Browser-based iOS 'jailbreak' utilizes 'scary' PDF security hole

By Slash Lane

The latest browser-based "jailbreak" for iOS devices, including the iPhone 4, utilizes a PDF exploit that one prominent security expert called both "scary" and "very beautiful work."

Sean Sullivan, security advisor with F-Secure Corporation, revealed on Tuesday the technical details of the jailbreak process, which is done entirely in the Mobile Safari browser. The jailbreakme.com site includes 20 separate PDFs for different combinations of hardware and firmware.

The same PDF files rely on a corrupt font, and crash the Safari browser's Compact Font Format handler.

Sullivan also linked to comments made via Twitter by security researcher Charlie Miller, who was also analyzing the code behind the browser-based jailbreak.

"Very beautiful work," Miller wrote. "Scary how it totally defeats Apple's security architecture."

While the jailbreakme.com URL itself is not intended for malicious purposes, the PDF exploit it uses could be utilized by hackers to more nefarious ends. Miller said that with this method, a hacker does not need physical access to an iPhone, iPod touch or iPad -- they just simply need to have the user visit a vulnerable website.

Last year, Miller exposed a dangerous SMS exploit that could allow a hacker to remotely control an iPhone. He notified Apple of the flaw, and the company quickly released a patch to plug the exploit.

Apple is likely to quickly act once again and plug the vulnerability that affects all iOS devices -- all models of the iPhone, iPod touch and iPad. When that happens, hackers who want to jailbreak iOS devices to run unauthorized code and operating system modifications blocked by Apple will have to find another method.

The member of the iPhone Dev Team who goes by the handle "comex" said this week that he has other potential exploits he will look to when Apple inevitably patches the PDF flaw.

"Maybe I'll rely on USB based stuff for the next jailbreak so that Apple won't patch it so fast," he said.

Ironically, jailbreakers have already developed a workaround solution that can help users avoid being hacked through the PDF exploit. Developer Will Strafach on Tuesday released an application available on the jailbroken Cydia store that will warn users when a Mobile Safari page is loading a PDF file. The solution does not patch the hole, but helps to prevent users from visiting sites with all PDF files to avoid the exploit.