Jailbreak iPhone, iPod Touch, iPad

There is a big a security hole in iPhone iOS. The device is insecure in a big and obvious way. You should be extremely careful of what sites you visit.

The FlateDecode vulnerability can be used when a PDF File is embedded within a Web page. Basically Safari tries to parse the PDF. And when it does it executes some code. Hackers can use this exploit to read and write iPhone data, get your contacts, sms, even delete something. So they can get all kinds to access your personal information stored on your iOS device.

Apple will fix it some day. Until then you need to take care of your iPhone security. There is a fix for that. It is available via Cydia for jailbroken devices. So you need to jailbreak in order to secure (funny isn’t it?).

Will Strafach has released the fix as a Cydia-based package called “PDF Loading Warner.” Simply download and install the package. Every time Mobile Safari attempts to download and parse a PDF you will get the following message:

Now you can control, where to accept PDF (as not all of them are made by hackers) and where to select cancel.

Recently Vupen, which is a French security firm, posted an advisory that contained information about two critical security vulnerabilities in Apple’s iOS. After a while hacker comex used these flaws to create a jailbreak, which is now widely known and available on JailbreakMe.com.

But according to Reuters, yesterday Apple decided to react and its spokeswoman Natalie Harrison revealed that the company is currently investigating Vupen’s advisory. So it looks like these exploits are going to be fixed soon!

Starting today every owner of iPad, iPhone or iPod can easily jailbreak his device via browser on http://jailbreakme.com/

The site was created in a week after decision of the Library of Congress (that operates the Copyright Office), which states that jailbreaking isn’t illegal, though Apple claims it actually represents a threat to the stability and security of the company’s devices. Apple also says that jailbreaking voids the warranty, but such an action can be easily undone by resetting a device to the default factory settings.

Site JailbreakMe.com easily became a trending topic in Twitter after its announcement on RedmondPie.com. The jailbreak itself was created by hacker comex, and the website was done by chpwn and westbaer.

Recently MuscleNerd, the member of DevTeam, reported the presence of an interesting security bug in Safari for the iPhone. It will probably allow a quick remote jailbreak of iPhone or iPod Touch simply by connecting the device to an external website created for this purpose.

The bug was discovered by two hackers Ralph Phillip and Vincenzo Iozzo, who won the prize of $15 000 during CanSecWest. Their initial idea was to use a web portal to do the exploit of the SMS database and retrieve it’s content.

It looks like Apple has started banning iPhone hackers from the iTunes App Store.

A few day ago Sherif Hashim, the iPhone developer and hacker, tweeted that he had found an exploit in the latest iPhone OS 3.1.3, which could enable the unlock on 05.12.01 baseband for iPhone 3GS and iPhone 3G. Yesterday he has been banned by Apple for the so called “security reasons”. It seems that Apple is quite angry! Here is what Sherif gets when he tries to access App Store from his iPhone:

Sherif Hashim’s Tweets:

“Your Apple ID was banned for security reasons”, that’s what i get when i try to go to the app store, they must be really angry ))))

and guess what my apple ID was, “sherif_hashim@yahoo.com”, what a fool was me not to notice )), can’t help laughing, they are babies ))

Another iPhone hacker named iH8sn0w, the developer of Sn0wbreeze (PwnageTool alternative for Windows), tweeted saying he was also banned by Apple right after he released an exploit known as XEMN:

@sherif_hashim lol, they did that to my ih8sn0wyday[@t]googmail.com too. (right after I posted XEMN)…

For now Apple isn’t banning Jailbreakers – they’re banning people who actively work to find exploits in the iPhone software to create Jailbreaks for the rest of us.

Apple has just released new firmware 3.1.3 (7E18) for iPhone 3GS, iPhone 3G, iPhone 2G, iPod touch, iPod touch 2G and iPod touch 3G.

The update includes:

• Improves accuracy of reported battery level on iPhone 3GS
• Resolves issue where third-party apps would not launch in some instances
• Fixes bug that may cause an app to crash when using the Japanese Kana keyboard
• Other security updates (more info)

So this is a minor update, which fixing only the accuracy of the 3GS battery meter and the stability of some third-party app launches. This update is avaliable via iTunes.

New firmware 3.1.3 also introduces a new version of the baseband, the 05.12.01. So if you need unlock do not update! DevTeam also warns us:

If you care about your jailbreak and unlock, don’t update your device – 3G and 3G(S) owners should pay particular attention to this warning.
PwnageTool and redsn0w are not yet compatible with 3.1.3

Experimenters show that the latest version of redsn0w 0.9.2 is able to jailbreak iPhone 2G, iPhone 3G and iPod touch 1G. Just point it at the 3.1.2 IPSW (download here) after doing update or restore to firmware 3.1.3. Sounds like DevTeam will release an updated version of redsn0w that will handle firmware 3.1.3 officially. They say iPod touch 2G with firmware 3.1.3 is also jailbreakable.

Users report that unlock software, blacksn0w and ultrasn0w, doesn;t work with the new baseband.

A second iPhone worm virus has been found by security company F-Secure. It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING.

It redirects the bank’s customers to a site with a log-in screen (phishing). The worm attacks “jailbroken” phones – a modification which enables the user to run non-Apple approved software on their handset. Only handsets with installed SSH (secure shell) are at risk. SSH is a file-transfer program that enables users to remotely connect to their phones. It comes with a default password, ‘alpine’ which should be changed.

Here is a tutorial how to change the default SSH password and minimize the risk.

The iPhone 2.1 is out. It contains the following updates as listed by Apple:

- decrease in call set-up failures andcall drops
- significantly improve battery life for most users
- dramatically reduced time to backup to iTunes
- improve email reliability, notable fetching email from POP and Exchange accounts
- faster installation of 3rd party applications
- fixed bugs causing hangs and crashes if you have lots of 3rd party applications
- improved performance of text messaging
- faster loading and searching of contacts
- improved accuracy of the 3G signal strength display
- repeat alert up to two additional times for incoming text messages
- option to wipe data after ten failed passcode attempts
- Genius playlist creation

The 2.1 firmware is build 5F136 (weighing in at 237.8MB) and can be directly downloaded through iTunes. The new firmware also contains a number of security fixes including the well publicized passcode flaw.

Jailbreak for 2.1 is not avaliable yet.