Using the first 0day to ship in a public jailbreak since 2015, Pwn20wnd has released a jailbreak for every iOS version Apple is currently signing.
This is big news for researchers and device owners.
It is also bad news for anyone who might be targeted, since any iPhone, including the newest models on the newest release, can now be jailbroken.
This means that anyone with physical access to your unlocked phone can take complete control of it. There are also reports of individual developer certificates being used to sign malware and deliver it over the air (OTA).
The benefit to an attacker of using a developer certificate is that once you know your target's device UDID, you can sign apps against an ad hoc provisioning profile listing that UDID; such apps install and run without the trust step in Settings > General > Device Management that enterprise-signed apps require.
Put together, this means that 30 seconds of access to an unlocked device is enough to fully compromise it:
- The device is briefly unlocked and handed to someone in a semi-trusted relationship
- The attacker opens a short link that points at an OTA download
- The app installs because it is signed by a developer certificate covering this device
- (This works equally well for modified, re-signed versions of popular apps)
- On a trigger such as the next reboot, or at a fixed hour, the app jailbreaks the device and starts the OpenSSH daemon
- The attacker remotely removes the jailbreak app and keeps access to the device until Apple ships a fix (the jailbreak covers every version up to and including iOS 13.5)
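The distribution model of the signing profile decides whether the victim ever sees a trust prompt, so a responder handed a suspicious IPA wants to read its `embedded.mobileprovision`. The script below is an added example for this post, not code from unc0ver, Pwn20wnd or iOS App Signer. It pulls the XML plist out of the CMS envelope (without verifying the signature, which is fine for triage but not for a trust decision) and classifies the profile as enterprise (installs anywhere, trust prompt required), ad hoc/development (only the listed UDIDs, no trust prompt) or App Store, flags an expired profile, flags a wildcard `application-identifier` (`TEAMID.*`), which is what lets one profile re-sign arbitrary apps, and checks whether a given UDID is covered. The two profiles and the UDID at the bottom are constructed sample data, not real profiles.

```python
"""Triage an iOS provisioning profile (embedded.mobileprovision) from an IPA.

Added example for the post above; not code from unc0ver, Pwn20wnd or
iOS App Signer. A real embedded.mobileprovision is a CMS (PKCS#7) blob
wrapping an XML plist. This extracts the plist WITHOUT verifying the
signature (fine for triage, not for trust decisions) and answers the
questions that matter for the OTA scenario in the post.
"""
import datetime
import plistlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProfileSummary:
    name: str
    team: str
    model: str                    # "enterprise", "adhoc_or_dev" or "appstore"
    trust_prompt: bool            # will iOS ask the user to trust the developer?
    wildcard_app_id: bool         # can this profile sign any bundle id?
    expired: bool
    udid_allowed: Optional[bool]  # None when the model does not list devices


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist inside the CMS envelope. The signature is not
    checked here; a tampered or self-signed profile parses just as well."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile: dict, udid: Optional[str] = None,
             now: Optional[datetime.datetime] = None) -> ProfileSummary:
    """Decide which distribution model the profile uses and whether `udid`
    could install an app signed with it. `now` is naive UTC, matching the
    naive datetimes plistlib returns for <date> values."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    devices = profile.get("ProvisionedDevices")
    if profile.get("ProvisionsAllDevices"):
        # Enterprise / in-house: any device, but the user must trust the
        # developer under Device Management before the app will launch.
        model, prompt, allowed = "enterprise", True, None
    elif devices is not None:
        # Ad hoc / development: only the UDIDs listed, no trust prompt.
        model, prompt = "adhoc_or_dev", False
        allowed = (udid in devices) if udid is not None else None
    else:
        # Neither key: App Store distribution, installed through Apple only.
        model, prompt, allowed = "appstore", False, None
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    return ProfileSummary(
        name=profile.get("Name", ""),
        team=",".join(profile.get("TeamIdentifier", [])),
        model=model,
        trust_prompt=prompt,
        wildcard_app_id=app_id.endswith(".*"),
        expired=profile["ExpirationDate"] < now,
        udid_allowed=allowed,
    )


def triage(blob: bytes, udid: Optional[str] = None) -> ProfileSummary:
    """Convenience wrapper: raw embedded.mobileprovision bytes -> summary."""
    return classify(extract_plist(blob), udid)


# --- constructed sample input (made-up profiles, not real ones) -------------
def _fake_profile(plist: dict) -> bytes:
    """Stand-in for the CMS envelope: junk bytes around the plist."""
    return b"\x30\x82\x0b\xad" + b"\x00" * 16 + plistlib.dumps(plist) + b"\xaa" * 8


TARGET_UDID = "00008030-000123456789ABCD"   # made-up device UDID

ADHOC_PROFILE = _fake_profile({
    "Name": "Resigned Popular App",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": [TARGET_UDID, "00008020-000FEDCBA9876543"],
    "Entitlements": {"application-identifier": "ABCDE12345.*"},
    "ExpirationDate": datetime.datetime(2099, 1, 1),
})

ENTERPRISE_PROFILE = _fake_profile({
    "Name": "In-House Distribution",
    "TeamIdentifier": ["ZZZZZ99999"],
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ZZZZZ99999.com.example.app"},
    "ExpirationDate": datetime.datetime(2019, 1, 1),
})

if __name__ == "__main__":
    for blob in (ADHOC_PROFILE, ENTERPRISE_PROFILE):
        print(triage(blob, TARGET_UDID))
```

On a real sample, unzip the IPA and feed `Payload/<App>.app/embedded.mobileprovision` to `triage()`; an ad hoc profile that lists the victim's UDID and carries a wildcard app identifier is exactly the combination the scenario above relies on. Because the signature is not verified, treat the output as a lead, and confirm the signer separately before drawing conclusions about who issued the certificate.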
The re-signing step is made easy by powerful open source projects like iOS App Signer, which lets you re-sign any app with any certificate you hold, malware included.