i0n1c’s Jailbreak Hardware and iOS Kernel Exploitation Paper Revealed
Stefan Esser, aka @i0n1c became famous worldwide with his contribution to the untethered iOS 4.3.1 jailbreak. Stefan took the time to exploit iOS, and passed on his findings to the iPhone Dev Team to implement it into their existing jailbreak tools.
Now, @i0n1c has revealed his jailbreak hardware used exploit iOS in his detailed paper titled, iOS Kernel Exploitation. This was a presentation he gave at the recent 2011 Blackhat Security Conference, that took place from July 30 – August 4th in Las Vegas. Here is his briefing description:
The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled “Targeting the iOS Kernel” already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.
This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.
Furthermore the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows to selectively de-activate some of these kernel patches for more realistic exploit tests.
Within his presentation Stefan shared the hardware he used to exploit iOS, consisting of a resistor, two mini USB-B to USB-A cables, a breakout board (USB to Serial), and PodGizmo connector. Check it out below:
If you want the technical details, you read the entire 97 page PDF paper here. It’s detailed, and is above what I can comprehend and understand. All I know is this is some impressive work done by Esser.