
The Bug That Started the iOS 9 Jailbreak

This vulnerability opened the way for researchers to hack Apple's latest OS.

Earlier today, Chinese hacker group Pangu announced the world's first jailbreak of iOS 9, Apple's latest operating system for its mobile devices. According to someone who was credited with assisting in the research, one of the vulnerabilities used by Pangu to hack into devices is actually not that hard to take advantage of.

The bug is "fairly easy to exploit, but it takes some skill to get it reliable," the vulnerability researcher Luca Todesco told Motherboard in an online chat. Todesco has developed his own jailbreaks for iOS in the past.


"The amazing thing is that it can be easily exploited without any other info leak bug, which doesn't happen often in these kinds of bugs," he added.

When jailbreaking a phone, there are a few crucial steps, Todesco explained. One of those is gaining the ability to change the kernel—the heart of the operating system. From here, it might be possible to get rid of Apple's baked-in limitations on what a researcher can do. That's "the whole point of jailbreaking," as Todesco described it.

Todesco discovered a kernel bug in his own research, he told Motherboard, and then provided this information to the researchers at Pangu. They were actually already aware of the bug, but "weren't focusing on it since they weren't aware of some details of it," Todesco said. "They needed something that worked without root privileges for their initial stage."

"I had been looking at the code for quite a while; TaiG used a bug in the same code," he added. (TaiG is another Chinese jailbreaking team, who have had a number of successes over the years.) "I actually spotted it while doing exploitation of TaiG's bug."

The vulnerability itself is in how iOS handles human interface devices (HIDs), such as touchscreens and keyboards, Todesco said.

"The code allows you to create a virtual device," Todesco explained, but when the hacker then terminates this virtual device, he or she can carry on performing operations on it. In other words, the kernel keeps acting on an object that has already been torn down, the pattern behind use-after-free bugs.

This would then lead to code execution in the kernel, and eventually the full-on jailbreak.
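To make the bug class concrete, here is an added illustration in C. It is not Apple's code and not the actual iOS 9 vulnerability; the device table, the handle layout and the function names (`vdev_create`, `vdev_terminate`, the two `vdev_lookup_*` variants) are all invented for this example. It models a kernel-style table of "virtual devices": a client creates one, terminates it, and keeps using the old handle. The vulnerable lookup trusts the handle and lands on whatever now occupies the recycled slot; the hardened lookup stamps each handle with a generation counter that terminate invalidates, so the stale handle is refused.

```c
/* Added illustration of the use-after-terminate pattern described above.
 * Not Apple's code and not the real iOS bug: the table, handle format and
 * names are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEVICES 4

typedef struct {
    int      live;          /* 1 while the device exists */
    uint32_t generation;    /* bumped on every terminate; only the hardened path checks it */
    char     owner[16];     /* which client created the object currently in this slot */
    uint32_t report_count;  /* stands in for "operations" a client performs on the device */
} vdevice_t;

static vdevice_t table[MAX_DEVICES];

/* Handle = slot index in the low 16 bits, generation in the high 16 bits. */
typedef uint32_t handle_t;
static handle_t make_handle(int slot, uint32_t gen) { return ((gen & 0xffffu) << 16) | (slot & 0xffffu); }
static int      handle_slot(handle_t h)             { return (int)(h & 0xffffu); }
static uint32_t handle_gen(handle_t h)              { return h >> 16; }

/* Create: take the lowest free slot, i.e. freed memory is reused promptly,
 * just as a kernel allocator hands a recently released chunk to the next caller. */
int vdev_create(const char *owner, handle_t *out)
{
    for (int i = 0; i < MAX_DEVICES; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            table[i].report_count = 0;
            strncpy(table[i].owner, owner, sizeof table[i].owner - 1);
            table[i].owner[sizeof table[i].owner - 1] = '\0';
            *out = make_handle(i, table[i].generation);
            return 0;
        }
    }
    return -1;
}

/* Terminate: free the slot and invalidate every handle issued for it. */
void vdev_terminate(handle_t h)
{
    vdevice_t *d = &table[handle_slot(h)];
    d->live = 0;
    d->generation++;
}

/* VULNERABLE lookup: only bounds-checks the slot index. A client that keeps
 * its handle after terminate still reaches the slot, and if the slot has since
 * been handed to someone else it now operates on that other object. */
vdevice_t *vdev_lookup_vulnerable(handle_t h)
{
    int slot = handle_slot(h);
    if (slot >= MAX_DEVICES) return NULL;
    return &table[slot];
}

/* HARDENED lookup: the slot must be live AND the handle must carry the
 * generation that was current when it was issued. Stale handles are rejected. */
vdevice_t *vdev_lookup_hardened(handle_t h)
{
    int slot = handle_slot(h);
    if (slot >= MAX_DEVICES) return NULL;
    vdevice_t *d = &table[slot];
    if (!d->live || d->generation != handle_gen(h)) return NULL;
    return d;
}

/* The scenario from the article: create, terminate, keep operating on the
 * terminated device. Returns the owner name the stale handle ends up writing
 * to, or "" if the lookup refused the handle. */
const char *stale_handle_scenario(int hardened)
{
    memset(table, 0, sizeof table);
    handle_t attacker, victim;
    vdev_create("attacker", &attacker);
    vdev_terminate(attacker);              /* slot 0 is free again */
    vdev_create("victim", &victim);        /* ...and is immediately reused by another client */

    vdevice_t *d = hardened ? vdev_lookup_hardened(attacker)
                            : vdev_lookup_vulnerable(attacker);
    if (!d) return "";
    d->report_count++;                     /* "carry on doing operations to it" */
    return d->owner;
}

/* Sanity check that the hardened path still accepts a freshly issued handle. */
int fresh_handle_is_accepted(void)
{
    memset(table, 0, sizeof table);
    handle_t h;
    if (vdev_create("client", &h) != 0) return 0;
    vdevice_t *d = vdev_lookup_hardened(h);
    return d != NULL && strcmp(d->owner, "client") == 0;
}

int main(void)
{
    printf("vulnerable: stale handle reaches the object owned by '%s'\n", stale_handle_scenario(0));
    printf("hardened:   stale handle resolves to '%s' (rejected)\n", stale_handle_scenario(1));
    return 0;
}
```

In the vulnerable case the stale handle silently modifies the victim's object, which is the confusion an exploit builds on: the attacker controls what gets allocated into the recycled slot and then drives the stale reference into it. The generation stamp is one of several standard fixes; a kernel could equally hold a reference on the object for as long as any handle to it exists.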