V. R. PANDYA ET AL.
Copyright © 2010 SciRes. JIS
able to choose whatever wireless service they prefer and
should not be forced to use a particular one.
There was another reason that some iPhone users became irritated. Apple designed the iPhone as a closed system that does not allow installation of third-party applications. Users can only access a very small subset of the file system, a “sandbox” where they can add and remove music and other files via iTunes. Users who wanted to install third-party applications such as widgets and games were unable to do so.
These two limitations placed on iPhone users prompted a series of hack and attack efforts by iPhone enthusiasts and hackers. “Jailbreak” is an iPhone hack that permits the addition of third-party applications or gadgets on the iPhone by permitting read/write access to the root file system. Without “jailbreaking” an iPhone, a customer is limited to the factory-installed tools included with it. “Unlock” is an attack on the iPhone that allows it to be used with any wireless service offering the GSM standard, not just AT&T. Without “unlocking” an iPhone, one can only use AT&T’s wireless services. Perhaps surprisingly, jailbreaking is the more important of the two because it is the first step to unlocking. We look at a jailbreak attack in detail and also discuss different unlocking solutions.
The commercial success of the iPhone makes it a good candidate for security analysis. With close to a million iPhones jailbroken and unlocked within the first six months of its release, iPhone security has clearly had significant financial implications. In addition, with millions more users worldwide, any security holes in the iPhone can jeopardize the privacy of millions of people. We believe that these issues make the security analysis of the iPhone a worthwhile and important topic.
3. Jailbreaking
The process of gaining root access to the iPhone so that third-party tools can be installed is called jailbreaking [5]. Without gaining read-write access to the root file system, one cannot install third-party applications. Note that this limitation prevents users from doing what they want to do with their iPhones—products that they own. This is somewhat analogous to buying a computer and not being allowed to install new programs on it. There are several websites (see, for example, [6]) that provide interesting gadgets and games for the iPhone. Some of the most popular games are iSolitaire, iZoo, Tetris, iPhysics, and NOIZ2SA. Beyond providing access to such applications, jailbreaking is essential for another reason: it is the first step in unlocking.
Without jailbreaking, one cannot install the application needed to use a wireless service other than AT&T. Close to a million new iPhones were not activated with AT&T in the first six months after its release [1]. Without jailbreaking, these iPhone owners would not be able to use the phone part of the iPhone unless they signed a contract with AT&T after switching from their existing GSM wireless service provider. Even for AT&T customers, jailbreaking is still necessary to enable the addition of third-party applications to the iPhone.
3.1. Looking for Ideas
Immediately after its release, iPhone enthusiasts and hackers all around the world were looking for a way to gain root access. A feasible solution has to be reasonably easy to use and should not take several hours to complete. Hackers investigated various techniques for meeting these requirements. They evaluated existing hacks for other phones and devices and searched for similar vulnerabilities in the iPhone [7,8].
An earlier hacker success was the use of buffer overflow techniques on the Sony PSP. By exploiting a vulnerability in the Tag Image File Format (TIFF) library, libtiff, used for viewing TIFFs, hackers were able to make the PSP run homebrew games, which was otherwise prohibited [9].
Hackers inspected Apple’s MobileSafari web browser to see if it could be targeted through the same vulnerability. It turned out that in firmware version 1.1.1 of the iPhone, MobileSafari uses a vulnerable version of libtiff [10,11]. The exploitable vulnerability in libtiff is documented as entry CVE-2006-3459 in Common Vulnerabilities and Exposures, a database tracking information security vulnerabilities and exposures [10]. This vulnerability is also documented and tracked in the U.S. National Vulnerability Database [12]. A malicious TIFF file can be created to include the desired rogue code. When a vulnerable version of MobileSafari attempts to view the malicious TIFF file, the vulnerability in libtiff is exploited to create a stack buffer overflow, and the malicious code is injected and executed.
3.2. Stack Buffer Overflow and Return-To-Libc Attacks
The attack we review, which exploits the libtiff vulnerability, uses a stack buffer overflow to inject code and the “return-to-libc” technique to execute it. To illustrate how a stack buffer overflow can be created and how a return-to-libc attack works, we first consider a generic example.
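To make concrete what an overflow of a 4-byte local buffer does to the rest of the frame, the following model is an added example (constructed for this edit; it is neither the paper's code nor taken from [13]). It lays out a local buffer followed by a stack-protector canary and the saved return address, and contrasts an unchecked copy, which clobbers first the canary and then the return address, with a length-checked copy that rejects oversize input. The layout, canary and return-address values are assumed for illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a frame laid out like the generic example's: a 4-byte
 * local buffer, then a stack-protector canary, then the saved return address.
 * Layout and constants are illustrative, not a real compiler's. */
#define LOCAL_LEN  4
#define OFF_CANARY LOCAL_LEN
#define OFF_RET    (LOCAL_LEN + 4)
#define FRAME_LEN  (OFF_RET + 4)

static void frame_init(uint8_t frame[FRAME_LEN]) {
    uint32_t canary = 0x0A0B0C0Du, ret = 0x08001234u; /* stand-ins, not real values */
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + OFF_CANARY, &canary, 4);
    memcpy(frame + OFF_RET, &ret, 4);
}

/* 0 if nothing beyond the local buffer changed, 1 if only the canary was
 * clobbered (what -fstack-protector aborts on), 2 if the return address too. */
static int frame_damage(const uint8_t frame[FRAME_LEN]) {
    uint8_t clean[FRAME_LEN];
    frame_init(clean);
    if (memcmp(frame + OFF_RET, clean + OFF_RET, 4) != 0) return 2;
    if (memcmp(frame + OFF_CANARY, clean + OFF_CANARY, 4) != 0) return 1;
    return 0;
}

/* Unchecked copy into the 4-byte buffer, as strcpy() behaves: strlen+1 bytes
 * are written regardless of the buffer size. The write is clamped to the model
 * so this stays defined behaviour; a real strcpy would run on past the frame. */
int unchecked_copy_damage(const char *s) {
    uint8_t frame[FRAME_LEN];
    size_t n = strlen(s) + 1;
    frame_init(frame);
    memcpy(frame, s, n > FRAME_LEN ? FRAME_LEN : n);
    return frame_damage(frame);
}

/* Hardened copy: the length is checked before any byte is written, so
 * oversize input is rejected and the frame cannot be corrupted. */
bool checked_copy(const char *s) {
    uint8_t frame[FRAME_LEN];
    size_t n = strlen(s) + 1;
    if (n > LOCAL_LEN) return false;   /* refuse instead of overflowing */
    frame_init(frame);
    memcpy(frame, s, n);
    return frame_damage(frame) == 0;
}
```

A three-character string plus its terminator fits exactly; the fourth character pushes the terminator into the canary, and eight characters reach the saved return address.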
Consider the piece of code below [13]:
void func (char *passedStr) {
    char localStr[4]; // Note that only 4 bytes allocated