Skip to content

Top Best Ask Show New Jobs

Tethered Jailbreaks Are Back (opens in new tab)

(blog.trailofbits.com)

143 pointsdguido6y ago117 comments

117 comments

48 comments · 11 top-level

nerdbaggy6y ago· 12 in thread

Interesting that the writers of this article are a company that sells a library to help developers detect their app running on jailbroken devices. https://blog.trailofbits.com/2017/10/12/ios-jailbreak-detect...

Trail of Bits sells a jailbreak detection app the same way Ikea sells Swedish Meatballs. It's good jailbreak detection, but it's hardly what Trail is about.

dguidoOP6y ago

lol that's a great analogy! Yes, this is a small project for roughly one person at our company of 50. It's something we felt like we could contribute so we had fun with it. We already invested all the time elsewhere to master iOS. It's one of those 30 minutes + 15 years experience things.

Makes sense given how they try and spin this is only good for pirates (and researchers), because they would be the only ones who would like a jailbroken device.

baroffoos6y ago

A decade of corporate brainwashing has convinced people that only criminals want to control the device they own.

saagarjha6y ago

Ah, yes, the bane of Apple engineers everywhere.

>library to help developers detect their app running on jailbroken devices

How does this work? I thought iOS apps are sandboxed to an extent where it shouldn't be possible to snoop around to determine which processes are running and such.

js26y ago

A jailbroken device allows apps to do things that a non-jailbroken device does not.

I maintain my company's in-house mobile app crash reporting system and I had to remove jailbreak checks from our iOS SDK. It turned out that some of the checks were causing crashes themselves due to buggy anti-jailbreak-detection code some jailbroken devices had in place. e.g. checking whether a file could be accessed that normally iOS disallows would end up causing a crash instead of just a permission error.

Instead, I just do some basic server-side detection. Basically, looking for libraries loaded into the app (e.g. cydia) that are only present on jailbroken devices. Some jailbreaks don't even try to hide their presence.

I don't know what iVerify does. I hadn't heard of it before. I'm curious how it avoids crashes though... perhaps it avoids invoking any dynamic system calls.

dguidoOP6y ago

We discovered/developed a suite of side channels that let us indirectly read iOS system state from inside the sandbox. There are many different checks across unknown deviations, known jailbreak files and utilities, and runtime behaviors that help us narrow down whether your phone has been modified. It's not perfect, but it's the best you can do from within the Apple App sandbox.

Lt_Riza_Hawkeye6y ago

I assume you make a new mach-o file that hasn't been signed by apple and try to exec into it. If it runs, definitely jailbroken. Obviously a jailbroken phone could load a kernel module that detects this and stops it from running in this specific case, leading to a cat and mouse game between jailbreak developers and these apps. iBooks tried this once.

nerdbaggy6y ago

Couldn’t tell you, I know as much as that article says. But I’m guessing that’s part of their secret sauce

SomeOldThrow6y ago

Interesting that Apple forces you to use your device on their terms :)

since the release of ios 13 it has had multiple updates :)

jasonhansel6y ago· 10 in thread

Honestly, if there's a real security risk, I'm surprised Apple hasn't recalled the phones or offered to repair them. Unpatchable firmware flaws are (or should be) no different from hardware flaws in this respect.

> if there's a real security risk

There is, but it's not that great. You need physical access to the device and it won't be persistent (a reboot will clean it).

dguidoOP6y ago

It certainly will _feel_ persistent if you're successfully attacked with this technique.

If your iOS software is swapped out for a version with a backdoor, then the attacker will have collected your passwords and authentication tokens to services you use. If you reboot to clear the backdoor (and let's be honest: no one reboots their phones), then you won't also "clear" your attacker's memory of all your passwords.

jplayer016y ago

> You need physical access

I don't understand why people keep downplaying this. The whole point of a secure phone is that the data can't be accessed even with physical access.

Anything electronic connected via the lightening port has physical access for example: a charger. A charger could be programmed to let a device in a low battery state to run the rest of the way down to empty to cause a reboot before starting to recharge. Not undetectable. But typical users would probably assume user error or a faulty charger before suspecting malware.

Tepix6y ago

Are you saying if an evil government puts a backdoor on my phone while I'm at customs, can I just reboot twice to completely get rid of it reliably?

But this hack also allows exfiltration of data from your phone, doesn't it?

nerdbaggy6y ago

Apple isn’t really known for doing recalls until they absolutely have to

"Take the number of 'iPhones' in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."

A modified version of the movie quote to fit the discussion

Which makes sense too. If Apple was negligent in the security space and these flaws were common then I would be all for a recall.

But Apple clearly has not been negligent in this space and they really have put forth best effort.

Angostura6y ago

You're talking about 100s of millions of devices - I can see why Apple would prefer not.

n10006y ago

With roughly 1 billion iOS devices in use that might be an expensive recall.

HeWhoLurksLate6y ago· 7 in thread

Yay!

I have fond memories of my friends (and eventually me, on the family iPad) jailbreaking our devices and doing stuff with them.

A lot of the things I saw from jailbreaks were incorporated into later iOS updates- I'm curious (and excited!) to see what develops out of this wave.

a proper firewall (not just safari content filtering or dns blocking) would be wonderful, one with a nice enough UI, like hands off or little snitch on mac.

there used to be firewall ip and protect my privacy on cydia, but both of those seem to no longer be maintained.

jimmaswell6y ago

What's the point now that we have Android?

GarageBand. iMovie. Both of which can have their projects opened in Logic Pro or Final Cut, an irreplaceable workflow for which there is no Android equivalent. Audio Bus. Not Google. For me, ARkit is huge for some hobby projects.

jdc6y ago

Lower latency: https://danluu.com/input-lag

So far, only iOS can run on iDevices, which means if you want to use Apple hardware you have to use iOS.

voltagex_6y ago

Android appears to be about to lose the ability to run downloaded executables (see Termux), but this also has nothing to do with the discussion.

paulcarroty6y ago

iOS doesn't sent your every click to Google?

https://digitalcontentnext.org/wp-content/uploads/2018/08/DC...

rodgerd6y ago· 4 in thread

This will delight the one person in ten thousand who wants to jailbreak their own phone, and the border police in Australia (mandatory scans of phone required on demand), or China, or stalkerware retailers, or repair shops who like to rat around on customers' phones.

Guess which will be the more common use?

heavyset_go6y ago

You can already assume that states are sitting on exploits that they've found or bought, and that they can compel companies to provide some form of access via NSLs or secret courts.

randyrand6y ago

only more advanced states.

fourthark6y ago

Reboot your phone if you know you have given it to someone you don't trust.

This is a persistent compromise. That will not help.

alecmg6y ago· 2 in thread

> We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU.

This makes no sense. The data of these VIPs is not in (more) danger due to this new jailbreak appearing. It sounds like a cheap trick to make people buy new phones.

"checkm8 doesn't allow law enforcement to decrypt the phone, but it does allow them to rootkit it with 30 seconds of unattended access. Once it's unlocked by the user they'd get everything they need."

That sounds like something more than a little worrying to the listed groups of people, no?

yjftsjthsd-h6y ago

So if the phone is out of your sight, reboot. And now you're clean again.

CalChris6y ago· 1 in thread

I jailbroke my old iPhones but that was in an earlier less featureful iOS era. I wonder what hackers will be able to provide such that I'd do it on an SE. Curious now as much as I am skeptical.

jquery6y ago

All I wanted is a mirrored CarPlay option with a cursor for people who use a joystick instead of a touchscreen. I know this exists in the jailbreaking community (minus the cursor).

ryeights6y ago· 1 in thread

Are there potential disadvantages involved with “demotion” to enable JTAG? From what I understand the process is permanent (eFUSE?) but it seems like a fun thing to play around with

ronsor6y ago

Jailbreaking is software based and doesn't actually void your warranty. Demotion will.

js26y ago

Prior discussion:

https://news.ycombinator.com/item?id=21099996

anfilt6y ago

If anything this should be a boon to users. It allows them fully to use their devices they own. Honestly, it is inexcusable that apple makes users have to hack their own devices. You should have the option similar to enabling or disabling secure boot on your PC.

dusted6y ago

Oh, here's a biz idea: build exploit into device, then when you've got something better/stronger/faster to sell, you leak the exploit and let the press urge people to buy your latest.

nallerooth6y ago

As I see it, the effect of this is twofold. While it's bad for (at least some of) the iDevice users who carry sensitive data - it might also be just the thing that makes those users buy a new device. I guess that would be a "good" security issue in Apple's book.

And no, I'm not implying that Apple has designed this security flaw in order to sell more devices.

j / k navigate · click thread line to collapse