Over the weekend, German security wiz i0n1c posted a snap demonstrating an iOS 7.1.1 untethered jailbreak, and whilst it seems less than likely that a public release is on the cards any time soon, it’s certainly an intriguing and exciting inroad in the battle against Apple’s own security team.
i0n1c – real name Stefan Esser – is a prolific member of the jailbreak community, and has almost single-handedly jailbroken several editions of iOS in the past. And now, i0n1c’s work has stepped things up a notch, with the more recent, A6-running iPhone 5c having been jailbroken using a single kernel exploit on iOS 7.1.1, and after showing off his work by means of Twitter, he has now offered some details on how it’s all done.
Most untethered jailbreaks comprise a series of exploits ranging from kernel to userland, and a combination of these different keys allows a bunch of doors to be opened sequentially and reach the promised land of a jailbreak. But in this case, the technique pertaining to the specific kernel bug in question is hidden within iOS’s functionality, and as such, is said to be easily repeatable. By essentially recycling this ubiquitous exploit technique, i0n1c was able to jailbreak the iPhone 5c running iOS 7.1.1.
i0n1c elaborates, noting that the kernel exploit can "easily reached even from within the iOS application sandbox," and as such,"the exploit code can be used to break out of any application that you exploit." Of all the post-iOS 4 jailbreaks, only Comex’s JailbreakMe 3.0 and the more recent p0sixspwn jailbreaks have been able to do this, and with iOS 8 on the horizon, this a very encouraging bit of progress.
The most promising tidbit of info to take away from i0n1c’s explanation, however, is that the exploit is apparently very easy to deliver, and we could be in line for a partial demonstration clip of how it all works in the next couple of weeks.
Potential initial injection vectors for such an exploit are:
exploit against an internal app like MobileSafari
exploit against any vulnerable app from the AppStore
exploit from within a developer/enterprise app
Considering that there is no month without some Safari/WebKit vulnerability becoming public and that many AppStore applications are linking against old and vulnerable libraries it is therefore quite easy to deliver this exploit. Especially because applications downloaded from the AppStore and put into a backup do not go away and can be re-exploited in the future. We will show this within the next few weeks.
i0n1c is often abused by jailbreak fans for not releasing jailbreaks on tap, but his work has been pivotal to end-user jailbreaking tools of the past. His SektionEins company initially discussed the posix_spawn vulnerability that eventually spawned the p0sixspwn jailbreak tool, so even though we can understand your eagerness to jailbreak your iOS device, please refrain from pushing any negativity in the direction of those who make these things possible in the first place.