This week, @Pwn20wnd jailbroke iOS 12.4, the latest version of Apple's iPhone operating system (iOS).
There are two absolutely unbelievable things about this Jailbreak.
First, what makes this Jailbreak so monumental is that iOS 12.4 is currently the only signed version of iOS available to upgrade, downgrade, or restore your iOS device to.
Apple is forcing users to update to an already Jailbroken iOS, and it is the only iOS version that is currently being signed!
The second remarkable event is that the vulnerability used to complete the Jailbreak had already been fixed in the previous version of iOS.
Apple reintroduced CVE-2019-8605 into iOS 12.4 and caused the Jailbreak themselves. The Jailbreak community even credited “Apple” in the “thanks” section of the latest version of the Jailbreak, since Apple themselves re-enabled it.
In effect, Apple is updating users to an already jailbroken, and also vulnerable, version of the popular mobile operating system.
How Would Malware Be Distributed by a current, signed, Jailbroken iOS?
Here is a real world example of a Jailbreak disaster that could happen today:
Step 1: Copy the Jailbreak App from Pwn20wnd and make a fake app.
Step 2: Get a signed Developer certificate from Apple to distribute your apps over-the-air.
Step 3: Create a fake app with the Jailbreak hidden inside and prevent Cydia from installing. After Jailbreak, prevent the app from rebooting for 30 minutes. Install OpenSSH and open a remote port and contact a listening server. Even better, install a VNC client that contacts a remote VNC listening server.
This is where creativity thrives.
Step 4: Create your new awesome App landing page!
You need people to download your new great app; your new “PokemonGO Infinite Pokemon Cheat App” looks great, and now you just insert your Jailbreak so it installs automatically.
Incentive offers work even better: “watch 3 movies on our app with ads and get paid $5!”
<a href="itms-services://?action=download-manifest&url=https://myWeb.com/MY_TEST_APP/manifest.plist">Install App</a>
Step 5: Send targeted iOS traffic to your landing page.
Users will install the App if your offer is attractive enough, and voila, you have Jailbroken someone's iPhone, remotely.
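The distribution trick above rests on a single mechanism: an `itms-services://` link whose `url` parameter points at a manifest `.plist`, which iOS follows to install an over-the-air (enterprise or ad-hoc signed) app. From a defender's side, that link is also the easiest thing to spot. The following is an added example, not code from the original post or from any Jailbreak project: it pulls every `itms-services` link out of captured HTML (a proxy or mail-gateway would feed it real pages), decodes the manifest URL, and flags any manifest that is not served over HTTPS or whose host is outside an allowlist. The sample HTML and the allowlist host `mdm.example-corp.internal` are constructed for the example.

```python
import html
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlparse

# Constructed sample page fragments (hypothetical hosts): one link points at a
# corporate MDM host, the other two at hosts a defender has never approved.
SAMPLE_HTML = """
<a href="itms-services://?action=download-manifest&url=https://mdm.example-corp.internal/apps/manifest.plist">Install App</a>
<p>Watch 3 movies on our app with ads and get paid $5!</p>
<a href="itms-services://?action=download-manifest&amp;url=https://myWeb.com/MY_TEST_APP/manifest.plist">Install App</a>
<a href="itms-services://?action=download-manifest&url=http://cdn.example.net/m.plist">Install</a>
"""

# Hypothetical allowlist of hosts that are permitted to serve OTA manifests.
TRUSTED_MANIFEST_HOSTS = {"mdm.example-corp.internal"}

# Matches the href of any itms-services link; the scheme is case-insensitive.
ITMS_HREF = re.compile(r'href="(itms-services://[^"]+)"', re.IGNORECASE)


def extract_manifest_urls(page: str) -> List[str]:
    """Return the manifest URL of every itms-services download link in the page."""
    manifests = []
    for link in ITMS_HREF.findall(page):
        # HTML entities such as &amp; must be decoded before parsing the query.
        parsed = urlparse(html.unescape(link))
        params = parse_qs(parsed.query)
        if params.get("action") == ["download-manifest"] and "url" in params:
            manifests.append(params["url"][0])
    return manifests


def assess_manifest(manifest_url: str,
                    trusted_hosts: Iterable[str] = TRUSTED_MANIFEST_HOSTS) -> Dict:
    """Classify one manifest URL; an empty reason list means it passed."""
    parsed = urlparse(manifest_url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("manifest not served over https")
    if host not in {h.lower() for h in trusted_hosts}:
        reasons.append("manifest host %r not in allowlist" % host)
    return {"manifest": manifest_url, "host": host,
            "suspicious": bool(reasons), "reasons": reasons}


def find_suspicious_ota_installs(page: str,
                                 trusted_hosts: Iterable[str] = TRUSTED_MANIFEST_HOSTS) -> List[Dict]:
    """Return the assessment of every OTA install link that fails a check."""
    results = (assess_manifest(u, trusted_hosts) for u in extract_manifest_urls(page))
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for finding in find_suspicious_ota_installs(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

The allowlist check is the one that matters: a valid Apple-issued certificate is exactly what the scenario above assumes the attacker has, so signature validity alone says nothing about whether an OTA install should be trusted. Pairing this with MDM policy that blocks enterprise-app installs from unmanaged sources closes the same gap on the device side.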
Some other possible in-the-wild scenario examples:
- Create a Google Ad campaign with the word Uber and redirect your visitors to a fake Uber app with the Jailbreak inside. Trick people who want to download the Uber app into downloading your fake app and then take total control of their phone.
- Create a viral Facebook video and insert a QR code at the end, or halfway through. Tell users to scan the QR code for videos BANNED by Facebook, or too naughty for Facebook. Create a basic video feed app from a porn site and include the Jailbreak inside. Works best for Adults Only content.
- Buy a viral Instagram account and a fresh domain. Direct users to the link in your bio and ask them to install the app. Works great for influenced audiences.
These are some nasty examples, and they are easy to execute in the wild.
Is iOS 12.4 a Jailbreak Honeypot?
At HoneyPots, we are well versed in the Jailbreaking community, having used deeply invasive tweaks such as Call Recorders, Display Recorders, Microphone Recorders, and AFC Extenders.
Apple File Conduit (AFC) bypasses let you use the phone like a USB stick: full read and write access without any security.
A Jailbroken phone, operated by an adversary, can record your calls, read all your messages, send messages without your consent, prevent security updates, block websites, redirect websites, brick your phone, alter your GPS location, slow down your phone or even speed it up.
Someone with control over a Jailbroken phone can even use the Apple Pay account to make purchases.
This Jailbreak is so embarrassing for Apple devs because they reintroduced an already fixed vulnerability.
Why would Apple upgrade everyone to a Jailbroken iOS version?
How could Apple allow their own in-house security researchers to miss an already fixed bug?
Does Apple need inspiration from the Jailbreak community?