Recommended + Security News

iOS 9 Can Now Finally Be Remotely Jailbroken — but YOU Can’t Do It

Posted on November 2nd, 2015 by

iOS 9 remotely jailbroken

Bad news iOS 9 users. Someone has developed a way of jailbreaking your iPhone or iPad and spying on you, in a way that is currently unstoppable.

And don't for a second think that someone isn't going to be hit by the attack — because huge amounts of money have already been spent discovering how to do it.

Last month we told you how a group of Chinese hackers had found a way to jailbreak devices running iOS 9, opening the door for those who want to install unapproved apps onto iPhones and iPads.

There was, however, one big problem with Pangu Team's jailbreak — it required physical access to the device that you wanted to break into.

Now, that probably wasn't a problem if you wanted to jailbreak your own iPhone or iPad, but imagine if you were an intelligence agency with a keen interest in spying on someone's activity and communications without their knowledge. Requiring physical access to your target's device dramatically reduces the chances of successful snooping.

Well, if you are in the business of state-sponsored espionage you need fear no more. Vulnerability researchers have now developed a method of remotely jailbreaking the latest version of iOS.

Yes, just last month controversial vulnerability broker Zerodium announced that it was stumping up a one million dollar bounty for anyone who could provide them with a browser-based, untethered jailbreak for iOS 9 — and it seems someone has now achieved it.

If what Zerodium says is true, then it's now possible to jailbreak an iPhone running iOS 9 by simply tricking it into visiting a webpage hosting a zero-day exploit or sending it a boobytrapped SMS message.

The twist is, of course, that unless you have a large amount of money burning a hole in your pocket, Zerodium isn't going to let you have details of the jailbreak. In fact, it's perfectly possible that they won't make it available to Apple either — which means that our chances of getting a rapid fix to the vulnerability currently remain low.

Instead, Zerodium will be looking to claw back some of the hefty amount of cash it will have paid for the vulnerability, by selling it to those who have the desire and means to pay a large amount of money — such as intelligence agencies that would quite like to use it to the spy on targets such as foreign politicians, and military contractors.

And, of course, it's highly unlikely that anyone paying for the vulnerability will be keen to release details of the zero-day flaw publicly, potentially tipping off foreign states and intended targets to the surveillance danger.

In an interview with Wired, Zerodium's founder Chaouki Bekrar said that two teams had separately attempted to claim the iOS 9 jailbreak bounty, but one had only been partially successful with its exploit.

My guess is that even Apple — with the huge amount of money at its disposal — won't be keen to be bent over a barrel by vulnerability broker firms like Zerodium, and so the vulnerability won't be shared with the one group of developers that might be able to do everyone with an iOS device a favour, and provide an official patch.

The one silver lining, at least for now, is that because of the high expense of the new jailbreaking exploit it is unlikely to be used in a widespread attack — instead, whoever stumps up the cash is likely to use it in very targeted situations, hoping that the jailbreak doesn't leak into the wild, dramatically reducing its potency in future hacks.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • Gen. Chang

    Sorry Graham,I disagree. Some criminal enterprise will see dollar signs in hacking lots of iPhone holders with big bank accounts. Or information that they could sell to the highest bidder. They will have a field day with this,and Apples arrogant attitude will only prolong this massive vulnerability. I can hardly wait for the fanbois to start their delusional defense of Apple. They are really good at denying reality.

  • Bill Cole

    So that’s what, 5% of iOS users who are vulnerable? Maybe 10%? Chrome is currently shown in 50th place among free apps on the App Store, behind 7 other Google apps and Google doesn’t offer any share numbers less than 2 years old, but the StatCounter public numbers (which don’t break out browser & OS combinations) show that Safari handles >92% of iOS web browsing.

    If a vulnerability depends on a 3rd-party app that is used by a tiny minority of users, is it really fair to talk about it as a platform-level vulnerability?

    • burpfart

      Zerodium didn’t share whether or not the root exploit is performed through a 3rd party app, through a SMS/MMS, or through the safari browser. Because of the way that Apple secures it’s mobile ecosystem however, it is incredibly unlikely that the exploit would work through just Chrome and not also Safari. Since alternative browsers in iOS use the same mobile WebKit service to load pages, chances are that any browser exploits will work regardless if the browser you’re using. For example, JailbreakMe 3.0 worked using an error in Safari’s PDF loading system and if Apple allowed 3rd party browsers at the time, it would have worked in them too.

  • Dave Wall

    Interesting article thanks for sharing. This leaves me wondering about the legality of this competition from Zerodium and Apples potential reaction to it.

    Effectively Zerodium have staked big money to besmirch Apples’ security reputation. Which would be fine if they were going to share this with Apple, even if they were going to charge them a reasonable fee for doing so, covering their costs and profit margin. Instead they are going to sell to the highest bidder or have I misread??? Due to the nature of the vulnerability it’s unlikely that someone would put this to altruistic use. If this is ok to do where do you draw the line? Put out a competition for hacking a countries power infrastructure?

    In times when people go to jail because they write something inflammatory (potentially inciting a riot in London for instance) on facebook, that Zerodium would be allowed to publicly encourage this I find strange. If the vulnerability does leak, and you know there will be a lot of smart people looking for it now that they believe that it exists, will Zerodium be held accountable? There is also a good chance that the hackers (responsible people that I am sure they are) maybe tempted for a double pay day, and there is nothing to stop them using it themselves or selling it on to the kind of people that General Chang mentions in his comment.

    I’d be really interested in your opinion about this, as this sort of unethical hacking by proxy, will no doubt become more popular?