There’s been a lot of pent-up anticipation for the iOS 9.3.3 jailbreak, and Pangu, the Chinese security researchers behind the latest tool, have answered the call.
Unfortunately, it appears that some jailbreakers have had various accounts compromised after jailbreaking, and several users on the popular subreddit r/jailbreak have corroborated these claims.
To be fair, it’s possible that these reported breaches are just a big coincidence, or that a compromise occurred after the tool left Pangu’s hands for distribution. Whatever the reason, however, it highlights one of the potential risks involved with jailbreaking.
The initial tool was released in Chinese and hosted by Chinese company 25PP. The jailbreak was distributed via 25PP’s “PPHelper” tool, although some users were able to directly install the jailbreak without using the helper tool.
From what we can gather thus far, the common thread between most of the jailbreakers who had accounts compromised was that they used the PPHelper tool. It’s entirely possible that this tool, which is installed on Windows machines, contained the malicious code responsible for the unauthorized access.
Multiple users are reporting unauthorized access to one or more of the following:
- Credit and Debit accounts
Most of the fraudulent access is reported as coming from IP addresses geolocated to Taiwan, Vietnam, Beijing and other locations in China. Some of these could be proxy or VPN exit points rather than the attacker’s real location, so the geolocation on its own says little about who is behind the access.
There could, of course, be additional compromises, but these are the ones that seem to be the most common according to the thread on the r/jailbreak subreddit.
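The first thing to do with the accounts listed above is pull their sign-in activity and look for exactly this pattern: successful logins from countries you have never been to, and pairs of logins too close together in time for one person to have travelled between them. The script below is an added example, not code from the article, Pangu or 25PP; its records are constructed to resemble the reports in the thread (a U.S. user, then logins from Taiwan and Vietnam), and the country field is whatever the service geolocated the source IP to, which a proxy makes unreliable, so every finding is a prompt to review rather than proof of fraud.

```python
"""Audit exported sign-in activity for the compromise pattern reported here.

Added example, not code from the article, Pangu or 25PP. The records below are
constructed; in practice they would come from a service's login-activity
export (PayPal, Facebook and the like). Country and coordinates are what the
service geolocated the source IP to, and a proxy or VPN can make that
misleading, so a finding is a prompt to review, not proof of fraud.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample records:
# (timestamp UTC, service, source IP, country, latitude, longitude, result)
SAMPLE_LOGINS = [
    ("2016-07-24T09:12:00Z", "paypal",   "203.0.113.7",   "US", 40.71, -74.01, "success"),
    ("2016-07-24T09:40:00Z", "paypal",   "198.51.100.22", "TW", 25.03, 121.56, "success"),
    ("2016-07-24T11:05:00Z", "facebook", "192.0.2.44",    "VN", 21.03, 105.85, "failed"),
    ("2016-07-24T11:06:00Z", "facebook", "192.0.2.44",    "VN", 21.03, 105.85, "success"),
    ("2016-07-25T08:00:00Z", "paypal",   "203.0.113.7",   "US", 40.71, -74.01, "success"),
]


def parse_ts(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def audit(logins, home_country: str, max_speed_kmh: float = 900.0) -> list:
    """Flag sign-ins worth a second look.

    foreign-login      successful login from outside the owner's home country
    foreign-attempt    failed login from outside the home country
    impossible-travel  two successive successful logins on the same service that
                       would require travelling faster than max_speed_kmh
    """
    findings = []
    last_success = {}  # service -> most recent successful record
    for rec in sorted(logins, key=lambda r: parse_ts(r[0])):
        ts, service, _ip, country, lat, lon, result = rec
        if result != "success":
            if country != home_country:
                findings.append({"kind": "foreign-attempt", "record": rec})
            continue
        if country != home_country:
            findings.append({"kind": "foreign-login", "record": rec})
        prev = last_success.get(service)
        if prev is not None:
            hours = (parse_ts(ts) - parse_ts(prev[0])).total_seconds() / 3600.0
            km = haversine_km(prev[4], prev[5], lat, lon)
            # Same place at the same time is fine; a large jump in little or no time is not.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                findings.append({"kind": "impossible-travel", "record": rec, "previous": prev})
        last_success[service] = rec
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGINS, home_country="US"):
        print(finding["kind"], finding["record"][:4])
```

The 900 km/h threshold is roughly airliner speed; the New York to Taipei hop in the sample is about 12,500 km in 28 minutes, so it trips the check, while the return to a U.S. address the next morning does not. Feed the real export in the same tuple shape and the thresholds can stay as they are.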
Saurik, Cydia’s creator, chimed in with his thoughts on the matter. He states that he trusts Pangu, the team of hackers responsible for the actual jailbreak tool, but has doubts about potential breaches that could have occurred after the tool left Pangu’s hands for distribution.
I don’t particularly like the concept of installing the 25PP tool, as Chinese companies tend to have software that is pretty intrusive and even “combative” against competitors’ software, and in general I am concerned about the way people do signature stuff, which is why I worked so hard to make Impactor be able to do all the signing and communication locally.
Impactor is, of course, Saurik’s tool for signing the English version of the Pangu .ipa file. Impactor was promoted alongside the English release of Pangu and is likely safe, since it doesn’t install any 25PP software, performs the signing locally, and runs on multiple platforms.
That said, even the English version of the tool is hosted on 25PP’s servers, which should give pause:
I will also say I trust Pangu a lot… but I don’t know if the Chinese version of their app was only touched by them. I bet the English one was their work only, though you are downloading it from 25PP, which opens some issues: do you trust the employees at 25PP with control over their servers?
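Saurik’s question about who controls the download server has a standard answer: check the file you downloaded against a digest obtained from the author through a separate channel, and look inside the archive before handing it to a signing tool. The checker below is an added example, not code from the article, Pangu, 25PP or Impactor. It assumes you have such an out-of-band SHA-256 digest (the page provides none, so EXPECTED_SHA256 is a placeholder) and that an .ipa is a zip whose entire content is one app bundle under Payload/<Name>.app/; the sample archives are constructed in memory, and the hostile members in the tampered one are invented for illustration.

```python
"""Check a jailbreak download before handing it to a signing tool.

Added example, not code from the article, Pangu, 25PP or Saurik's Impactor.
Assumes a SHA-256 digest of the genuine file obtained out of band (the page
provides none; EXPECTED_SHA256 is a placeholder) and that an .ipa is a zip
whose only content is one app bundle under Payload/<Name>.app/. The sample
archives are constructed in memory.
"""
import hashlib
import hmac
import io
import zipfile

# Placeholder: replace with the digest published by the tool's author.
EXPECTED_SHA256 = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the out-of-band reference digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Classify archive members; anything outside a single Payload/<Name>.app/ is suspect."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
    report = {"outside_payload": [], "traversal": [], "bundles": []}
    bundles = set()
    for name in names:
        parts = name.split("/")
        # Absolute or '..' paths: an archive trying to write outside the extraction directory.
        if name.startswith("/") or ".." in parts:
            report["traversal"].append(name)
            continue
        if name == "Payload/":  # bare directory entry is normal
            continue
        if parts[0] != "Payload" or len(parts) < 3 or not parts[1].endswith(".app"):
            report["outside_payload"].append(name)
            continue
        bundles.add(parts[1])
    report["bundles"] = sorted(bundles)
    return report


def is_clean(report: dict) -> bool:
    return (not report["outside_payload"]
            and not report["traversal"]
            and len(report["bundles"]) == 1)


def build_sample_ipa(tampered: bool) -> bytes:
    """Constructed stand-in for a downloaded .ipa; not a real Pangu build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/", "")
        zf.writestr("Payload/Sample.app/Info.plist", "<plist/>")
        zf.writestr("Payload/Sample.app/Sample", b"stand-in app binary")
        if tampered:
            zf.writestr("extra/dropper.exe", b"MZ stand-in")   # outside Payload/ (invented)
            zf.writestr("../startup/evil.sh", "#!/bin/sh\n")  # path traversal (invented)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample_ipa(False)), ("tampered", build_sample_ipa(True))):
        report = inspect_ipa(data)
        print(label, sha256_hex(data)[:16], "clean" if is_clean(report) else report)
```

The digest check only helps if the reference comes from somewhere other than the server that served the file; a hash posted next to the download proves nothing if the same people control both. The archive inspection catches crude tampering (a dropper added beside the bundle, a path that escapes the extraction directory) but not a modified binary inside the bundle, which is what the digest is for.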
The point of all of this is not to scare anyone who decided to jailbreak, but you should absolutely be aware of what you’re dealing with here. If you did jailbreak with the original Chinese version of this tool, I suggest restoring your iOS device via iTunes. I also recommend uninstalling the PPHelper tool if it was used, and running an antivirus scan on your PC. It should go without saying that you should check your PayPal, credit, debit and Facebook accounts for potential breaches.
As I stated during both of our jailbreak tutorials, I recommend using burner Apple IDs when it comes to the signing portion of the jailbreak process. I, for one, have decided not to jailbreak my daily driver device, but that’s a decision that each and every one of you will have to make for yourselves. Despite what some jailbreak-naysayers may claim, jailbreaking doesn’t automatically sign you up to be compromised, but you do need to be aware of potential risks.
At the very least, protect yourself by avoiding tweak installs from unknown sources. More importantly, please, please, please use 2FA for all of the online services that you use. If 2FA isn’t available for an account that you use, I’d seriously consider not using these accounts for anything of a sensitive nature.
Yes, whether people want to agree with it or not, jailbreaking brings with it inherent security risks. If you’re willing to take those risks, there are things that you can do to help mitigate potential issues. In the case of this latest jailbreak, be sure to follow the advice above.
You can also change the root password on the device (jailbroken devices with OpenSSH installed ship with the well-known default password “alpine” for both the root and mobile accounts, so change both), avoid shady tweaks from unknown sources, and avoid piracy and pirated repos, apps and tweaks.
We’ll have more concerning the security issues related to this jailbreak as we learn more. Does this reported security breach change your stance on jailbreaking at all?
Update: The Pangu team has issued a statement via Twitter with regard to the issue.
It also says that it has registered an official Reddit account:
In response to the breach, Pangu has posted the following on Reddit:
Hello everyone, this is the 4th jailbreak tool released by our team, which means we should have some reputation even though we come from China (and we know most western users don’t normally trust Chinese software). So if any user thinks we are hacking your accounts, that makes us feel deeply sad. Also, we have not received any report of account breach from Chinese users. So may I ask those who have account breach issues, which version did you use, the CN or EN version? And we noticed that MySpace and Tumblr account data were leaked this year; have you checked whether you are using the same account? We want to find the root cause of this ASAP.
We spent so much time reading the posts here, and some users also have account breach issues from using the EN version? We of course talked with 25PP and they totally have no clue about this. We are also checking whether their PC tool has some security flaws which may enable hackers to attack via network sniffing. But as of now, we don’t find anything suspicious.
From my past indirect dealings with Pangu and from using their software over the years, I can say that they definitely seem trustworthy, and I don’t believe for a second that they have placed malicious code in their jailbreak app, either Chinese or English. With that said, there could be other portions of the jailbreak process that have opened up users to potential compromises. If you’re going to jailbreak, the best thing to do is to be safe and use the best practices mentioned above.