iOS jailbreak exploit published by Google

The story’s not quite as bad as it sounds at first – a bang-up-to-date iPhone is already safe against this exploit.

But it’s still an interesting tale, so here goes.

Google Project Zero bug-hunting expert Ian Beer recently registered an account on Twitter, and his first tweet, back on 5 December 2017, has already clocked up 752 retweets and more than 1800 likes. [2017-12-12T12:38Z]

Beer said:

If you’re interested in bootstrapping iOS 11 kernel security research keep a research-only device on iOS 11.1.2 or below. Part I (tfp0) release soon.

It turns out he was referring to exploit code that takes advantage of a vulnerability dubbed CVE-2017-13861, patched by Apple in its recent iOS 11.2 update, published on 2 December 2017.

That was the update in which Apple fixed the KRACK Wi-Fi vulnerability for users of older iPhones, having managed to patch it only for the iPhone 7 and later to start with.

It turns out, however, that KRACK wasn’t the only reason to apply the iOS 11.2 patches.

Apple wasn’t joking when it described CVE-2017-13861 in the iOS 11.2 security bulletin with these words:

Impact: An application may be able to execute arbitrary code with kernel privilege.

Description: A memory corruption issue was addressed with improved memory handling.

Beer has now gifted to the jailbreaking community a proof-of-concept for this very bug, proving that it’s not just a theoretically exploitable vulnerability.

Of course, if you’ve already updated to iOS 11.2, you’ve closed this particular hole, so you’re safe against Beer’s attack code.

Jailbreakers often run a few versions behind the bleeding edge, specifically to leave known vulnerabilities open in the hope that exploits will later be found – with Apple’s strict walled garden approach to the iOS ecosystem, updates are designed to be a one-way street so that you can never later downgrade.

So, if you keep bang up to date with Apple’s patches, you’ll be more secure in general, but at the cost of future flexibility if you suddenly decide you want to join the jailbreaking scene, in a bit of a security Catch-22.

Jailbreaking has a bad name, because it’s associated not only with freedom but also with piracy, unlawful copying and the purposeful bypassing of security that was originally put in place to protect intellectual property.

For the record, we don’t recommend jailbreaking, at least for phones you use in a work environment, and indeed our Sophos Mobile Control product provides a way to keep jailbroken and otherwise non-compliant devices off your organisation’s network.

For a busy system administrator, jailbroken iPhones (and their countercultural cousins, rooted Android phones) are yet another layer of security uncertainty that’s easier to live without, especially in a world where Europe’s new GDPR framework is fast approaching.

Having said that, there are numerous perfectly good reasons for jailbreaking, such as:

  • Repurposing an old device after Apple stops supporting it.
  • Applying a third-party security fix if independent researchers get to it before Apple.
  • Enjoying yourself because, hey, it’s your phone and you paid for it out of your own after-tax income.
  • Conducting security research – like the work Ian Beer does – that requires debugging access that Apple won’t give you out of the box.

So, although we advise against jailbreaking in general, we’ll repeat what we’ve said before:

As always[…], “Patch early, patch often.”

But we nevertheless wish that Apple would come to the jailbreaking party, even though we’d continue to recommend that you avoid untrusted, off-market apps.

We suspect that Apple would benefit both the community and itself by offering an official route to jailbreaking – a route which could form the basis of independent invention and innovation in iDevice security by an interested minority.

What to do?

We said it above: patch early, patch often.

Don’t hang back in the hope of later jailbreaks unless you have a well-formed reason for doing so.
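As an added example that is not from the article or from Sophos, here is a small inventory check in Python that flags devices still below the iOS 11.2 fix level for CVE-2017-13861. It compares versions numerically rather than as strings, so that 11.1.2 correctly sorts below 11.2 (and a hypothetical 11.10 would not sort below 11.2); the device inventory is constructed sample data.

```python
"""Flag iOS devices whose reported version predates the CVE-2017-13861 fix."""
from typing import List, Tuple

# First release carrying Apple's fix for CVE-2017-13861 (per the iOS 11.2 bulletin).
PATCHED_VERSION = "11.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.1.2' into (11, 1, 2) so comparison is numeric, not lexicographic."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str, minimum: str = PATCHED_VERSION) -> bool:
    """True if `version` is at or above the release that fixes the bug.

    Tuple comparison handles differing lengths: (11, 2, 1) > (11, 2) > (11, 1, 2).
    """
    return parse_version(version) >= parse_version(minimum)


def exposed_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices whose reported iOS version predates the fix."""
    return [name for name, version in inventory if not is_patched(version)]


# Constructed sample inventory (device name, reported iOS version); not real data.
SAMPLE_INVENTORY = [
    ("alice-iphone", "11.2"),
    ("bob-iphone", "11.1.2"),   # the level Beer suggests for research-only devices
    ("carol-ipad", "11.2.1"),
    ("dave-iphone", "10.3.3"),
]

if __name__ == "__main__":
    for name in exposed_devices(SAMPLE_INVENTORY):
        print(f"{name}: still exposed, update to iOS {PATCHED_VERSION} or later")
```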

There’s also the intriguing question, “Should Google Project Zero have dropped this exploit so soon after the update?”

Ironically, keeping up to date on Apple’s iOS platform is much easier than in Google’s Android world, where hundreds of different phone vendors, suppliers and carriers all need to knit their own updates once the Android source code is patched.

Not every iOS user is up to date, however.

So, even though Ian Beer has done the jailbreaking and the research community a favour, Google’s proof-of-concept exploit could also be seen as a bit of a Christmas present to the crooks out there, giving them a vector to attack the 30%-40% of Apple iOS users who aren’t up to date yet.

Where do you stand on this? Let us know below…
