Everything has Changed in iOS 14, but Jailbreak is Eternal

Presented at Black Hat USA 2021, Aug. 5, 2021, 1:30 p.m. (40 minutes)

iOS 14.0 was released on Sep 16, 2020, but the first real 14.x jailbreak did not appear for more than 5 months. In the past, every time Apple released a security update, new vulnerabilities would soon follow, and almost every version was exploited quickly. Why is iOS 14 so hard to pwn?

Apple has introduced many new exploit mitigations in iOS 14, such as kernel heap isolation, data PAC, userspace PAC hardening, and tfp0 hardening. These mitigations, acting at the exploitation stage or the post-exploitation stage, render many vulnerabilities unexploitable. So, everything has changed in iOS 14. Maybe it is the most secure kernel ever. Now only high-quality vulnerabilities can survive, e.g., CVE-2021-1782, the first publicly known exploitable iOS 14 vulnerability.

Then I published the first stable kernel r/w primitives based on ModernPwner's cicuta_virosa, and achieved SSH with a full root shell on iOS 14. (I had achieved this with my own not-yet-fixed 0-day before.) In this talk, I will share how I achieved a "jailbreak" and detail the techniques I used to bypass Apple's new mitigations. I hope my findings can be of some help to security researchers.

Presenters:

  • Zuozhi Fan - Security Researcher, Ant Group
    Zuozhi Fan (@pattern_F_) is a security researcher from Tianqiong Lab, Ant Group. He mainly focuses on macOS/iOS security.
