For the first time in years, hackers have created a working exploit that can jailbreak the latest, fully-updated version of iOS.
And a goof by Apple has allowed them do it.
The result? Millions of Apple iPhone and iPad users who thought they were doing the right thing by updating their devices to iOS 12.4 are at an increased risk of being successfully attacked by hackers through the vulnerability.
Normally iPhones and iPads running the latest version of iOS are locked down, preventing users from installing code that has not been scrutinised by Apple’s security team and reducing the chances of malware infiltrating devices.
But a jailbroken iPhone or iPad opens doors for unauthorised and pirated iOS apps to be installed, which may be boobytrapped to spy upon your communications or even – potentially – hold your data to ransom.
Normally the source code for a jailbreak exploit is not made publicly available before Apple has pushed out a security update to prevent it from working.
In this case, however, things have definitely not gone to plan.
The story starts in March, when researcher Ned Williamson uncovered a security hole in iOS. However, he didn’t make details of the vulnerability public until after Apple had issued a patch – in the form of iOS 12.2 – in May.
That, most of us would have thought, would have been the end of the matter. However, somehow Apple managed to undo its patch when it released iOS 12.4 in late July.
iOS 12.4, if you recall, was an important security update for Apple’s mobile operating system because it fixed a critical vulnerability that could allow a remote attacker to attack an iPhone just by sending a maliciously-crafted iMessage.
Now we learn that although Apple successfully closed one critical security hole in iOS 12.4, it unwittingly reopened an old one.
A security researcher by the name of Pwn20wnd has publicly released a jailbreak that exploits the bug that came back from the dead.
An obvious fear is that organised criminal gangs and state-sponsored hackers might attempt to exploit the vulnerability to launch attacks, steal data, and spy on persons of interest.
Pwn20wnd told Motherboard that “it is very likely that someone is already exploiting this bug for bad purposes.”
No doubt Apple is working feverishly to fix the vulnerability once and for all and investigate how it could have made the mistake of reopening an on old security hole that everyone thought had already been patched.
When Apple does release an update to iOS, make sure to install it as soon as possible – and let’s hope they don’t break anything else in the process.