IT Support: Security Hole in Apple's iOS?
Posted by Chad Weaver on Fri, Aug 06, 2010
Alright, I couldn’t resist the call of the new iPhone for all that long; it is just so tempting. My work in the IT support field leads me to live a "gadget-lover" lifestyle, and, well, it is really cool too. Given all that, apparently the demand is still far too great for me to have my shiny new toy in my hand. Good thing that isn’t the topic for the day; instead, while related, the topic is much more sinister.
Today we are going to talk about something that is very important to understand, and something to be aware of with any iPhone running the newer iOS. That name in itself is a topic for another blog, but, being a Cisco guy, I can appreciate the fact that Apple licensed that name from Cisco (it is the name of Cisco’s operating system), but I digress. So, given that I have a shiny new untouched iPhone with my name on it out there, being constructed in some country somewhere as we speak, I thought I would check out something I have been hearing so much about: jailbreaking. Now, before it became “legal” recently, I was not going to give it a try. Remember, it voids your warranty, but since I forked out for a new one already, I figured why not.
I have been hearing about the website Jailbreakme, which promises to painlessly jailbreak your iPhone over the web, with no software for you to find and try to deploy through iTunes. The developers have found a security flaw in Apple's Mobile Safari browser. When the browser opens a PDF file containing a specially designed font file, that file can execute any code it desires on your phone, circumventing your security. I figured, "what the heck," went to their website, and timed it. The entire process took under 5 minutes over 3G, and my iPhone was jailbroken.
Now, to the scary part: if it’s that easy to execute code that goes against the entire design of iOS and make such substantial changes to the system, what is to prevent malicious use of this flaw? As it stands right now, no such malicious PDF files are known to exist in the wild, but I believe it’s only a matter of time. For an even more frightening piece of information: the only way to prevent your phone from automatically opening PDF files, and therefore protect yourself from hacking attempts, is to jailbreak your phone and install an application that will prompt you when any PDF file is attempting to open, giving you the chance to say "no."
I believe this hole needs to be fixed, and it needs to be fixed now. Apple says they are aware of this issue and are researching it. I believe that we will see a patch that addresses this in the very, very near future, but until then, be careful what websites you visit on your iPhone. As for what I changed or installed on my jailbroken iPhone: nothing. I guess I am just not that cool. I did it more in the name of science than out of any desire for an illicit application.
