The group behind iOS jailbreaking tool Unc0ver say they have found a zero-day vulnerability in the kernel of iOS 13.5, exploited it and packaged it up into the tool to deliver root access to all iPads and iPhones that operate on iOS 11 — released in late 2017 — or higher.
Jailbreaking is escalating privileges on an iOS operating system with the aim of getting root access, and therefore complete control, over the desired device. This lets security researchers conduct OS kernel security research, hobbyists add bespoke features, and bad actors do their worst.
(Some, as security firm Duo notes, do it simply as a matter of “personal philosophy” including under the principle that if you own something, you ought to be able to tinker with it).
Apple typically makes devices hard to access by researchers. Debugging work requires using specialist cables and developer-fused iPhones which can go for $2,000 and $20,000 respectively on the grey market. It is suing Corellium, an iOS virtualisation provider, for breach of copyright.
Unc0ver say this is the first jailbreak tool featuring a zero-day (previously unknown/unreported vulnerability) since 2015. On May 23 the hacker who uncovered the vulnerability, Pwn20wned, part of the Unc0ver team, said users had crashed its website in a hurry to get their hands on the tool.
You guys literally put the website down…
— @Pwn20wnd (@Pwn20wnd) May 23, 2020
Other jailbreak tools use one-day exploits which, according to Unc0ver, were either patched in the next beta version or in the hardware.
As this exploit is a zero-day, in that Apple found out about the bug through the tool’s release, it may be a while before the vulnerability is fixed.
It is normally advisable to proceed with caution when using this sort of tool as it will leave the device open to malware, however the Unc0ver jailbreak “preserves security layers designed to protect your information and your iOS device by adjusting them as necessary instead of removing them” according to a statement released by the hacking team.
There has been a steady drumbeat of criticism building around iOS security in recent months, with zero day broker Zerodium’s CEO among those making his views known in no uncertain language.
iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero…but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better.https://t.co/39Kd3OQwy1
— Chaouki Bekrar (@cBekrar) May 13, 2020
Just last month an unpatched “zero-click” vulnerability in iOS’s email system was uncovered and exploited in the wild targeting high profile individuals in Germany, Israel, Japan, the US and Saudi Arabia.
In August last year Google’s Project Zero and Treat Analysis group released research detailing a five unique iOS exploit chains, using a total of 14 vulnerabilities; seven for Safari, five for the kernel and two sandbox escapes.
“I have tested ‘Unc0ver’, it works on my iPhone 6s and iPhone 7 and takes less than 10 minutes. Any person who wants to do this, has a Mac and can follow some basic instructions will be able to do this”.
Businesses should be aware of the threats from jailbroken devices — particularly given the WFH/BYOD environment — which allow users to install tools/applications from unofficial app stores, etc. Many tools let CISOs and their teams detect jailbroken devices and automatically un-enroll them.