Hacking The iPhone, iPod, And iPad With A Web Page

Regular Tom's Hardware readers know Charlie Miller as the first person to hack Apple's iPhone and a repeat winner of CanSecWest's Pwn2Own contest. This time around, we talk to Charlie about jailbreaking and what it means to smartphone security in general.

The best part about being a writer with Tom’s Hardware is not that I get to play with the latest GPUs or CPUs. Sure that stuff is cool, but what’s even more special is the opportunity to meet and talk with the people who make the magic happen. Microsoft’s Cirque du Soleil launch party pales in comparison to meeting with the father of Intel V8 for coffee at the cafeteria on Intel's campus, sitting down with the Nvidia PureVideo engineers over lunch, or simply talking about cars with the guys at AMD.

Today, we’ve got another interview with Charlie Miller of Independent Security Evaluators. As regular readers of Tom’s Hardware know, Charlie was the first person to hack the iPhone and has successfully hacked into a fully-patched Apple MacBook each year at CanSecWest’s Pwn2Own contest.

Unless you’ve been living on a remote outpost on Mar Sara, you’ve probably heard about the recent jailbreakme Web site for the iPhone and iPad that launched this month, shortly after the Library of Congress explicitly allowed cell phone “jailbreaking” to be exempt from the DMCA. Although jailbreaking has been around since the original iPhone, and the millions of users of Android-based phones enjoy the opportunity to run any application they want out-of-the-box, the incredible popularity and controversy of the iPhone 4 made it a hot topic for the media, even reaching the New York Times and Wall Street Journal.

The real story doesn’t have to do with jailbreaking, though. It’s how the jailbreak actually happens, and the implications for smartphone security. So without further delay, here’s our interview.

Tom's Hardware: As always, we really appreciate the time you take out for these interviews.

Charlie: No problem. I’m always happy to share technical details with people to give insight into the weeds of security.

TH: What vulnerabilities were exposed for the iPhone and iPad last week?

Charlie: There are two vulnerabilities. The first is a remote code execution in MobileSafari. The error is in the way certain fonts are parsed. The actual exploit uses a PDF to deliver the font, but other methods are possible, I suppose. The second vulnerability is a local privilege escalation in the IOKit framework.

TH: So how does the JailBreakMe website exploit these vulnerabilities to allow the “jailbreaking” to occur?

Charlie: First, jailbreakme gets code running inside MobileSafari with the font bug. However, due to the security architecture of iOS, MobileSafari runs as user “mobile” and within a sandbox. User “mobile” cannot make system configuration changes; only the administrator “root” can do that. Furthermore, the sandbox restricts the actions the exploit can take. For example, the sandbox does not allow MobileSafari to send SMS messages.

This is where the second exploit comes in. It is the second vulnerability, in IOKit, that allows the code to execute as user root instead of user mobile. From within the context of MobileSafari, the second exploit is launched which raises the privilege of the executing code to that of root. The sandbox is not designed to restrict a root-owned process, and is also easily circumvented at this point. So now the code can write to kernel memory and nothing is sacred. The exploit then disables code signing, and loads some dynamic libraries, which do the work of jailbreaking the phone.

TH: So the sandbox falls apart. What about the desktop Google Chrome sandbox, and how does MobileSafari compare?

Charlie: They are similar in that they try to restrict the types of actions that code can perform. Adobe Reader will soon also run in a sandbox. In practice, sandboxes force attackers to write two exploits instead of one, as was done here. Sandboxes only provide an additional layer of defense, but do not make exploitation impossible.

TH: Interesting. One of the things I noticed is that the entire jailbreaking process takes a few minutes. How much of this is spent gaining root access to the phone to allow remote execution and how much of this time is the actual installation of the software such as Cydia?

Charlie: The exploit gets code running, elevates to root, and disables code signing almost instantaneously. All the additional time is in performing the actual jailbreak.
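Charlie explains above that the font which triggers the MobileSafari bug was delivered inside a PDF. After a disclosure like that, a practical defensive step for a mail or web gateway is to flag PDFs that carry embedded font programs so an analyst can look at them before users open them. The Python below is an added example written for this page; it is not code from the interview, from Charlie Miller or from the jailbreakme site. It relies on the PDF specification's /FontFile, /FontFile2 and /FontFile3 font-descriptor keys (Type 1, TrueType and CFF/OpenType programs respectively), and both PDF byte strings are constructed for the example. It does not detect the vulnerability itself; it surfaces which files deserve a look, covers any embedded font type rather than only the one used here, and handles the main blind spot of a raw byte scan: objects packed into compressed object streams (/ObjStm), which the scan cannot read and therefore reports as opaque.

```python
import re
from typing import List, NamedTuple

# Constructed minimal PDF for this example: one page, one Type1 font whose descriptor
# embeds a CFF font program through /FontFile3 (a real PDF font-descriptor key).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Example /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Example /Flags 32 /FontFile3 6 0 R >> endobj
6 0 obj << /Subtype /Type1C /Length 4 >> stream
abcd
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed PDF whose objects live inside a compressed object stream (/ObjStm).
# A raw byte scan cannot see font references from there, so it must be reported as opaque.
OPAQUE_PDF = b"""%PDF-1.5
1 0 obj << /Type /ObjStm /N 3 /First 20 /Filter /FlateDecode /Length 5 >> stream
xxxxx
endstream
endobj
%%EOF
"""

# "/FontFile3 6 0 R": descriptor key followed by an indirect reference to the font stream.
_FONTFILE_REF = re.compile(rb"/(FontFile[23]?)\s*(\d+)\s+(\d+)\s+R")
_SUBTYPE = re.compile(rb"/Subtype\s*/([A-Za-z0-9]+)")
_OBJSTM = re.compile(rb"/Type\s*/ObjStm")


class EmbeddedFont(NamedTuple):
    key: str       # FontFile (Type 1), FontFile2 (TrueType) or FontFile3 (CFF/OpenType)
    obj_num: int   # object number of the stream that holds the font program
    subtype: str   # /Subtype of that stream, e.g. "Type1C"; "" when the stream has none


def _object_body(pdf: bytes, num: int, gen: int) -> bytes:
    """Return the bytes between 'num gen obj' and the next 'endobj' (empty if not found)."""
    header = re.compile(rb"(?<![0-9])%d\s+%d\s+obj\b" % (num, gen))
    m = header.search(pdf)
    if m is None:
        return b""
    end = pdf.find(b"endobj", m.end())
    return pdf[m.end():end if end != -1 else len(pdf)]


def find_embedded_fonts(pdf: bytes) -> List[EmbeddedFont]:
    """List every font program referenced by a /FontFile* key visible in the raw bytes."""
    found, seen = [], set()
    for m in _FONTFILE_REF.finditer(pdf):
        key, num, gen = m.group(1).decode(), int(m.group(2)), int(m.group(3))
        if (key, num) in seen:          # the same descriptor can be referenced twice
            continue
        seen.add((key, num))
        st = _SUBTYPE.search(_object_body(pdf, num, gen))
        found.append(EmbeddedFont(key, num, st.group(1).decode() if st else ""))
    return found


def has_object_streams(pdf: bytes) -> bool:
    """True if the file uses /ObjStm: some dictionaries are compressed and not scannable here."""
    return _OBJSTM.search(pdf) is not None


def triage(pdf: bytes) -> dict:
    """Flag a PDF for manual inspection when it embeds fonts or when its structure is opaque."""
    fonts = find_embedded_fonts(pdf)
    opaque = has_object_streams(pdf)
    return {
        "embedded_fonts": fonts,
        "opaque_object_streams": opaque,
        "verdict": "inspect" if (fonts or opaque) else "no embedded font programs visible",
    }


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_PDF), ("opaque", OPAQUE_PDF)):
        print(name, triage(data))
```

Run it as a script to see both verdicts, or import `triage()` and feed it the bytes of a real file. For a production gateway the /ObjStm case should be followed by a real decompression pass (PDF 1.5+ files from common generators use object streams routinely), so the opaque flag is a queue for deeper parsing rather than a verdict on its own.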

Other Comments
  • [11] apache_lives, August 17, 2010 7:52 AM
    I'm more interested in Android being installed on the iPhone - looking quite interesting
  • [2] Anonymous, August 17, 2010 9:04 AM
    Who said Apple is unbreakable? Charlie Miller is the man who can kick Jobs' ball just as easily every time we visit his website. Since I got the iPhone 4 I found that I had been holding my phone wrong the past 7 years. I have to learn the new way from Apple, the right way of holding my phone, but it drops often and hurts my hand too. 2 weeks ago I heard people telling me that my iPad got a heat-up problem in Japan. I believe Steve Jobs is trying to tell everyone in Japan that they are holding their mp3 player wrong too after all.
  • [10] orionite, August 17, 2010 12:33 PM
    Very interesting article. I take content like this over "Man uses iPhone to cure cancer" nonsense, any day.
  • [6] victorintelr, August 17, 2010 12:34 PM
    Charlie Miller never held it wrong.
  • [1] rd350, August 17, 2010 3:03 PM
    Now if only this worked for a Mac :p
  • [6] kelemvor4, August 17, 2010 4:40 PM
    randomizer wrote: See, real men use Macs.

    Real men often do what is trendy rather than what makes sense.
  • [0] jakthebomb, August 17, 2010 6:12 PM
    George Hotz was the first to hack the iPhone.
  • [2] jecastej, August 17, 2010 8:48 PM
    Great interview,

    I think Apple should use its big capital to hire and pay for more engineers to solve all kinds of situations. It is not about problems surfacing everywhere or anytime, as there are no warranties in real life. And I don't say this just to complain. Now that Apple has the "resources" it should use them for its "own" benefit and, of course, for the benefit of all its users.
  • [1] intelx, August 17, 2010 9:02 PM
    I was the first to hack the iPhone using Windows 3.1
  • [-3] randomizer, August 18, 2010 12:15 AM
    Ragnar-Kon wrote: Oh, you are going to get marked down... beware of the windoz trolls.

    I knew I was going to get marked down, but couldn't resist. The commenters on this site are so protective of their favourite company.
  • [3] r0x0r, August 18, 2010 6:21 AM
    randomizer wrote: See, real men use Macs.

    Real men use Vista on 256MB RAM because the pain of doing so lets them know they're still alive.
  • [0] Mottamort, August 18, 2010 7:00 AM
    If Microsoft had to pay $3000 for every bug found in their software they'd lose A LOT of money... just think about all those service packs they release and security updates that come out on a daily basis.
  • [2] chickenhoagie, August 18, 2010 11:23 AM
    Mottamort wrote: If Microsoft had to pay $3000 for every bug found in their software they'd lose A LOT of money... just think about all those service packs they release and security updates that come out on a daily basis.

    I guess that's what happens when millions of people use Windows, and thousands more write malicious code for it.
  • [2] mrmotion, August 18, 2010 12:14 PM
    Great article. Would like to see more like this!!
  • [0] WarraWarra, August 18, 2010 3:10 PM
    Yup, great article. Finally something intelligent and interesting to read.
  • [0] WarraWarra, August 18, 2010 3:19 PM
    jecastej wrote: Great interview, I think Apple should use its big capital to hire and pay for more engineers to solve all kinds of situations. It is not about problems surfacing everywhere or anytime, as there are no warranties in real life. And I don't say this just to complain. Now that Apple has the "resources" it should use them for its "own" benefit and, of course, for the benefit of all its users.

    Yup, amazing they claim they have to Guantanamo Bay the iPhone / Apple's to prevent this, but in that statement they have already failed to prevent these "attacks" / security breaches.

    Why not just have it unlocked like in the western world and let anyone put what they want on there.

    Surely Apple gets the fact that no one is leasing their hardware, so everyone that pays for it owns it and can constitutionally use it as a vibrator or car mirror hanging attachment or whatever they like to do with it.

    What gets me is the gold, yes the metal gold that jewellery is made of, iPhones: there is no issue with those as "modified / appearance hacked" items, but something small like adding a useful app or installing your own operating system freaks them out.

    Next thing Apple will tell us they don't mind taking a mill. USD and burning it for fun but freak out about a US$0.20 rubber band aid for the signal problem not being the approved Guantanamo Bay Apple colors.

    Apple seriously needs some legal CA weeds to smoke.
  • [0] thebigt42, August 18, 2010 3:34 PM
    randomizer wrote: See, real men use Macs.

    Real men downloaded files at 300 baud when that was the fastest available and were excited about doing it!
  • [0] Lorsus, August 18, 2010 7:20 PM
    Interesting how this article comes out after iOS 4.0.2 patches the font hack.