A new jailbreak add-on, aptly named Antid0te, is being developed by Stefan Esser, an independent security consultant. It is designed to give jailbroken devices an exploit mitigation that the factory firmware lacks: ASLR (address space layout randomization), which makes exploiting the OS much more difficult. At the Pwn2Own competition earlier this year, the iPhone was compromised in about 20 seconds, handing the user’s SMS messages to the attacker. Some holes, like the one used by the new Jailbreakme, were even patched by members of the community long before Apple released an update. Esser argues that patching individual bugs is not enough, because a jailbreak itself strips away much of the protection that makes such bugs hard to exploit. His own description of the session reads:
This year has brought bad news for the security of the iPhone. First it was demonstrated during the PWN2OWN contest that ROP payloads can steal information like the SMS database from factory iPhones, and later this year jailbreakme.com combined multiple exploits for vulnerabilities in MobileSafari, the iOS kernel and the userland to jailbreak the device remotely. And for jailbroken devices the situation is even worse, because the jailbreak weakens the otherwise strong security features of the iPhone so that remote exploits are far easier to accomplish.
However, it is time to remember that the whole purpose of a jailbreak is to free the device from Apple and to allow users to do whatever they want with their device. The fact that current jailbreaks destroy the security is just because jailbreakers did not bother to find a better solution. This changes now.
In this session the differences in exploiting jailbroken and factory iPhones will be highlighted, and it will be explained step by step how a new tool was developed that adds ASLR (address space layout randomization) to jailbroken iPhones. With ASLR an exploit mitigation is added that is not available in factory iPhones and makes exploitation more difficult. And this is only the first step; more mitigations and a full reactivation of the codesigning protection are planned for the next months.
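To make concrete why a randomized load address hurts the kind of ROP payload mentioned above, here is a toy model in C. It is an added illustration, not code from Esser's talk or from Antid0te, and every constant in it (the link-time base, the module size, the gadget offsets and the 8-bit page-granular slide) is invented for the example. A pre-ASLR exploit hardcodes gadget addresses against the address the binary was linked at; once a loader slides the module, those addresses no longer land on the intended instructions, and the attacker first needs an information leak to learn the real base and rebase the chain.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Antid0te's code: a toy model of a module that is
 * either loaded at its link-time base (no ASLR) or slid by a random,
 * page-aligned amount (ASLR). All constants below are hypothetical. */

#define PREFERRED_BASE 0x30000000u  /* hypothetical link-time base of the module */
#define MODULE_SIZE    0x00100000u  /* hypothetical 1 MiB image */
#define PAGE_SHIFT     12           /* slides are applied at page granularity */
#define SLIDE_BITS     8            /* hypothetical: 8 bits of slide entropy */
#define NGADGETS       3

/* Gadget positions relative to the module base, as an attacker would read
 * them out of the binary with a disassembler (hypothetical offsets). */
static const uint32_t gadget_offsets[NGADGETS] = { 0x00001234u, 0x00005678u, 0x00009abcu };

/* Simulated loader: derive a page-aligned slide from SLIDE_BITS random bits.
 * With ASLR disabled the slide is 0 and the module sits at PREFERRED_BASE. */
uint32_t choose_slide(uint32_t random_bits, int aslr_enabled)
{
    if (!aslr_enabled)
        return 0;
    uint32_t mask = (1u << SLIDE_BITS) - 1u;
    return (random_bits & mask) << PAGE_SHIFT;
}

/* Pre-ASLR exploit: absolute addresses hardcoded against the link-time base. */
void build_static_chain(uint32_t chain[NGADGETS])
{
    for (int i = 0; i < NGADGETS; i++)
        chain[i] = PREFERRED_BASE + gadget_offsets[i];
}

/* Post-ASLR exploit: the attacker first needs an information leak that
 * reveals where the module actually landed, then rebases every gadget. */
void build_rebased_chain(uint32_t chain[NGADGETS], uint32_t leaked_base)
{
    for (int i = 0; i < NGADGETS; i++)
        chain[i] = leaked_base + gadget_offsets[i];
}

/* Count chain entries that land on the gadget they were meant to reach,
 * given where the module really is. Anything else executes the wrong bytes
 * (or unmapped memory), so the payload crashes instead of stealing data. */
int count_correct_gadgets(const uint32_t chain[NGADGETS], uint32_t actual_base)
{
    int ok = 0;
    for (int i = 0; i < NGADGETS; i++)
        if (chain[i] == actual_base + gadget_offsets[i])
            ok++;
    return ok;
}

/* Number of distinct bases the slide can produce: a blind exploit that
 * guesses the base succeeds with probability 1/this per attempt. */
uint32_t possible_bases(void)
{
    return 1u << SLIDE_BITS;
}

int main(void)
{
    uint32_t chain[NGADGETS];
    uint32_t rnd = 0x5aa5u;  /* stands in for the loader's random source */

    /* Factory layout in the scenario the abstract describes: no slide. */
    uint32_t base_off = PREFERRED_BASE + choose_slide(rnd, 0);
    build_static_chain(chain);
    printf("ASLR off, static chain:  %d/%d gadgets hit\n",
           count_correct_gadgets(chain, base_off), NGADGETS);

    /* Randomized layout: the same hardcoded chain misses every gadget. */
    uint32_t base_on = PREFERRED_BASE + choose_slide(rnd, 1);
    printf("ASLR on,  static chain:  %d/%d gadgets hit\n",
           count_correct_gadgets(chain, base_on), NGADGETS);

    /* Only after leaking the real base can the chain be rebuilt. */
    build_rebased_chain(chain, base_on);
    printf("ASLR on,  rebased chain: %d/%d gadgets hit\n",
           count_correct_gadgets(chain, base_on), NGADGETS);
    printf("blind guess succeeds 1 in %u attempts\n", possible_bases());
    return 0;
}
```

The model also shows the weak spot of partial randomization: if any one module stays at its link-time address, gadgets taken from that module work without a leak, so a mitigation of this kind is only as strong as the least-randomized image in the process.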
Antid0te will be available as a plugin for existing jailbreaks. If Esser starts a trend of hardening devices at the time of jailbreak, it may be integrated into current and future tools, potentially leaving jailbroken devices with mitigations that their “Walled Garden” counterparts do not have.