UPDATED: Apple iOS JailBreakMe flaw raises ‘security concerns’

iPhone 4

Security researchers have warned hackers could exploit a vulnerability in the Apple iOS to steal data from iPhones, iPads and iPods.

The flaw has been exploited by the JailBreakMe website to allow users to upload software not approved by Apple onto their devices.

The Cupertino firm has not yet patched the zero day vulnerability, meaning users could potentially have malware downloaded on their Apple phones or tablets, security experts said.

Hacker group Dev-Team released the new jailbreak service this week, allowing users to hack their devices solely by following steps online through the mobile Safari browser.

Security researchers have warned the techniques used by Dev-Team could be modified by hackers to compromise Apple devices for malicious means.

Graham Cluley, senior technology consultant at Sophos, said the processes used by JailBreakMe raised some "important security concerns."

"If visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," Cluley said in a blog post.

"If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could - if visited by an unsuspecting iPhone, iPod Touch or iPad owner - run code on visiting devices."

He suggested the JailBreakMe team could have just given hackers a blueprint on how to infect iPads and iPhones.

However, JailBreakMe has not revealed how to actually exploit the vulnerability, meaning it hasn't truly gone public.

The JailBreakMe creators, known as comex, claimed on their website the vulnerabilities they used would eventually make iOS more secure.

"I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable," one of the developers said.

"Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."

Nevertheless, as reported by the Guardian, the German federal office for information security has deemed the situation serious enough to put out a warning on the "critical weaknesses."

Affected devices include the iPhone 3GS, iPhone 4, iPad, iPad 2 and the iPod Touch running iOS up to version 4.3.3, the German body said on its website. The soon-to-be-released iOS 5 could be affected too, once it is released in the Autumn.

Apple was forced to fix some flaws last year after the JailBreakMe crew used a number of security flaws to allow people to use non-approved apps.

UPDATE: Apple has confirmed it is working on a fix for the vulnerability.

"Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," a spokesperson said.

The JailBreakMe developers have written their own patch, which is available now, but it will only work for those who have jailbroken their device.

"Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune; due to the nature of iOS, this patch can only be installed on a jailbroken device," comex said.

"Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.