Meet unc0ver, the new jailbreak that pops shell—and much more—on any iPhone
Tool released over the weekend makes it a snap to remove restrictions built into iOS.
by Dan GoodinHackers have released a new jailbreak that any user can employ to gain root access on any iPhone, regardless of the hardware as long as it runs iOS 11 or later.
Dubbed unc0ver, the exploit works only when someone has physical access to an unlocked device and connects it to a computer. Those requirements mean that the jailbreak is unlikely to be used in most malicious scenarios, such as through malware that surreptitiously gains unfettered system rights to an iPhone or iPad. The inability for unc0ver to survive a reboot also makes it less likely it will be used in hostile situations.
Rather, unc0ver is more of a tool that allows users to break locks Apple developers put in place to limit key capabilities such as what apps can be installed, the monitoring of OS functions, and various other tweaks that are standard on most other OSes. The jailbreak, for instance, allows users to gain a UNIX shell that has root privileges to the iPhone. From there, users can use UNIX commands to do whatever they’d like.
“That’s the strongest appeal to me from a developer and researcher perspective,” said Will Strafach, a jailbreaking expert and the founder of the company that develops the Guardian Firewall and VPN for iOS. “Others will have different answers as well I am sure, such as theming and use of disallowed apps like Terminal/emulators/etc.”
There are several ways to run the jailbreak. One of the easiest is to install AltStore on a Mac or PC (the Windows version is still in beta). The app offers an alternative to the Apple-sanctioned App Store. From there, users follow a series of steps to use AltStore to download, sign, and—after connecting to the device with a Lightning cable—cause the device to run the unc0ver binary file. Other methods involve installing the jailbreak using the iOS development environment Xcode or by making use of Cydia Impactor, a GUI for working with mobile devices. Unc0ver developers provide step-by-step instructions for all methods here.
The release of unc0ver comes eight months after the debut of Checkm8, a jailbreak that exploits an unpatchable flaw in the iOS bootloader. Checkm8 also requires users to have physical access to an unlocked phone. The jailbreak works only on 12 generations of iPhones, from the 4S to the X, but because it targets the physical bootloader the exploit will work in perpetuity on those devices.
Unc0ver, by contrast, works on any device running any version of iOS released since September 2017 or later. The flaw the new jailbreak exploits is located in the OS kernel. That means that unc0ver is less capable then Checkm8 is of disabling or bypassing certain iOS restrictions and security mechanisms. For example: the unc0ver provides no access to JTAG, an interface for debugging and emulating processors.
Like most jailbreaks, the biggest risk from unc0ver is that less experienced users will use their unfettered access to disable important settings or do other unwise things. There’s also the possibility of data loss. The team that discovered the zero-day iOS vulnerability and the code that exploits it is also known as unc0ver. The group has an established track record of developing well-functioning apps. Among the assurances members made in this weekend's announcement are:
- No Extra security vulnerabilities
- No hit to stability or battery life
- Compatible with iCloud, iMessage, FaceTime, Apple Pay, and most other Apple services
- Allows installation of future iOS updates (though presumably not one that breaks unc0ver)
Apple will inevitably patch the vulnerability relatively quickly. People who want to try out unc0ver have a limited amount of time to act.