There’s a lot going on in the jailbreak community right now. Not only is the checkra1n team actively working to jailbreak iOS & iPadOS 14 on many more devices, but hacker and security researcher @08Tc3wBB may also soon share details about an exploit viable for jailbreaking iOS & iPadOS 13.7 (the last versions of Apple’s previous-generation mobile operating systems).
If you find yourself more interested in the latter tidbit, which is likely the case if you stayed on the lowest possible firmware after iOS & iPadOS 14 got released, then you might be ecstatic to learn that @08Tc3wBB will present his latest research with security group ZecOps at the Black Hat Europe 2020 event.
Only vague details about the scheduled presentation are available on the Black Hat Europe 2020 website. There, we learn that the event will be entirely virtual and will run from Monday, December 7th to Thursday, December 10th, and that the presentation is expected to last approximately 40 minutes. Here are the official notes regarding the presentation:
Jailbreaking refers to obtaining the kernel privilege of iOS by means of the development of vulnerabilities. Usually, at least one kernel vulnerability is used. By overwriting a sensitive data structure in the kernel, the jailbreaker could run unauthorized code on the device without restrictions. It could then be used for performing code injection and data interception upon any process on the device. Thus, sometimes, a jailbreaker may not be the owner of the device, but an intruder who wants to steal or manipulate information, and that includes spreading misinformation.
This talk will cover in detail how a series of iOS vulnerabilities are exploited to achieve a jailbreak on iOS 13.7. I’ll be talking about their root cause and the techniques used during the exploit development to bypass the mitigations that are unique to iOS, ultimately getting the privilege of reading and writing kernel memory, and demonstrate the potential malicious impact of the attack. The rest of my talk will be related to how these vulnerabilities were discovered, and tips for reverse engineering. As an independent researcher, I hope to give some inspiration to the audience.
From what we can gather, the talk should divulge fundamental information about the vulnerabilities used to jailbreak iOS 13.7. Not only will it cover using these vulnerabilities for jailbreaking, but it will also discuss how they could be used with malicious intent. @08Tc3wBB will also go into detail about how the vulnerabilities were found, and hopes to spark enough interest to get more people involved in security research.
We know from previous comments made by @08Tc3wBB that the exploit will be shared with unc0ver lead developer Pwn20wnd after it is patched by Apple. Moreover, a full writeup about the exploit will be published on the ZecOps website later on, which should open the door for other jailbreak developers to get their hands dirty with it (perhaps the Odyssey Team?).
To be perfectly clear, this is a tfp0 exploit, which Apple can patch with a software update. This contrasts with the hardware-based checkm8 bootrom exploit, which Apple can’t patch with a software update. A tfp0 (task_for_pid(0)) exploit essentially yields the kernel task port, which permits writing to kernel memory, and as such, it’s easy to see why this makes jailbreaking possible.
Although Black Hat Europe 2020 is still two months away, it’s nice to have something to look forward to. Not only is it exciting to think that another exploit could boost the jailbreak community at some point in the near future, but it’s also amazing to see and learn from the very security researchers who manage to pull these things off year after year. For that reason, this is something you won’t want to miss.
Are you excited that @08Tc3wBB and ZecOps will soon present their findings? Share your thoughts in the comments section below.