Mathew Solnik and Marc Blanchou have made a video to prove that an iOS jailbreak is possible even over-the-air (OTA), using an internet connection rather than a physical connection to the Apple device. Over a GPRS connection the two were able to exploit Apple's operating system (iOS) to run unsigned code, thus jailbreaking the device.
The jailbreak procedure itself is quite lengthy, because the internet connection was poor, and it uses two payloads to gain administrator access to iOS. Until now, two free jailbreak solutions have been based on similar exploits, one launched by Steve Wozniak for the iPhone 2G and the second released by @comex for iOS 5.x.
Overcoming the Baseband
In the video Marc Blanchou and Mathew Solnik demonstrated an attack at Black Hat that uses the embedded over-the-air management interfaces, which wireless carriers rely on to deliver carrier-pushed configuration updates. They successfully gained root access to some Android phones as well as BlackBerry phones, plus the Sprint configuration of a few iOS devices. The HTC One M7 and the BlackBerry Z10 were the devices most vulnerable to the attack.
The attack takes advantage of the M2M interface which carriers use to remotely provision a phone at the time of purchase and to push out communication updates. The interface forms part of the phone's baseband configuration and is handled by the baseband processor, the system-on-chip which controls the connection to cellular networks. Because the baseband chip is able to access the memory and local storage used by the smartphone's operating system, compromising it provides root-level access.