Apple has accidentally unpatched a vulnerability in iOS 12.4 that it previously fixed, which could make it a bit easier for hackers to target the operating system.
In fact, the inadvertent unpatch has actually lead to the first publicly available jailbreak for up-to-date iPhones in years. But the bug also comes with it own set of security risks, too.
Over the weekend, security researchers discovered that Apple’s latest iOS 12.4 operating system update actually reintroduced a serious bug that the company had fixed in iOS 12.3, Motherboard reported on Monday.
According to iOS-focused security researchers, like Jonathan Levin, that means that all devices currently running iOS 12.4 are jailbreakable. But they could also be vulnerable to malicious attacks as well.
Levin also said that the bug could affect devices running an iOS 11.x or iOS 12.x update, since iOS 12.4 is the only software update that users can upgrade to.
Apple released iOS 12.4 back in late July, but it took until today for the first jailbreak to appear. On Monday, security researcher Pwn20wnd released a public jailbreak that works on all current iPhone devices.
This marks the first that a jailbreak for current versions of iOS has been released in some time. Typically, hackers and security researchers avoid detailing vulnerabilities because Apple will quickly patch them.
“A user apparently tested the jailbreak on iOS 12.4 and found that Apple had accidentally reverted the patch,” Google Project Zero’s Ned Williamson told Motherboard.
While some users purposely jailbreak their phones, it’s important to note that the existence of this vulnerability in up-to-date software also makes your device less secure — even if you don’t plan on jailbreaking it.
An anonymous iPhone security researcher told Motherboard that entities with iOS expertise could now use a Safari bug to “hack any up to date iPhone.”
Of course, even with the availability of the exploit, it’s not easy to hack an iPhone. But the news outlet notes that the “barriers to entry and now much lower.”
Williamson, the Project Zero researcher, said that “somebody could make a perfect spyware” in the wake of the accidental unpatching.
For example, a malicious code could exploit the bug and escape the usual sandbox of iOS to steal user data. Another attack could involve taking advantage of the bug with a malicious webpage and deploying a browser exploit.
And Pwn20wnd, the iOS jailbreaker, said that “it is very likely that someone is already exploiting this bug for bad purposes.”
How to Protect Yourself
It’s recommended that you exercise caution when downloading apps from the App Store going forward, or at least until Apple re-patches the bug in a future version of iOS.
iPhone security experts warn that any malicious app could contain a copy of the iOS 12.4 jailbreak, which it could use for malicious attacks. So make sure the apps you download are ones you can trust.