A jailbreak tool for iOS 7.1 has been released, but be careful about using it on your iPhone or iPad. The tool, called Pangu, comes from a band of Chinese hackers who seem to have swiped software and a digital authentication certificate from other parties.
One security firm warns that the tool could also be used to infect iPhones with malware, adding that although Pangu is a "tethered" jailbreak that requires a USB connection to a computer, it could be modified to work independently.
The Pangu developers themselves warn users not to download the tool from any website other than their own, as third-party versions infected with Windows malware have already begun to appear.
Jailbreaking overrides iOS' built-in restrictions, letting users add features or software unauthorized by Apple. It also demolishes iOS' security protections, opening up a device to malware infection. iOS malware found outside research labs has affected only jailbroken devices.
Pangu seems to be the first working jailbreak for iOS 7.1, which was pushed out in mid-March; small tweaks in mid-April bumped the current version up to 7.1.1. The jailbreak will work on all devices capable of running either iOS version, including the iPhone 4 and later, the iPad 2 and later, and the current iPod Touch. (Another jailbreak tool, geeksn0w, works on an iPhone 4 running iOS 7.1.)
Pangu can be downloaded from the developers' Chinese-language website to a Mac or PC; English-language instructions were posted on Reddit soon after the tool appeared earlier this week.
Something borrowed, something possibly stolen
On the Pangu website, the tool's developers thank "i0n1c," the Twitter handle used by German security researcher Stefan Esser, who teaches iOS hacking seminars but asks students not to share his vulnerability exploits with the public.
"The Chinese criminals behind Pangu took several infoleaks from our iOS training and resold them to Chinese companies," Esser tweeted earlier today (June 26). "They directly link my code that I give to trainees in the jailbreak. Have fun trusting your iPhone to these lowlifes."
Using Esser's exploits without his permission may be immoral, but probably not illegal. That may not be the case with the enterprise-authentication certificate Pangu "borrows" in order to install itself on any iOS device.
Non-jailbroken iOS devices install only apps "signed" with a certificate of authentication granted by Apple, which normally means the app has passed Apple's review and been admitted to the iTunes Store.
Under certain circumstances, Apple distributes iOS certificates of authentication for third-party use. Registered iOS developers get iOS certificates to test software; businesses and other large organizations get them to install in-house apps on workplace iOS devices.
Each developer iOS certificate can be used to install software only 100 times, but each enterprise certificate is for unlimited use. (Apple has the power to revoke certificates.) According to a blog posting yesterday (June 25) by San Francisco-based firm Lacoon Mobile Security, Pangu appears to be using an enterprise certificate issued to a "Hefei Bo Fang Communication Technology Co., Ltd."
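The distinction above (a developer certificate tied to a short list of devices versus an enterprise certificate that installs on any device) is visible in the provisioning profile embedded in a signed app. The following added example, not code from the article or from Pangu, pulls the plist out of a profile and reports which kind of signing it grants and whether it has expired; the team names, device identifiers, dates and the bytes standing in for the CMS wrapper are constructed, and the signature is not verified.

```python
import plistlib
from datetime import datetime, timezone

# Constructed samples. A real .mobileprovision is a CMS (PKCS#7) signature
# wrapping an XML plist; the wrapper bytes here are stand-ins, only the plist is
# shaped like the real thing (keys such as ProvisionsAllDevices exist in Apple's
# profiles; the team, UDIDs and dates below are made up).
_CMS_HEAD = b"\x30\x82\x10\x00(constructed CMS wrapper)"
_CMS_TAIL = b"(constructed signature bytes)\x00"

SAMPLE_ENTERPRISE = _CMS_HEAD + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In-House Distribution</string>
  <key>TeamName</key><string>Example Telecom Co. (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2015-06-25T00:00:00Z</date>
</dict></plist>""" + _CMS_TAIL

SAMPLE_DEVELOPMENT = _CMS_HEAD + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Dev Profile</string>
  <key>TeamName</key><string>Example Dev (constructed)</string>
  <key>ProvisionedDevices</key><array>
    <string>0000000000000000000000000000000000000001</string>
    <string>0000000000000000000000000000000000000002</string>
  </array>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
</dict></plist>""" + _CMS_TAIL


def extract_plist(raw: bytes) -> dict:
    """Pull the XML plist out of the CMS envelope (signature is not verified)."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(raw: bytes) -> dict:
    """Report which kind of signing the profile grants and whether it has lapsed."""
    p = extract_plist(raw)
    devices = p.get("ProvisionedDevices", [])
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"       # any device, no device list: the unlimited case
    elif devices:
        kind = "development"      # limited to the listed device UDIDs
    else:
        kind = "distribution"     # App Store style profile, no device list
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # plistlib dates are naive UTC
    exp = p.get("ExpirationDate")
    return {"kind": kind, "team": p.get("TeamName", "?"),
            "device_count": len(devices), "expired": bool(exp and exp < now)}
```

An app that arrives with an enterprise profile from a team the user has no relationship with was never reviewed by Apple, which is the situation the Lacoon posting describes.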
The risks of unknown sources
"Pangu should concern us — the security community, enterprises and consumers alike," Lacoon's Ohad Bobrov wrote. "Pangu represents a major technology leap, ultimately lowering the barrier for attackers to create sophisticated mobile-targeted attacks."
Bobrov admitted that an "attacker" would need physical access to an iPhone to install Pangu, but added, perhaps hyperbolically, that "the fact that Pangu is bundled as an app is a first step in enabling attackers to develop a jailbroken tool that works remotely.
"In these remote scenarios, attackers can lure users to download an app within a phishing email or as a link to a site," Bobrov said. "A user falling for the scam will install that app without ever knowing that running the app has actually led to the jailbreaking of their device."
That's certainly possible, but it's worth noting that the last time an iPhone could be jailbroken simply by visiting a certain website, no malware took advantage of it.
More dangerous is the fact that users of Pangu need to download rather large executable files — i.e., applications — to their PCs or Macs in order to jailbreak their iPhones or iPads. That's a perfect way to infect not the iDevice, but the computer.
The Pangu developers themselves mentioned this threat on their Weibo (Chinese Twitter) account yesterday. They cited a warning from Chinese antivirus firm Qihoo 360 that Pangu downloads offered by third-party sites had been infected with nasty Windows malware, some of which wrote to a PC's master boot record or caused data loss.
Reddit users who examined the software downloaded directly from the Pangu site found no malware, but did advise users to uncheck the option for the PP app store, a Chinese repository of pirated apps for jailbroken iOS devices. (Update: A separate Reddit thread discusses and solves a Pangu issue with the light sensor on certain models of iPhone.)
Even if the Pangu developers themselves are benign, the lack of control regarding jailbreaks coming from little-known sources only lends credence to Esser's bitter rejoinder to his Twitter followers earlier today.
"I wish every one of my followers who installed Pangu much fun with malware from China :P," he wrote.