For the first time in… well, in ages, anyway… a jailbreak exists for the very latest version of iOS!
Jailbreaking is where you exploit a security hole, or more likely a whole series of security holes, in what is essentially a carefully orchestrated cybersecurity attack on yourself, in order to liberate yourself from Apple’s locked-down attitude to iPhones.
Want to install your own apps? Want to modify locked system settings? Want to run network services like SSH or even a tiny web server? Want the freedom to delve more deeply into a running system than Apple will let you? Want to patch security holes on old and unsupported devices?
Want to run the risk of heading into the unknown and accidentally putting your iDevice at more risk than it was before?
Jailbreaking lets you do all of those things, typically by lagging behind the latest iOS updates on purpose, leaving as many holes open as you dare while the jailbreaking community tries to figure out ways to exploit them.
If you keep your iPhone bang up-to-date, you run the risk that by the time a working exploit has been discovered for version X, you’re already on X+2 or X+7 and the exploit no longer works.
And, yes, it’s a complicated irony that one of the oft-mentioned benefits of jailbreaking, namely that it means you can fix bugs as soon as you like without waiting for Apple, is usually achieved by deliberately avoiding bug fixes that Apple has already published.
Well, this time is different!
If you’ve been sticking with iOS 12.3, for example, in the hope of a jailbreak coming out, you face the unusual prospect of upgrading officially to 12.4 first.
Long-time Apple hacker and jailbreaker Pwn20wnd (the middle characters are both digits) just released an update to his popular Undecimus project, also known as unc0ver and touted as “the most advanced jailbreak tool.”
Right now, at least, you simply can’t jailbreak iOS 12.3 even though iOS 12.4 is open for jailbreaking business, and here’s why.
Bear with us, because there’s a metaphor coming.
Why bugs come back
You’re riding home on your bicycle, it’s cold and wet, there’s not too far to go, you’re already thinking lovingly of the electric heater in the bathroom (hipsters don’t use gas, remember?); suddenly, there’s a hissss….
…and your tyre goes flat.
You laboriously remove the offending wheel, take off the tyre, find the hole, patch the tube (hipsters repair rather than replace, remember?), pump it back up, put everything back together, ride on, feel like an achiever!
You’re colder and wetter than before, but smugly chatting in your imagination to the grandchildren you don’t yet have, saying, “When I was young, we had to fix our own…”; suddenly, there’s a hissss….
…and your tyre goes flat.
Double-punctures are more common than you might think, and often happen for the simple reason that the very act of applying a patch can be the cause of another failure, because it disturbs the status quo ante.
Perhaps you treated the symptom (a hole) but didn’t find the cause (a sliver of glass in the tyre), making another flat tyre almost inevitable, and soon?
Perhaps you introduced a new foreign body, such as a stone or another glass shard, while you had the tyre off the rim, making another flat almost inevitable, and soon?
Perhaps you dislodged or disturbed a previous patch, badly applied when you were in a hurry last time, making another flat almost inevitable, and soon?
Well, that’s what just happened to Apple, metaphorically speaking.
The SockPuppet exploit
Back in March 2019, a Google bug-hunter called Ned Williamson found and reported a bug, denoted CVE-2019-8605, in Apple’s kernel code.
Under Google’s Project Zero rules, details of bugs reported this way are suppressed for 90 days, or until a patch is broadly available, thus giving the affected vendor time to fix the problem before the bug is publicly disclosed.
The idea of the 90-day rule is that the crooks don’t get a free-for-all while the patch is being prepared.
Nevertheless, vendors still have genuine pressure on them to get security bugs patched, but not so much pressure that they are forced to act in haste, and thus perhaps to repent at leisure.
Anyway, Apple duly published patches within the deadline, issuing macOS 10.14.4 and iOS 12.3 on 13 May 2019.
These updates dealt with a raft of other security problems at the same time, but both operating systems notably received this fix:
KERNEL
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.4
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero
On 11 July 2019, presumably thinking that the danger was past, Williamson published a working exploit dubbed SockPuppet, a pun on the fact that the bug exists in low-level networking code.
(In the jargon, network connections are made between sockets, and sockets are commonly denoted by the abbreviation sock in networking code.)
This demonstration exploit was upgraded to a faster and more reliable version called SockPuppet2 on 22 July 2019.
And that’s where the puncture repair story in this case ought to have ended…
…except that it looks as though Apple’s most recent update to iOS, version 12.4, reintroduced the bug.
Whether Apple dislodged the earlier patch, introduced a new way to exploit the previous hole, or patched the symptom rather than the cause last time is not yet known, but the bug is back.
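The advisory above says only that “a use after free issue was addressed with improved memory management”, and the paragraph above explains how such a fix can quietly come undone. The following is an added illustration, written for this page and not Apple’s kernel code or anything from the SockPuppet exploit: a toy connection record (the `struct conn` and `conn_opts` names are invented) whose optional settings are freed in the classic dangling-pointer way, the hardened version that nulls the pointer after freeing, and a lifecycle check of the kind a regression suite should keep forever so that a later change cannot reintroduce the old bug unnoticed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative only: a toy connection record with optional settings held
 * through a pointer. Names and layout are invented for this example. */
struct conn_opts {
    int ttl;
    int flags;
};

struct conn {
    int id;
    struct conn_opts *opts;   /* NULL means "no options set" */
};

/* Allocate options for a connection, replacing any existing ones.
 * Returns 0 on success, -1 if allocation fails. */
int conn_set_opts(struct conn *c, int ttl, int flags) {
    struct conn_opts *o = malloc(sizeof *o);
    if (o == NULL)
        return -1;
    o->ttl = ttl;
    o->flags = flags;
    free(c->opts);            /* free(NULL) is a harmless no-op */
    c->opts = o;
    return 0;
}

/* BUGGY pattern, shown for contrast and deliberately never called below:
 * the memory is released but the pointer is left in place, so any later
 * read or second clear touches freed memory (a use-after-free). */
void conn_clear_opts_buggy(struct conn *c) {
    free(c->opts);
    /* c->opts still points at freed memory here. */
}

/* HARDENED pattern: release and immediately null the pointer, so repeated
 * clears are idempotent and later reads see "no options" rather than a
 * stale block. This is the "improved memory management" idea in miniature. */
void conn_clear_opts(struct conn *c) {
    free(c->opts);
    c->opts = NULL;
}

/* Read the TTL, treating missing options as a sentinel (-1) instead of
 * dereferencing whatever the pointer happens to hold. */
int conn_get_ttl(const struct conn *c) {
    return c->opts ? c->opts->ttl : -1;
}

/* Regression check: set -> read -> clear -> clear -> read -> set -> clear.
 * This is exactly the shape of test that should stay in the suite after a
 * fix, because it is the sequence the buggy version mishandles.
 * Returns 1 if the lifecycle behaves safely, 0 otherwise. */
int conn_lifecycle_regression_check(void) {
    struct conn c = { 1, NULL };
    if (conn_set_opts(&c, 64, 0) != 0) return 0;
    if (conn_get_ttl(&c) != 64) return 0;
    conn_clear_opts(&c);
    conn_clear_opts(&c);                        /* double clear must be harmless */
    if (conn_get_ttl(&c) != -1) return 0;
    if (conn_set_opts(&c, 32, 1) != 0) return 0; /* re-set after clear */
    if (conn_get_ttl(&c) != 32) return 0;
    conn_clear_opts(&c);
    return c.opts == NULL;
}

int main(void) {
    printf("lifecycle check: %s\n",
           conn_lifecycle_regression_check() ? "safe" : "UNSAFE");
    return 0;
}
```

Running the hardened path under a memory checker such as AddressSanitizer or Valgrind turns this into a real guard: if a future edit swaps `conn_clear_opts` back to the buggy shape, the double clear trips a double-free report instead of silently passing.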
Ironically, Apple’s iOS 12.4 patch came out on 22 July 2019, the very same day as the new-and-improved SockPuppet2 demonstration exploit code.
That was a coincidence, of course, but it ended in trouble for Apple, because it made the recently-released unc0ver jailbreak possible.
Apple now needs to get iOS 12.4.1 out (let’s assume that’s what it will be called) as soon as possible, and not just because the company disapproves of jailbreaking and goes out of its way to prevent it.
A patch-to-the-patch-that-broke-the-patch is needed because there’s now a publicly-known exploit, and an open source jailbreaking toolkit that uses it, against the iOS version that the majority of iPhone owners are currently running.
What to do?
According to reports, the current jailbreak doesn’t work on the very latest iDevices.
Apparently, devices using Apple’s new A12 processor aren’t affected – so you can relax – for now, at least – if you have an iPhone XS, iPhone XS Max, iPhone XR, iPad Mini (2019) or iPad Air (2019).
The rest of us are vulnerable.
One obvious suggestion is “roll back to 12.3”, but there are two reasons not to do so: firstly, 12.4 fixed a lot of other potentially serious holes at the same time as accidentally re-enabling SockPuppet; secondly, Apple won’t let you.
Jailbreakers who already have a jailbroken device can use a bunch of tricks to enable downgrading, or more precisely to prevent Apple disabling it, but those of us who aren’t long-term jailbreakers are out of luck.
Apple prevents downgrades as an anti-jailbreaking measure, or else you could always and easily hack your phone by rolling back to a version that you know could be jailbroken and then rolling back forwards with the jailbreak installed.
Another suggestion is to jailbreak your own phone, and then look for community-contributed patches to tide you over until Apple comes to the update party.
We recommend against doing that – if you aren’t already familiar with the jailbreaking scene, then trying it out for the first time on a work phone or one you use regularly to run your personal life is probably a step too far.
In particular, we strongly recommend against some of the jailbreaking tricks currently showing up in online videos that promise a “jailbreak with no computer” – these typically require you to install unauthorised apps built using rogue Apple Developer Certificates.
As far as we can see, your phone can’t currently get jailbroken remotely, so crooks couldn’t install this jailbreak as a ‘crack’ against your will.
They’d need physical access to your device, they’d have to know your unlock code, and they would need to install a third-party app by adding a device management profile that you would be able to spot later on.
For now, the simplest advice is probably the safest: keep your lock code to yourself, don’t let other people play with your phone, and get Apple’s next update as soon as it comes out…
…which is likely to be soon, so watch this space!
You can check for third-party device management by going to Settings → General and looking for a menu item called Device Management. If it exists, go into the option to see who’s been granted access to your phone. If it’s a work phone and it’s enrolled in a Mobile Device Management system like Sophos Mobile Control, you will see one or more entries in the Device Management menu – ask your IT team to tell you what to expect if you see something suspicious.
LEARN MORE ABOUT JAILBREAKING AND ROOTING
We recorded this Naked Security Live video to give you and your family some non-technical tips to improve your online safety, whichever type of phone you prefer.
Bart
That was no metaphor; it was a shaggy dog story!
Paul Ducklin
Thanks. I am counting that as a compliment.
The reason for the, ah, metaphor wasn’t just for fun. Many people have changed their own punctures (and probably used rude words while doing so, at least the first few times), but comparatively few have worked in QA, or gone through the (admittedly painful and often long-winded) process of doing regression tests – which should really be called “anti-regression” tests, of course. In theory, fixing bug A shouldn’t cause bug B to reappear, any more than fixing one puncture should provoke another. It’s the little things you overlook, or the tiny changes you didn’t intend to make or even realise had happened, or the payback for rushing the job last time…
R. Dale Barrow
“This minor change we’re about to make allows us only one mistake. But why do people never see that bugs occur in groups of three.”
Paul Ducklin
“This code is self-contained and independent so patching it will have no effect on anything else”.
(I only patched the tube. I didn’t touch the tyre. Well, except to lever it off the wheel. But I didn’t touch the wheel. Except to remove it from the bicycle. And I didn’t touch the bicycle. Except to turn it upside down on a path of small sharp stones in the dark to make the axle nuts easier to remove because I was in a hurry. And when I put it all back together, I did such an efficient and excellent job I HAD SEVERAL PARTS LEFT OVER!)
Shane Cashin
“Pwn20wnd (the middle characters are both digits)” If you need that pointed out to you, are you really in the security game? Are you not an 31337 h4x0r?
Paul Ducklin
Well, I carefully used a monospaced font – in my browser it comes out in Adobe’s excellent Source Code Pro typeface, where the zeros have a little dot in the middle and the Os don’t.
But [a] your litres/100km may vary and [b] not everyone spells “own” with a zero. (The PWN2OWN competition, for example, perhaps the best known if not the original use of the phrase, spells it with an O-for-Oscar, not a 0-for-zero.)
And, hey, “elite” is more properly spelled 1337 in modern orthography, and h4xx0r has two Xs. Every1 kno dat bro.
Shane Cashin
I wasn’t pointing that out to you, but to your audience. https://en.wikipedia.org/wiki/Leet
Kyle
“And, hey, “elite” is more properly spelled 1337 in modern orthography, and h4xx0r has two Xs. Every1 kno dat bro.”
Best reply of all time.
Bob Smith
Finally a jailbreak for the most recent iOS. Thanks Apple!
Steve Jobs
Love the new jailbreak! Looking forward to all the new tweaks!
NOPIAN MASYHURI
I don’t know if that is good or not