; while there’s less of a risk with an iPad (or an iPod touch) than an iPhone, security issues still exist. If you use your iPad in a public area over Wi-Fi, it could be vulnerable if it is jailbroken.

Is Apple Blocking Jailbroken iPhones from the App Store?

The Redmond Pie website is reporting that Apple may be banning jailbroken iPhones from the App Store. Two people have reported that their iPhones have been banned for “security reasons”; they discovered this when trying to connect to the App Store.


According to the screenshots they have provided, the Apple ID itself is banned, which means that those users are most likely banned from accessing the App Store using iTunes as well. It’s not clear if their iTunes Store accounts are totally blocked, or if this just applies to iPhone app purchases.

Since these reports are merely anecdotal for now, we will have to wait and see if more users of jailbroken iPhones are blocked from the App Store before being able to confirm this. It is possible that these “security reasons” are related to other issues, such as a credit card fraud probe of the iTunes Store, or a similar issue regarding fraudulent gift cards, which has been circulating for some time.

We have discussed the risks of jailbreaking an iPhone many times, notably in our Year in Mac Security 2009 report. It seems that Apple, unable to prevent jailbreaking as such, is shutting a different door, which may make people think twice before jailbreaking their phones.

Worm Affects Jailbroken iPhones, Changes Wallpaper

[We could have illustrated this article with the picture of Rick Astley that is applied as an iPhone wallpaper by this worm, but we felt you've probably seen enough of him.]

An iPhone worm, dubbed “ikee”, has been found in the wild affecting jailbroken iPhones (iPhones hacked to allow installation of software other than through iTunes). The worm takes advantage of a weakness in jailbroken iPhones whereby ssh (secure shell) access is available with a widely-known default password. (Users who have changed the password are not vulnerable.) We recently discussed a Dutch hacker who was taking advantage of this same weakness, one which can allow full access to the contents of the iPhone.

This worm, however, was meant as a “prank” and installs an image of Rick Astley as wallpaper, then turns off ssh (thereby making the “infected” phone safer), before sniffing around to try and find other phones to infect. Created by Ashley Towns, an unemployed Australian programmer, this “prank” seems to have gotten a bit out of control. While it can’t infect all jailbroken iPhones – some phone networks use NAT (network address translation) that prevents direct access to an iPhone using an IP address, and others block ssh packets on their networks – the worm seems to have spread outside its native Australia.

This page discusses the worm, and this page is an “interview” with Ashley Towns, who seems to not understand the extent of his little joke.

One way to protect against this exploit, as well as others that take advantage of the ssh weakness, is to change the root password for the iPhone. This page explains how to do this.
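One way to verify that the password change described above has actually been made, as an added example that is not from the original post: compare the device's account file with the copy from an unmodified firmware image and flag any login account whose hash is still identical. The BSD `master.passwd` field layout, the account names and the placeholder hash strings are assumptions constructed for illustration.

```python
# Added example (not from the original post): find login accounts whose
# password hash is still identical to the one shipped in the stock image.
# Assumed layout (BSD master.passwd, 10 colon-separated fields):
#   name:hash:uid:gid:class:change:expire:gecos:home:shell
NOLOGIN_SHELLS = {"/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_master_passwd(text):
    """Return {account: (hash, shell)}, skipping comments and malformed lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 10:
            accounts[fields[0]] = (fields[1], fields[9])
    return accounts

def audit(stock_text, device_text):
    """Return [(account, finding)] for accounts that still accept the factory
    credential, or that have no password at all."""
    stock = parse_master_passwd(stock_text)
    findings = []
    for name, (pw_hash, shell) in sorted(parse_master_passwd(device_text).items()):
        if shell in NOLOGIN_SHELLS or pw_hash.startswith(("*", "!")):
            continue  # account cannot log in with a password
        if pw_hash == "":
            findings.append((name, "empty password"))
        elif name in stock and stock[name][0] == pw_hash:
            findings.append((name, "unchanged from stock image"))
    return findings

# Constructed sample data: the hash strings are placeholders, not real hashes.
STOCK = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:STOCK_HASH_ROOT:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:STOCK_HASH_MOBILE:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""
DEVICE = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:STOCK_HASH_ROOT:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:CHANGED_HASH_MOBILE:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""

if __name__ == "__main__":
    for account, finding in audit(STOCK, DEVICE):
        print(f"{account}: {finding}")
```

Because the comparison is hash against hash, the check never needs to know the default password itself, and it covers every login account in the file rather than only root.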

Intego VirusBarrier X5, with the latest virus definitions, detects this worm as iphone/sshgate.a to sshgate.d (there are currently four variants).