'Chaos' iPhone X Attack Alleges Remote Jailbreak

A Chinese security researcher has published what he claims is a proof-of-concept exploit that would allow a remote attacker to jailbreak an iPhoneX, unbeknownst to the user – allowing them to gain access to a victim’s data, processing power and more.

Qixun Zhao of Qihoo 360 built the exploit, which he calls “Chaos,” around previously disclosed critical vulnerabilities in the Apple Safari web browser and iOS, which Apple patched this week with iOS version 12.1.3.

Phones running iOS 12.1.2 and earlier versions are still vulnerable to Chaos, which employs two security vulnerabilities that were first demonstrated at TianfuCup hacking contest last November: A memory corruption flaw in Apple’s Safari WebKit (CVE-2019-6227); and a use-after-free memory corruption issue in the iOS kernel (CVE-2019-6225).

The first vulnerability would allow a malefactor to create a malicious web page using the Safari browser, containing scripts for executing arbitrary code on a targeted device. Once that code is executed, an attacker can use the second flaw to gain elevated privileges and stealthily install a malicious application of his or her choice.

That application can be any kind of malware, built for eavesdropping or other espionage, ad fraud, premium SMS fraud, cryptomining or a raft of other nefarious activities, the researcher said.

The attack does of course have a social-engineering aspect; victims would need to be enticed to visit the malicious webpage via Safari on their iPhone Xs.

While the researcher published a PoC video, he has opted not to publish the jailbreak code itself, given the potentially large attack surface.

“I will not release the exploit code, if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release,” he said in a technical write-up of the exploit on Wednesday. “At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community.”

Interestingly, the news comes shortly after exploit acquisition vendor Zerodium said that it is upping its payouts for full, working exploits across its entire program. Apple attacks fetch the highest price: It’s now paying $2 million for remote iOS jailbreaks.

Threatpost has reached out to Apple and will update this story with any comment.