The battle of Cupertino: Jailbreakers do it for freedom, not cash

Shanghai's Pangu Team explain how they work to loosen Apple's iron grip

Ruxcon A team of seven Chinese hackers are forgoing big bucks and instead pursuing their effort to open Apple to the security research field and thereby allow users to modify their devices.

The group of brilliant independent security boffins known as Pangu Team are among the top researchers in the iDevice jailbreaking scene, where they battle with Apple's security teams to find ways to hack the hugely-popular and increasingly tough nut that is iOS.

The hackers could easily sell the iOS exploits that make jailbreaking possible to eager buyers and brokers for huge amounts of cash. Instead the core team of four researchers, who operate from Shanghai apartments, are burning their exploits to help users all over the world install applications that Apple has not sanctioned, to access otherwise cordoned-off tweaks and tap into an entire App Store that is unavailable to unmodified iDevices.

"We really want the Apple end users to fully control their device for free … to be able to really control the device, not just 'occupy' it," Pangu Team's Tielei Wang told Vulture South at the Ruxcon conference in Melbourne last Saturday.

"If you sell zero days, the buyers will use it for some unknown private use.

"Secondly iOS is a closed-system and without a jailbreak you are not able to do any advanced security study … and we want to be able to promote iOS research."

Some of the prominent jailbreaking players at DEF CON, by Dreamyshade, 2011

Some of the prominent jailbreaking players at DEF CON. Image: Dreamyshade, 2011.

Jailbreaking is a complex tit-for-tat game that requires the discovery of new vulnerabilities within iOS that can be exploited to allow users to break Cupertino's iron security grip it holds on iPhones and iPads.

Apple does not approve of jailbreaks and will often plug those hard-won vulnerabilities when it releases updates for iOS. Users wanting both the newest iOS features and their modifications have to wait for the likes of Pangu Team to find another way to break the latest update.

Others play the jailbreaking game. Esser is among the notable, along with Nicholas Allegra, Chronic Dev Team, evad3rs, TaiG team and more.

"I'm working on code signing, Tielei's working on kernel -- everyone has something different and we combined our work together," Pangu Team member Chen XiaoBo says.

The boffins released their first jailbreak in June last year using a vulnerability discovered by respected Apple hacker Stefan Esser which pried open iOS 7.1. They followed that in October with a jailbreak for iOS 8.

Last week they dropped a much-awaited jailbreak for iOS 9.

Somewhere between this unpaid mission to best Cupertino's finest the crew run a mobile security startup consultancy out of China's capital.

They are not Apple die hards, however. Wang and XiaoBo say they like Google's Android operating system saying it is catching up to the quality of iOS, and plan to begin working on developing exploits for that platform.

"We are planning some work on Android in the future," Wang says. "The whole software stack, from the lowest level to the highest."

The group will continue their iOS jailbreaking work. The next challenge is the iOS 9.1 update that rendered their newest hard-earned jailbreak ineffective. ®

Similar topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022