There’s been a lot of pent up anticipation for the iOS 9.3.3 jailbreak, and Pangu, the Chinese security researchers behind the latest tool, have answered the call.
Unfortunately, it appears that some jailbreakers have had various accounts compromised after jailbreaking, and several users on the popular subreddit r/jailbreak have corroborated these claims.
To be fair, it’s possible that these reported breaches are just a big coincidence, or that a compromise occurred after the tool left Pangu’s hands for distribution. Whatever the reason, however, it highlights one of the potential risks involved with jailbreaking.
The initial tool was released in Chinese and hosted by Chinese company 25PP. The jailbreak was distributed via 25PP’s “PPHelper” tool, although some users were able to directly install the jailbreak without using the helper tool.
From what we can gather thus far, the common thread between most of the jailbreakers who had accounts compromised was that they used the PPHelper tool. It’s entirely possible that this tool, which is installed on Windows machines, contained the malicious code responsible for the unauthorized access.
Multiple users are reporting unauthorized access to one or more of the following:
- PayPal
- Credit and Debit accounts
Most of the fraudulent access is coming from places like Taiwan, Vietnam, Beijing, or other places in China. Some of these reported locations could be operating through proxies.
There could, of course, be additional compromises, but these are the ones that seem to be the most common according to the thread on the r/jailbreak subreddit.
Saurik, Cydia’s creator, chimed in with his thoughts on the matter. He states that he trusts Pangu, the team of hackers responsible for the actual jailbreak tool, but has doubts about potential breaches that could have occurred after the tool left Pangu’s hands for distribution.
Impactor, is of course, Saurik’s tool for signing the English version of the Pangu.ipa file. Impactor was promoted alongside the English release of Pangu, which is likely safe since it doesn’t install any software related to 25PP, and runs on multiple platforms.
That said, even the English version of the the tool is hosted on the 25PP servers, which should lend pause:
The point of all of this is not to scare anyone who decided to jailbreak, but you should absolutely be aware of what you’re dealing with here. If you did jailbreak with the original Chinese version of this tool, I suggest restoring your iOS device via iTunes. I also recommend uninstalling the PPHelper tool if it was used, and running an antivirus scan on your PC. It should go without saying that you should check your PayPal, credit, debit and Facebook accounts for potential breaches.
As I stated during both of our jailbreak tutorials, I recommend using burner Apple IDs when it comes to the signing portion of the jailbreak process. I, for one, have decided not to jailbreak my daily driver device, but that’s a decision that each and every one of you will have to make for yourselves. Despite what some jailbreak-naysayers may claim, jailbreaking doesn’t automatically sign you up to be compromised, but you do need to be aware of potential risks.
At the very least, protect yourself by avoiding tweak installs from unknown sources. More importantly, please, please, please use 2FA for all of the online services that you use. If 2FA isn’t available for an account that you use, I’d seriously consider not using these accounts for anything of a sensitive nature.
Yes, whether people want to agree with it or not, jailbreaking brings with it inherent security risks. If you’re willing to take those risks, there are things that you can do to help mitigate potential issues. In the case of this latest jailbreak, be sure to follow the advice above.
You can also do things like change your root password, avoid shady tweaks from unknown sources, avoid piracy and pirated repos, apps and tweaks.
We’ll have more concerning the security issues related to this jailbreak as we learn more. Does this reported security breach change your stance on jailbreaking at all?
Update: The Pangu team has issued a statement via Twitter with regard to the issue.
It also says that it has registered an official reddit account:
Neither we nor 25pp would be so stupid to make money by hacking users paypal account via jailbreak tool. We hope to find out the truth asap.
— PanguTeam (@PanguTeam) July 31, 2016
In response to the breach, Pangu has posted the following on Reddit:
We register reddit official account at https://t.co/1OsjCHZ5Z1
From my past indirect dealings with Pangu and with using their software over the years, I can say that they definitely seem trustworthy, and I don’t believe for a second that they have placed malicious code in their jailbreak app — either Chinese or English. With that said, there could be other portions of the jailbreak process that has opened up users to potential compromises. If you’re going to jailbreak, the best thing to do is to be safe and use best practices when jailbreaking as mentioned above.
We spent so much time to read the posts here and some users also have account breach issue by using the EN version? We of course talked with 25pp and they totally have no clue about this. We are also checking if their PC tool has some security flaws which may enable hackers to attack from network sniff. But as far as now, we don’t find anything suspicious.
