iPhone Dev Team Skipping OS 4.0.2 Jailbreak and going straight to 4.1

August 26th, 2010 webmaster No comments

Several people have been asking about the current state of play with regards to iOS 4.0.2 and if the iPhone Dev Team are going to release a 4.0.2 specific jailbreak.

For those not aware, the 4.0.2 iOS release fixes two major vulnerabilities which together allow a web-based exploit, as used by www.jailbreakme.com. The same technique could be used for malicious purposes beyond an iPhone or iPad owner wishing to jailbreak their own device.

In a recent blog post, the iPhone Dev Team have announced that they are not going to release a 4.0.2 version, but will instead be focusing on iOS 4.1, a firmware currently in its final beta stages.

    If the cat & mouse game escalates too quickly, especially during beta FW periods, nobody but Apple benefits. For this reason, there won’t be a 4.0.2/3.2.2 jailbreak specifically during the period where 4.0.2/3.2.2 is the latest public release. At best, some future 4.1x FW jailbreak *may* be compatible with 4.0.2/3.2.2 (but don’t count on that).

The iPhone Dev Team also used a quote from WarGames to explain their decision, and added a clip from the movie:

    The only winning move is not to play.

It’s important to note that iOS 4.0.2 can still be jailbroken using the redsn0w beta tool.

Categories: News Tags:

The Apple iPhone Spy Stick USB

August 19th, 2010 webmaster No comments

There’s an interesting new and scary product on the market called the “Apple iPad Spystick USB”, made by Brick House Security. From its title alone, I’m sure you can guess what it can be used for...

Essentially, once plugged in to an iPhone, this little device can recover data (including deleted data) from it.

Here’s a quick overview of some of its features:

  • Get access to deleted information
  • Download text messages and view calls made
  • Recover deleted contacts and calendar items
  • View pictures and other multimedia
  • Get access to map history to see locations searched on the iPhone’s map with exact GPS coordinates
  • Get access to notes, voice memos, multimedia files, and dynamic text data
  • Downloading data is as simple as attaching the iPhone and the iPhone Data Recovery Stick to a computer and pressing start
  • iPhone information is saved on any computer and can be moved to other drives as a regular file
  • Looks like an ordinary USB flash drive

One key thing to note is that this product currently only works with iPhones running an older version of iOS, namely iOS 3.2.1 and earlier. There are rumours of an updated device which will work with the very latest iOS 4.0.2, but that’s just hearsay for now!

Categories: News Tags:

Apple release OSX update to fix code execution & sandbox bypass

August 12th, 2010 webmaster No comments

Last week, two serious vulnerabilities were found in Apple iOS running on the iPhone 3G, 3GS and 4, Apple iPads and iPods, which could be exploited by remote attackers to take complete control of a vulnerable device. Apple have now released an update to fix these vulnerabilities.


The first vulnerability is caused by an integer overflow error in the kernel code used for handling IOSurface properties, which allows an attacker to gain elevated privileges and bypass Apple’s security sandbox restrictions. The second is caused by a memory corruption error when processing Adobe PDF Compact Font Format (CFF) data, which allows an attacker to execute arbitrary code. This can be triggered by tricking a user into visiting a specially crafted web page using Mobile Safari.

The jailbreakme.com web site uses these methods to remotely jailbreak Apple devices. It does this by redirecting the browser to a PDF exploit file crafted for each Apple device model and version, after which a payload is executed. A second-stage payload then provides the root privileges needed for the jailbreak to complete.

This was probably the most serious vulnerability discovered on Apple OSX to date, and Apple have been quick to respond to the issue.

Users should update their devices as soon as possible:

Apple iPhone and iPod touch – Upgrade to iOS version 4.0.2 using iTunes:
http://support.apple.com/kb/ht1414

Apple iPad – Upgrade to iOS version 3.2.2 using iTunes:
http://support.apple.com/kb/ht1414

It’s important to note that it is still possible to jailbreak a device using the more traditional redsn0w method, as the release from Apple only fixes the web-based jailbreak process.

This can be done using the redsn0w 0.9.5 beta 5 tool.

Categories: News Tags:

Have you taken the Apple iPhone & iPad jailbreak challenge?

August 6th, 2010 webmaster 1 comment

As I’m sure you’ve seen in the press recently, there’s been a lot of news relating to iPhone 4 web-based jailbreaks, the legality of the jailbreak process, and whether people should go down this path and jailbreak their much-loved iPad or iPhone in the first place.

Most people jump straight into jailbreaking, as they are fully aware of the advantages (pros) of jailbreaking their iPhone or iPad, but do so without being aware of the potential disadvantages (cons). Therefore, before you consider going down either path, I present you with the Jailbreak Challenge...


The Jailbreak Challenge:

The challenge is for you to read the complete list, and then give me your vote at the end as to whether, after reading all the pros and cons, you would consider jailbreaking your iPad or iPhone or not. I’ve tried to be as neutral and unbiased as possible, but factual in the points discussed. I’ve tried to find as many valid pros and cons as possible, and have summarised all of these in the list below.

Rather than provide a list of pros followed by a separate list of cons, I’ve combined them into one alternating list. Reasons why people jailbreak are highlighted in red, and the reasons why people don’t are in blue.

Please note – I do not personally encourage anyone to jailbreak their Apple device; however, I wish to further understand the drivers behind why people choose to do so in the first place. The intent of this challenge is to take the results and use them to make further recommendations from an iPhone & iPad enterprise adoption perspective:

  • Pro: Jailbreaking enables an iPhone or iPad user to break (unlock) the baseband of the device, ultimately allowing them to use the iOS device on any mobile phone carrier of their choice. This is more relevant to US users, as currently there is only one carrier, AT&T. To those in Australia, with multiple providers and unlocked phones, this is not such a big deal.
  • Con: Once an iPhone or iPad is jailbroken, a user can install any application or make any modification to the operating system and existing apps. A user can modify or remove security controls such as the “Passcode Lock”, “Auto-Lock” etc., thus weakening the security of the device and access to it.
  • Pro: Jailbreaking is easier than ever. You don’t even need to jailbreak using the traditional method (by restoring the iPhone / iPad and installing a modified version of iOS) – you just need to visit jailbreakme.com on the device you wish to jailbreak. The process only takes a few minutes and anyone can do it.
  • Con: Because there is no control or vetting of applications installed on a jailbroken device, there is potential for malware or rogue apps to be installed and run. This increases the risk of a user installing a rogue / bad app, or of malware infecting the device, as the security features are broken. An example of this is the iPhone worm that propagated through jailbroken iPhones. If you consider the various bits of personal data stored on each device, you wouldn’t want a rogue app to have access to this data, or to use your data / device for malicious purposes.
  • Pro: It gives you the freedom to install any iPhone / iPad applications you like, including apps that haven’t been reviewed or approved by Apple.
  • Con: The App Store has lots of variety and content, negating the need to jailbreak and install ‘alternate’ apps (e.g. via Cydia). Those who are real tech heads might disagree; however, if you’re the typical end user, aren’t the majority of your needs catered for (and yes, I know you have to pay!)?
  • Pro: When jailbroken, you can fully customise your iPhone / iPad, including changing the look and feel of the interface, sounds, mods, utilities etc.
  • Con: Jailbreaking voids your warranty with Apple, and they may not assist with any support issues if a jailbroken version of the operating system is found on the device. Obviously you could restore your device to its original non-jailbroken configuration; however, for those who have jailbroken but don’t know how to do this, it may be a concern.
  • Pro: Jailbreaking breaks the security features of the device so you can run pirated iPhone applications. This is obviously illegal, but it is another reason why some people choose to jailbreak.
  • Con: Now that iPhones & iPads are more popular, they have become an increasingly large target for hackers. More people are therefore trying to find security vulnerabilities in iPhones, and they are becoming an increasingly large malware target.
  • Pro: Apple are too restrictive with regards to the handling of the App Store, censorship and which applications are approved. Jailbreaking gets around this limitation.
  • Con: You will not be able to install iOS updates as they come out, as you will have to wait for the latest iOS release to be jailbroken. iOS updates usually provide both functionality updates and fixes for security vulnerabilities. You get neither of these until you upgrade, and are therefore potentially vulnerable to the security holes in the meantime.
  • Pro: In the US it is now legal to jailbreak an Apple iPhone or iPad device. Although this is somewhat irrelevant (as most people don’t care whether it’s legal or not), the recent press coverage and interest in this topic may encourage users to do so.
  • Con: Depending on the tool used to jailbreak and the level of technical competency, there is potential for the end user to ‘brick’ their iPhone or iPad, leaving it unusable and unable to be restored to its original unmodified condition.
  • Pro: The potential to write your own code and run it on your own iPhone / iPad, seeing as there is no longer any control restricting you to sandboxed, approved apps.
  • Con: Jailbreaking impacts the stability of the iPhone / iPad. Some users of jailbroken devices experience unusual issues, ranging from apps freezing, call drop-outs and unexpected reboots to general instability.


So what’s your vote?

Now that you’ve read the entire list above, would you jailbreak your new Apple iPhone / iPad or not? Use the comments link on this page to vote:

“YES” – I’D JAILBREAK

or

“NO” – I WOULDN’T JAILBREAK

and feel free to add any further comments or feedback.

My main concern is that either way – there is little any enterprise who has adopted Apple devices into their corporate environment can currently do to prevent their staff from jailbreaking devices, and modifying / removing security policies implemented in order to protect the enterprise in the first place.  An end user might not care – but the enterprise surely would?

It will be interesting to see how Apple respond to the latest firmware holes, and whether one day they finally make their devices secure enough that jailbreaking is no longer possible.

Categories: Tips Tags:

Back Track 4 Black Hat Edition Imminent R1 Release

August 4th, 2010 webmaster No comments

For pen testers and security assessment guys out there, you’ll be pleased to know that Back Track are about to release their new Back Track 4 “Black Hat Edition”.

This release includes a new kernel (2.6.34) which brings faster desktop responsiveness, as well as a load of new and improved wireless drivers.

According to the Back Track 4 blog, the online ISO will be released in the next 48 hours.

Categories: News Tags:

Apple fixes security vulnerability in Safari just days before Black Hat

August 3rd, 2010 webmaster No comments

For those following Black Hat recently, you would be aware of Jeremiah Grossman, CTO of WhiteHat Security, who announced last week that he had found a security hole in the majority of browsers, using the auto-complete hack.

The vulnerability works by manipulating a web browser’s HTML form auto-complete / autofill functionality. It can evict all of a user’s cookies, thereby automatically logging users out of all their current sessions, deleting tracking cookies, and so on. Jeremiah demonstrated how, with only a few clever bits of JavaScript, these attacks can impact millions of web users cheaply via online advertising networks.

To see Jeremiah’s full presentation, visit slideshare.

The vulnerability was patched by Apple last week; however, it is also prevalent in Internet Explorer, Firefox and Chrome. Of the 15 patches, it’s not the most serious issue, as 13 of the 15 are critical vulnerabilities that can be exploited via drive-by attacks.

What’s interesting is that although Apple has since patched the vulnerability, along with 14 others, in Safari 5.0.1 and 4.1.1, they did it literally just a day before Grossman was set to demonstrate the bug at the Black Hat security conference!

It’s reported that Grossman had been trying to get Apple’s attention prior to the Black Hat event. He says he had reported the issue to Apple a month before his announcement, but got only automated email replies for his efforts. The non-response made Grossman go public.

Categories: News Tags:

Hacking an ATM Machine – Demo At BlackHat

July 30th, 2010 webmaster No comments

Very cool video from BlackHat 2010 showing an ATM hack... a security friend showed me something similar up at AusCERT 2010 on the Gold Coast, so I have seen this in the wild. Very scary!

For a more detailed explanation of the above, check out the SMH website.

Categories: News Tags:

Hole 196 – AirTight Networks Release Details of Wifi WPA2 vulnerability

July 27th, 2010 webmaster No comments

Wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardised and available. Those of malicious intent can exploit the vulnerability, named “Hole 196”. Further details of the vulnerability can be found on one of the pages of the IEEE 802.11 Standard (2007 revision) document.

Hole 196 lends itself to man-in-the-middle-style exploits, whereby an authorised Wi-Fi user can decrypt, over the air, the private data of other users, inject malicious traffic into the network and compromise other authorised devices using open-source software, according to AirTight.

What can we do about Hole 196?

“There’s nothing in the standard to upgrade to in order to patch or fix the hole,” says Kaustubh Phanse, AirTight’s wireless architect, who describes Hole 196 as a “zero-day vulnerability that creates a window of opportunity” for exploitation.

Sounds a bit worrying, don’t you think?

Categories: News Tags:

Optus confirms Australian Apple iPhone 4 midnight launch

July 26th, 2010 webmaster No comments

Optus this morning confirmed plans to launch Apple’s latest iPhone 4 handset at midnight around the country on Thursday night, despite Apple itself publicising plans to open its stores from 8am Friday morning.

Optus confirmed that it had emailed its customers to say that it would be holding midnight launch events for the iPhone 4 in Sydney, Melbourne, Brisbane and — for the first time — Perth.

“We’re celebrating the arrival of the new Apple iPhone 4 with fantastic VIP launch events,” Optus said in its email to customers. “Selected stores will be opening from midnight on 29 July 2010 (we do mean 11:59pm plus one minute on Thursday) for your chance to get your hands on the new Apple iPhone 4 before everyone else.”

“Plus there’ll be entertainment, giveaways and much more. This is one party you won’t want to miss.”

The confirmation comes a week after The Next Web reported Optus would hold a midnight launch. Until this morning none of Australia’s telcos had confirmed they would do so. Neither Apple nor any Australian telco has yet confirmed pricing details for the iPhone 4 launch in Australia.

Read the full story.

Categories: News Tags:

Official… iPhone 4 Australian release date is Friday the 30th July!

July 18th, 2010 webmaster No comments

OK… looks like it’s official, and the big release date for the iPhone in Australia will be… drum roll please… Friday the 30th of July.

During the Jobs-note on Saturday morning addressing the iPhone 4 antenna issue, Steve Jobs announced that Australia would be getting the iPhone 4 on July 30th. In addition to this exciting news, we’ll also be getting free bumpers!

Now that the official release date has been set, it won’t be long before all the phone companies release pricing details for their iPhone 4 plans. Should be an interesting couple of weeks!

Categories: News Tags: