Apple has mistakenly made it a bit easier to hack iPhone users who are on the latest version of its mobile operating system iOS by unpatching a vulnerability it had already fixed. Hackers quickly jumped on this over the weekend, and publicly released a jailbreak for current, up-to-date iPhones—the first free public jailbreak for a fully updated iPhone that’s been released in years.
Security researchers found this weekend that iOS 12.4, the latest version released in June, reintroduced a bug found by a Google hacker that was fixed in iOS 12.3. That means it’s currently relatively easy to not only jailbreak up to date iPhones, but also hack iPhone users, according to people who have studied the issue.
Videos by VICE
“Due to 12.4 being the latest version of iOS currently available and the only one which Apple allows upgrading to, for the next couple of days (till 12.4.1 comes out), all devices of this version (or any 11.x and 12.x below 12.3) are jail breakable—which means they are also vulnerable to what is effectively a 100+ day exploit,” said Jonathan Levin, a security researcher and trainer who specializes in iOS, referring to the fact that this vulnerability can be exploited with code that was found more than 100 days ago.
Have a tip about Apple or a Apple-focused security company? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com
Pwn20wnd, a security researcher who develops iPhone jailbreaks, published a jailbreak for iOS 12.4 on Monday. For years, jailbreaks have been held closely to the chest by security researchers, because the ability to jailbreak an iPhone means the ability to hack it. As we’ve reported several times, exploits for the iPhone can sell for millions of dollars, which means that no one has been willing to release jailbreak code publicly because Apple will quickly patch it.
A security researcher who hacks iPhones for a living, and who spoke on condition of anonymity because he wasn’t authorized to speak to the press, said that organizations that have the expertise to target iPhones can now use a bug in Safari, for example, to “ hack any up to date iPhone.” While it’s still not trivial to hack an iPhone remotely—even with the availability of this bug—the barriers to entry are now much lower.
Apple did not immediately respond to a request for comment.
Ned Williamson, a security researcher at Google, confirmed that the old exploit that was once patched by Apple works on his iPhone XR.
“A user apparently tested the jailbreak on 12.4 and found that Apple had accidentally reverted the patch,” Williamson told Motherboard.
Pwn20wnd, the researcher who developed the jailbreak, told Motherboard that “somebody could make a perfect spyware” taking advantage of Apple’s mistake. For example, he said, a malicious app could include an exploit for this bug that allows it to escape the usual iOS sandbox—a mechanism that prevents apps from reaching data of other apps or the system—and steal user data.
Another scenario is a hacker including the exploit in a malicious webpage, and pairing it with a browser exploit, according to the researcher.
“It is very likely that someone is already exploiting this bug for bad purposes,” Pwn20wnd said.
Several iPhone users on Twitter claimed to have successfully jailbroken their up to date iPhones with Pwn20wnd jailbreak.
iPhone security experts are warning users to be careful what apps they download.
“I hope people are aware that with a public jailbreak being available for the latest iOS 12.4 people must be very careful what Apps they download from the Apple AppStore,” Stefan Esser, a well-known researcher who teaches iOS hacking, wrote on Twitter. “Any such app could have a copy of the jailbreak in it.”
A previous version of this story stated that Ned Williamson worked at Project Zero, he actually is not part of the team but works with them sometimes. Also, the story originally stated that Williamson confirmed that the jailbreak works, but he actually only confirmed that the exploit works. We regret the errors.
Subscribe to our new cybersecurity podcast, CYBER.