
Tethered Jailbreaks Are Back - dguido
https://blog.trailofbits.com/2019/09/27/tethered-jailbreaks-are-back/
======
HeWhoLurksLate
Yay!

I have fond memories of my friends (and eventually me, on the family iPad)
jailbreaking our devices and doing stuff with them.

A _lot_ of the things I saw from jailbreaks were incorporated into later iOS
updates. I'm curious (and excited!) to see what develops out of this wave.

~~~
jimmaswell
What's the point now that we have Android?

~~~
ladberg
So far, only iOS can run on iDevices, which means if you want to use Apple
hardware you have to use iOS.

~~~
jimmaswell
I hardly see any compelling reason to stick to Apple hardware.

~~~
14
Well, it appears Apple are really working towards user privacy as their main
sell, whereas Android is locked in with Google Play services, so though I do not
personally have a preference, I do know why some people choose Apple devices.

~~~
jimmaswell
You can disable Google Play Services on a rooted Android. Besides I'm pretty
sure all baseband CPUs have backdoors the carriers can tap into at any time.

~~~
Accacin
I keep hearing this argument, but if I'm buying an Android device I'm still
supporting Google and Android. The thing is, I don't want to support them at
all.

------
jasonhansel
Honestly, if there's a real security risk, I'm surprised Apple hasn't recalled
the phones or offered to repair them. Unpatchable firmware flaws are (or
should be) no different from hardware flaws in this respect.

~~~
wklauss
> if there's a real security risk

There is, but it's not that great. You need physical access to the device and
it won't be persistent (a reboot will clean it).

~~~
dguido
It certainly will _feel_ persistent if you're successfully attacked with this
technique.

If your iOS software is swapped out for a version with a backdoor, then the
attacker will have collected your passwords and authentication tokens to
services you use. If you reboot to clear the backdoor (and let's be honest: no
one reboots their phones), then you won't also "clear" your attacker's memory
of all your passwords.

~~~
tptacek
I reboot my phone once in a blue moon, but my phone reboots itself roughly
every other day (usually because I space on charging it). Am I that unusual,
or is "the phone is rarely going to reboot" not really a reliable predicate
for attackers?

~~~
ladberg
I similarly reboot my phone rarely, but my phone never runs out of battery. I
never charge it during the day (except if I'm using it for GPS in my car), and
it's just a routine to charge it at night. I don't think my current phone,
which I've had for about a year, has ever run out of battery.

------
nerdbaggy
Interesting that the writers of this article are a company that sells a
library to help developers detect their app running on jailbroken devices.
[https://blog.trailofbits.com/2017/10/12/ios-jailbreak-detect...](https://blog.trailofbits.com/2017/10/12/ios-jailbreak-detection-toolkit-now-available/)

~~~
krackers
>library to help developers detect their app running on jailbroken devices

How does this work? I thought iOS apps are sandboxed to an extent where it
shouldn't be possible to snoop around to determine which processes are running
and such.

~~~
js2
A jailbroken device allows apps to do things that a non-jailbroken device does
not.

I maintain my company's in-house mobile app crash reporting system and I had
to remove jailbreak checks from our iOS SDK. It turned out that some of the
checks were causing crashes themselves due to buggy anti-jailbreak-detection
code some jailbroken devices had in place, e.g. checking whether a file could
be accessed that normally iOS disallows would end up causing a crash instead
of just a permission error.

Instead, I just do some basic server-side detection. Basically, looking for
libraries loaded into the app (e.g. Cydia) that are only present on jailbroken
devices. Some jailbreaks don't even try to hide their presence.

I don't know what iVerify does. I hadn't heard of it before. I'm curious how
it avoids crashes though... perhaps it avoids invoking any dynamic system
calls.
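The server-side approach described in the comment above, as an added example that is not the commenter's code: it scans the "Binary Images" section of an iOS crash report and flags any loaded image that a stock device would not load. The expected-directory prefixes, the indicator name list and the sample report are all assumptions constructed for the example.

```python
import re

# Where dyld is expected to load images from on a stock iOS device (assumption;
# extend for app extensions or other layouts seen in your own crash reports).
EXPECTED_PREFIXES = (
    "/System/Library/",
    "/usr/lib/",
    "/private/var/containers/Bundle/Application/",
    "/var/containers/Bundle/Application/",
)

# Name fragments of well-known jailbreak components (illustrative, not exhaustive).
KNOWN_INDICATORS = ("cydia", "mobilesubstrate", "substrate", "substitute")

# One line of a crash log's "Binary Images" section:
# "0x1000e8000 - 0x1000fbfff MyApp arm64  <uuid> /path/to/MyApp"
IMAGE_LINE = re.compile(
    r"^\s*0x[0-9a-f]+\s*-\s*0x[0-9a-f]+\s+\S+\s+\S+\s+<[0-9a-f]+>\s+(/\S+)", re.I)

def loaded_images(crash_report):
    """Return the image paths listed under 'Binary Images:' in a crash report."""
    paths, in_section = [], False
    for line in crash_report.splitlines():
        if line.strip().startswith("Binary Images:"):
            in_section = True
            continue
        m = IMAGE_LINE.match(line) if in_section else None
        if m:
            paths.append(m.group(1))
    return paths

def jailbreak_indicators(crash_report):
    """Return loaded images a stock device should not have: anything outside the
    expected directories, or anything named after a known jailbreak component."""
    hits = []
    for path in loaded_images(crash_report):
        outside_system = not path.startswith(EXPECTED_PREFIXES)
        named_component = any(tag in path.lower() for tag in KNOWN_INDICATORS)
        if outside_system or named_component:
            hits.append(path)
    return hits

# Constructed sample report: two legitimate images plus one injected tweak library.
SAMPLE_REPORT = """Binary Images:
0x1000e8000 - 0x1000fbfff MyApp arm64  <00000000000000000000000000000001> /private/var/containers/Bundle/Application/ABCD/MyApp.app/MyApp
0x1a2b3c000 - 0x1a2b4cfff libSystem.B.dylib arm64  <00000000000000000000000000000002> /usr/lib/libSystem.B.dylib
0x1c0000000 - 0x1c000ffff MobileSubstrate.dylib arm64  <00000000000000000000000000000003> /Library/MobileSubstrate/MobileSubstrate.dylib
"""

if __name__ == "__main__":
    print(jailbreak_indicators(SAMPLE_REPORT))
```

Because the check runs on the report after the fact, nothing executes on the device, so it cannot trigger the crashes the comment describes; the trade-off is that a jailbreak that loads nothing into the app goes unnoticed.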

~~~
Bnshsysjab
Out of interest, why do you care if your users run your application on a
jailbroken device? It's been a question I've had for a while.

~~~
benbristow
Same reason as why rooted Android devices get blocked by certain applications.
Security for the user's sake. Usually it's financial applications (banking
etc.) and stuff with sensitive user information.

~~~
yjftsjthsd-h
As an Android user, this is super annoying: I rooted the device because I want
to control it. Now some stupid app comes along and claims that, for my own
protection (supposedly), they're going to break for me. It's insulting,
really.

------
js2
Prior discussion:

[https://news.ycombinator.com/item?id=21099996](https://news.ycombinator.com/item?id=21099996)

------
CalChris
I jailbroke my old iPhones, but that was in an earlier, less featureful iOS era.
I wonder what hackers will be able to provide such that I'd do it on an SE.
Curious now as much as I am skeptical.

~~~
jquery
All I want is a mirrored CarPlay option with a cursor for people who use a
joystick instead of a touchscreen. I know this exists in the jailbreaking
community (minus the cursor).

------
alecmg
> We strongly urge all journalists, activists, and politicians to upgrade to
> an iPhone that was released in the past two years with an A12 or higher CPU.

This makes no sense. The data of these VIPs is not in (more) danger due to
this new jailbreak appearing. It sounds like a cheap trick to make people buy
new phones.

~~~
gbuk2013
"checkm8 doesn't allow law enforcement to decrypt the phone, but it does allow
them to rootkit it with 30 seconds of unattended access. Once it's unlocked by
the user they'd get everything they need."

That sounds like something more than a little worrying to the listed groups of
people, no?

~~~
yjftsjthsd-h
So if the phone is out of your sight, reboot. And now you're clean again.

------
rodgerd
This will delight the one person in ten thousand who wants to jailbreak their
own phone, and the border police in Australia (mandatory scans of phone
required on demand), or China, or stalkerware retailers, or repair shops who
like to rat around on customers' phones.

Guess which will be the more common use?

~~~
heavyset_go
You can already assume that states are sitting on exploits that they've found
or bought, and that they can compel companies to provide some form of access
via NSLs or secret courts.

~~~
randyrand
Only more advanced states.

~~~
heavyset_go
Nah, anyone with a pile of money can buy exploits and hire professionals to
discover them.

Kingdoms in the desert have had access to root certificates for almost a
decade now.

------
anfilt
If anything, this should be a boon to users. It allows them to fully use the
devices they own. Honestly, it is inexcusable that Apple makes users have to
hack their own devices. You should have the option, similar to enabling or
disabling secure boot on your PC.

------
ryeights
Are there potential disadvantages involved with "demotion" to enable JTAG?
From what I understand the process is permanent (eFUSE?), but it seems like a
fun thing to play around with.

~~~
ronsor
Jailbreaking is software based and doesn't actually void your warranty.
Demotion will.

------
dusted
Oh, here's a biz idea: build an exploit into the device, then when you've got
something better/stronger/faster to sell, you leak the exploit and let the
press urge people to buy your latest.

------
nallerooth
As I see it, the effect of this is twofold. While it's bad for (at least some
of) the iDevice users who carry sensitive data, it might also be just the
thing that makes those users buy a new device. I guess that would be a "good"
security issue in Apple's book.

And no, I'm not implying that Apple has designed this security flaw in order
to sell more devices.

