
We’ve been expecting an iOS7 jailbreak tool for some time. After all, researchers have been working towards this for the past few months, and the rumor mill was working overtime. Timing its release on 22nd of December, evasi0n7 JB was one holiday gift we weren’t excited about.

Overview

A jailbreak removes all the built-in iOS security mechanisms (such as the iOS Sandbox model). Ultimately, it enables the execution of non-Apple certified code.

The evasi0n7 JB is the first jailbreak tool which affects all iOS7-based devices – versions 7.0-7.0.4. Moreover, it leaves the device in a jailbroken state even after a device reboot (an “untethered jailbreak”). Behind the scenes, the jailbreak performs a series of exploits of operating system and firmware vulnerabilities.

The tool itself requires a physical connection to the mobile device (i.e. a cable between the computer and the device). Once the jailbreak is performed, it installs a non-official Cydia – an app marketplace for non Apple-certified apps.

Installation (and Deactivation) of Taig – a Chinese app marketplace

Interestingly, if evasi0n7 JB identifies that the computer running the jailbreak has Chinese set as its main operating system language, then the Chinese 太极 (taiji / Taig) market app is installed. That said, evad3rs – the team behind evasi0n7 – updated their tool today to disable the installation of Taig, on the grounds of app piracy activity in Taig.

Risks

Jailbreaking devices poses a huge security risk on iOS-based devices. An adversary carrying out a jailbreak can perform any one of the following activities against their victim’s mobile device:

  • Obtain full control of the smartphone/tablet and bypass the iOS sandbox model.
  • Run code under administrator privileges.
  • Retrieve various files and sensitive information on the device.
  • Bypass enterprise data protection applications, including: Secure Containers, Wrappers, and hardened banking and financial applications. Consequently, the attacker can gain access to encrypted and sensitive corporate information such as emails, confidential documents and passwords.
  • Inject a persistent backdoor on the device.
  • Install existing commercial mobile surveillance software from a non Apple-certified market (e.g. Cydia).

Mitigation

It is important to note that customers of Lacoon Mobile Security are alerted to any jailbreak attempt on an employee’s device.

Organizations should follow these general mitigation best-practices:

  • Employees should be instructed not to use the evasi0n7 JB tool to jailbreak their devices.
  • Employees should be instructed to be vigilant with regard to the physical security of their iOS devices, so as to prevent the installation of evasi0n7 JB (the tool requires a cable connection to the device).
  • Detect the jailbreaking of employees’ devices. As mentioned, Lacoon MobileFortress detects devices jailbroken with evasi0n7 JB. Various MDM solutions are capable of detecting the jailbreak only when the MDM application is opened by the user. Since users do not always open their MDM application, employees should be encouraged to do so.

Technical Notes

We have tested this recent jailbreak on numerous iPhone devices running 7.x and we can confirm that it affects: iPhone 5s, 5c, 5, 4s, and 4.

Unfortunately, for now, Apple is remaining silent on the details of the vulnerabilities exploited by evasi0n7 JB. For those looking for further technical details, you can find some of them here:

Update Dec. 28: Commercial mobile surveillance software requires a jailbreak in order to be installed on user devices. We’ve noticed that mSpy – one such commercial mobile surveillance product – has already updated its website to include support for iOS7. Anecdotally, mSpy is also the top contributor to https://isios7jailbrokenyet.com/ – a crowd-funding open source effort towards an iOS7 jailbreak.