The Jailbreaking Community Is Bracing for Google to Publicly Drop an iPhone Exploit
A Google researcher announced that he is planning to release a powerful tool for iOS 11 that the security community thinks it can use to jailbreak the iPhone.
Image: Shutterstock/Google/Composition: Louise Matsakis
Until recently, there were many talented hackers—known as jailbreakers—trying to break into the iPhone to open up Apple’s notoriously closed operating system, and for the thrill of the challenge. The iPhone was, and still probably is, the most secure consumer computing device on the planet. The days of people dropping one-click iPhone jailbreaks on the internet are long gone. There are still security researchers hacking iOS, but the bugs they find are so rare that they often sell them to brokers for upwards of a million dollars.
Because exploits are so valuable, it’s been a long time since we’ve seen a publicly accessible iPhone jailbreak even for older versions of iOS (let alone one in the wild for an up-to-date iPhone). But a tweet sent by a Google researcher Wednesday has the security and jailbreaking communities in a frenzy. The tweet suggests that Google is about to drop an exploit that is a major step toward an iPhone jailbreak, and other researchers say they will be able to take that exploit and turn it into a full jailbreak.
It might seem surprising that an iPhone exploit would be released by Google, Apple’s closest competitor, but the company has a history of doing so, albeit with less hype than this one is garnering.
Ian Beer is a Google Project Zero security researcher, and one of the most prolific iOS bug hunters. Wednesday, he told his followers to keep their “research-only” devices on iOS 11.1.2 because he was about to release “tfp0” soon. (tfp0 stands for “task for pid 0,” the kernel task port; holding it gives you control of the core of the operating system.) He also hinted that this is just the first part of more releases to come. Apple patched and superseded iOS 11.1.2 only last week; it is extremely rare for exploits for recent versions of iOS to be made public.
Upon closer inspection, it makes sense that Google—a company that doesn’t need to make money by selling exploits—would release a jailbreak, or at least something that comes very close to being a jailbreak.
Project Zero is a Google team dedicated almost exclusively to finding bugs in other companies’ software. In the past, it has found bugs in antivirus engines and internet infrastructure companies, among others. Beer is Project Zero’s iOS specialist. In the latest security bulletin published by Apple for iOS 11.2, five of the 15 iOS 11.1.2 vulnerabilities that were patched were discovered and reported to Apple by Beer. Presumably, what Beer plans to release is something that he discovered and was recently patched by Apple.
A couple of caveats: Beer is probably not going to release a full, untethered jailbreak, meaning you will have to plug the phone into a computer to exploit it every time it boots up. But he is likely going to release the closest thing to a public jailbreak that anyone can find. iOS 11.1.2 is a nearly up-to-date operating system that was only superseded last week. For comparison, the most recent public jailbreak is only available for iOS 10 and it doesn’t work on the iPhone 7, according to a site that tracks jailbreak releases.
Security researchers believe that whatever Beer publishes—and thus far he hasn’t published anything—can be used to help them probe iOS for more bugs.
“They are releasing the bare minimum required to allow security researchers to research iOS,” said a former Apple security engineer who spoke on condition of anonymity because they signed a non-disclosure agreement with the company.
Marco Grassi, a researcher who’s done jailbreaks for Tencent’s Keen Lab, said that from Beer’s exploit it will “definitely be doable to make a complete jailbreak, especially for [iPhone] 6s and previous ones.”
That’s already happened before with other previous Beer iPhone exploits, which Luca Todesco, one of the best independent iOS security researchers, turned into a jailbreak for iOS 10.1.1.
Thursday, a day after Beer’s announcement, Jonathan Levin, the author of a series of books on iOS and Mac OS X internals, said on Twitter that he plans to release a dynamic library that developers and security researchers can integrate with Beer’s exploit. This dynamic library could help them develop a complete jailbreak by handling some jailbreak housekeeping operations, Levin told me in a Twitter direct message.
Researchers believe Beer’s exploit will help those who have complained that they don’t have easy access to special devices with fewer security features that would help them find more bugs. Sometimes, several iOS security researchers told me, you need to chain together several bugs or even jailbreaks to find other bugs.
Beer could not be reached for comment, and a Google spokesperson did not immediately respond to a request for comment. But there’s little reason to doubt his tweet: In the past, Beer has published similar exploits for iOS 10.1.1 and 10.3.2. He has also found several 0days in iOS.
An Apple spokesperson declined to comment, and said it’s still unclear what Beer will release. The spokesperson noted that for now it is just “something that’s hypothetical.”
What Beer seems ready to publish will likely allow researchers “to modify the kernel and debug any app,” according to Ryan Stortz, a security researcher at Trail of Bits who used to do iOS research. Stortz told me that it will still probably require the launch of an app for every reboot to jailbreak.
“It’s perfect for security research,” he said, “because you can now take over and control any app or service, which allows you to test its security boundaries.”
This type of exploit will likely help disable code signing, a mechanism that ensures only code digitally signed by Apple runs on the phone. But it would not make it straightforward to install Cydia, pirated apps, or malicious apps, according to the former Apple security engineer, who is familiar with these types of exploits.
“They would need some more vulnerabilities,” the engineer added, explaining that Beer’s exploits are tethered, meaning they don’t persist after reboot. “Most folks who want to jailbreak their phone want an untethered jailbreak, where you can reboot and all your pirated apps still work.”
Judging by the reactions to Beer’s tweet, many people expect a full jailbreak, and they’re probably going to be disappointed. But security researchers are bound to be excited by this upcoming release. Now, thanks to Google, they will more easily be able to achieve a full jailbreak for a version of iOS that many people are still using. So, a reminder: Update your software. Or if you’re a security researcher or have other reason to do it, happy hacking.