The iOS jailbreaking community is, I personally believe, the most active mobile OS hacking community today. The community itself is pretty small, but they are pretty productive and regularly release jailbreaks (untethered or otherwise), exciting new tweaks on Cydia and amazing themes. This may be due to the fact that iOS works only on a handful of devices, but the fact is: these guys are simply amazing.
One such hacker is i0n1c who, today, released an amazing presentation on iOS Kernel Exploitation. Read more about it, after the jump.
For the uninitiated, Stefen “i0n1c” Esser is a security researcher from Germany. He is famous among the jailbreaking community for having found the exploit to jailbreak iOS 4.3.1 untethered. This exploit was used for jailbreaking iOS 4.3.2 and 4.3.3 (JailbreakMe used another exploit) but it was patched by Apple in iOS 4.3.5 and the upcoming iOS 5.
The presentation released today (which was given by i0n1c at Blackhat Security Conference in August) is 97-pages long and consists of a lot of highly technical details that goes beyond the understanding of your average Joe as i0n1c talks about stack buffer overflows and heap buffer overflows which are used to exploit the kernel (the component of iOS which acts as a bridge between software and the hardware) and ultimately, how this exploit is used to jailbreak the device.
Here is a brief description of what to expect from the entire presentation:
The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled “Targeting the iOS Kernel” already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.
This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.
The most interesting thing I personally found inside the presentation is the hardware that i0n1c used to find the kernel exploits: a 470kΩ resistor, 2 mini-USB-B to USB-A cables, a breakout USB to Serial board and a PodGizmo connector which are connected as shown above.
If you’re interested in iOS development and have some knowledge of how jailbreaking works, you might want to give i0n1c’s presentation a read.
Download i0n1c’s iOS Kernel Exploitation Presentation [DIRECT LINK]