Drive-by iOS jailbreak sparks security concerns

Posted by STARR KESHET

The recently launched JailBreakMe website allows users to easily crack a variety of mobile Apple devices. However, the drive-by patch has also sparked serious concern amongst numerous security researchers.

For example, Graham Cluely of Sophos warns that JailBreakMe is not just a headache for Apple, but likely portends future attacks by malicious elements.

"Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.

"The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files - specifically its handling of fonts."

"[So], if simply visiting a website with your iPhone can cause it to be jailbroken - just imagine what else could hackers do by exploiting this vulnerability? 



"[Clearly], Cybercriminals would be able to create booby-trapped webpages that could - if visited by an unsuspecting iPhone, iPod Touch or iPad owner - run code on visiting devices without the user's permission."

Meanwhile, the German government has issued an official warning over "two critical weak [iOS] points for which no patch exists."

According to the Federal Office for Information Security, a manipulated website or PDF file could allow cybercriminals to spy on passwords, planners and emails.

As such, the Office recommends users avoid opening untrusted PDF files and websites.