Debunking Rumors: Does the PS4 4.01 Jailbreak rely on vulnerabilities used in iOS 9 Trident/Pegasus exploits?
Growing rumors from (mostly) unverified sources have been claiming that the recently demonstrated PS4 4.01 Jailbreak relies on the same vulnerabilities as the iOS 9 Pegasus spyware.
PS4 4.01 Jailbreak – What is known so far
The PS4 4.01 Jailbreak was demonstrated a few weeks ago by Chinese security researchers at Chaitin Tech. Recently, Sony released firmware 4.06, which allegedly patches the exploit. Several PS3/PS4 hackers have implicitly confirmed the existence of the vulnerability and the fact that firmware 4.06 patches it.
It is extremely likely that this exploit uses a WebKit vulnerability as its first entry point to get code execution in usermode. Beyond that, very little is publicly known about this PS4 exploit, but growing rumors state that it might rely on the same vulnerabilities that Apple patched in iOS in August this year.
iOS Trident/Pegasus attack and how it relates to the PS4 4.01 Jailbreak
The iOS exploits, known as “Trident” (or, indirectly, “Pegasus”, the name of the spyware suite installed by the exploits), were allegedly used by governments to attack political dissidents. Pegasus relied on no fewer than three 0-day vulnerabilities in iOS, which Apple patched after the attack was disclosed to them by the security research firm Lookout Inc.
How do the Pegasus exploits relate to the PS4? Many unverified claims that the 4.01 Jailbreak is related to Pegasus started bubbling up recently. It is difficult to separate hoaxes and unverified claims on social networks from claims that can be taken seriously.
Most of the (credible) rumors seem to originate from a tweet by security researcher Kevin Beaumont (@GossiTheDog) on September 1, 2016, in which he stated:
“@lorenzoFB I suspect there’s a possibly they may also work on PlayStation 4 (oddly enough) to escape sandbox, still looking at it.”
Kevin Beaumont reiterated his belief in a tweet on October 26, 2016, when Chaitin Tech announced their 4.01 Jailbreak. Many of the other related rumors we found don’t have enough evidence (or a trustworthy enough source) to be taken seriously at this point.
I contacted Kevin Beaumont, who quickly replied that he believes the same WebKit exploit can be used to escape the WebKit sandbox. He said:
the iOS exploit included WebKit to kernel, and PS4 runs WebKit in the browser. A similar technique was used prior in much older firmware. At the time of the latest iOS exploit, Sony didn’t patch it.[…] If they can escape the browser into the kernel layer, they have root.
I tend to disagree with Kevin’s statement here, or rather, I don’t see a direct connection between “WebKit exploit” and “kernel access”. Looking at the details, the Trident exploits include one WebKit exploit, which indeed can probably be used on the PS4, but it does not lead to kernel access, only to execution of arbitrary code within the WebKit process. Further privilege escalation is required. The next steps of the iOS exploit rely on iOS-specific things to get kernel access. I’m not saying similar things cannot be done on the PS4 (iOS has some parts of FreeBSD, after all), but it seems to me that the conclusion takes a few shortcuts. Kevin has confirmed to me that he hasn’t done the groundwork yet to confirm his educated guess.
I have contacted a few trusted hackers of the PS4 scene. One of them boldly told me the rumors are not true.
It is becoming clear to me that an educated guess from a (legitimate) Twitter source escalated into a series of rumors that are mostly false. The PS4 4.01 Jailbreak does not appear to be based on the iOS Pegasus exploits.
The following PDF, which explains how the Pegasus exploits work, has been widely circulating along with the rumors on various social media and scene websites. It’s an interesting read, whether or not you believe that it is connected to the recent PS4 jailbreak.
As far as I’m concerned, I have no doubt that the jailbreak is real (independently of which exploits are being used). But it’s all about understanding whether “something” will ever be released. PS4 1.76, the only firmware known to run jailbreaks, is now out of financial reach from my perspective, so my plan is to buy a PS4 Slim as my main gaming rig and keep my current PS4 on firmware 4.01. Only the future will tell whether this is the right move or not.