It is hard to imagine that hacker can jailbreaks Apple iphone device over the air! Oh, a national level of action task can do anything! No need to mention this news too much. You can find out the details when you do a google search, right? OK, we discuss those vulnerabilities into a little bit details. There are total no. of three vulnerabilities found by security experts (CVE details shown as below):
CVE 2016-4657: WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
CVE 2016-4656: The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
CVE 2016-4655: The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
Surprise, it jailbreak the iPhone over the air!
Step 1. Hacker lure the victim execute a click on SMS, a automatic redirect action engaged and forward iPhone to web site (sms.webadv.co) and download the payload immediately.The objective is going to delivery WebKit applications vulnerability.
Attacking WebKit Applications by exploiting memory corruption bugs:
Every WebKit object is RefCountedBase object
Mobile Safari and most of WebKit Apps leak address – Fill in another object and use the JS pointer of the old object to read information of the new object
Step 2.1: CVE-2016-4656 (Kernel Information Leak Circumvents KASLR)
It is the most difficult part because Kernel Address Space Layout Randomization
(KASLR) mapping the kernel into different and unpredictable locations in memory. The attacker has found a way to locate the kernel by using a function call leaks the kernel’s actual memory location to be mapped. For instance, it is possible to leak information about memory layout using format string vulnerabilities.
Remark: format string exploits can be used to crash a program or to execute harmful code
Step 2.2: CVE 2016-4657 (Memory Corruption in Kernel leads to Jailbreak)
Observation – Why was apple only release the patch can fix this design bug?
Predict that Apple added their own privilege checks in the kernel; only processes which pass these checks are allowed to use JIT.
Is that mean the national security agency can export the data from iphone? There is no need to request escrow key from Apple?
Since above flaws let mobile phone compromised. Hacker can remote control the phone for recording voice call, take photo shot send to their end. The personal data inside iphone is available to export. From technical point of view, there is no need to request escrow key! See how important of the overall design? Although the crypto mechanism integrate to hardware mitigate the risk, however a flaw such a way crack down the Apple protection wall!