A website that makes it child’s play for iPad and iPhone owners to jailbreak their devices raises important security concerns.
The site, jailbreakme.com, exploits a PDF vulnerability to run unauthorised code on Apple customers’ iPhones and iPads, including the new iPad 2. In this way they allow users to unlock their devices, and run programs that have not been approved by the official AppStore.
Usually jailbreaking requires users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad. Sites like JailBreakMe make the process much simpler.
But if visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site’s code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone.
If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices.
A website like JailBreakMe is making it easy to jailbreak your iPhone or iPad – but it could also be said to be giving a blueprint to malicious hackers on how to infect such devices with malware.
I don’t want to be a party pooper for those who wish to jailbreak their Apple devices, but it’s essential that Apple closes this vulnerability as quickly as possible.. before it is abused with malicious intent.
Interestingly, “Comex”, the creator of the JailBreakMe website seems to recognise that hackers might copy the exploit to use in the form of an iPad or iPhone virus. However, he attempt to deflect any responsibility in his FAQ:
"I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
All eyes now turn to Apple to see how quickly it can secure its users from what could be a vector for iPhone/iPad malware infection. Leaving a security hole like this open is simply inviting malicious hackers to exploit it.
Leave a reply