Meet Comex, The 19-Year Old iPhone Uber-Hacker Who Keeps Outsmarting Apple
By Andy Greenberg
August 1, 2011
A version of this story will appear in the upcoming issue of Forbes, published later this week.
Nicholas Allegra, better known by the hacker handle Comex.
Nicholas Allegra lives with his parents in Chappaqua, New York. The tall, shaggy-haired and bespectacled 19-year old has been on leave from Brown University since last winter, looking for an internship. And in the meantime, he’s been spending his days on a hobby that periodically sends shockwaves through the computer security world: seeking out cracks in the source code of Apple’s iPhone, a device with more software restrictions than practically any computer on the market, and exploiting them to utterly obliterate its defenses against hackers.
“It feels like editing an English paper,” Allegra says simply, his voice croaking as if he just woke up, though we’re speaking at 9:30 pm. “You just go through and look for errors. I don’t know why I seem to be so effective at it.”
To the public, Allegra has been known only by the hacker handle Comex, and keeps a low profile. (He agreed to speak after Forbes‘ poking around Twitter, Facebook and the Brown Directory revealed his name.) But in what’s becoming almost an annual summer tradition, the pseudonymous hacker has twice released a piece of code called JailBreakMe that allows millions of users to strip away in seconds the ultra-strict security measures Apple has placed on its iPhones and iPads, devices that account for more than half the company’s $100 billion in revenues.
The tool isn’t intended for theft or vandalism: It merely lets users install any application they want on their devices. But jailbreaking, as the practice is called, violates Apple’s obsessive control of its gadgets and demonstrates software holes that could be exploited later by less benevolent hackers.
Apple didn’t respond to requests for comment, but it’s not thrilled about Allegra’s work. When he released JailbreakMe 3 in July, the company rushed to patch the security opening in just nine days. Nonetheless, 1.4 million people used the tool to jailbreak their gadgets in that time, and more than 600,000 more since then. Allegra has become such a thorn in Apple’s side that its stores now block JailbreakMe.com on in-store wifi networks.
“I didn’t think anyone would be able to do what he’s done for years,” says Charlie Miller, a former network exploitation analyst for the National Security Agency who first hacked the iPhone in 2007. “Now it’s been done by some kid we had never even heard of. He’s totally blown me away.”
see photos
Click for full photo gallery: A Brief History of Apple Hacking
To appreciate JailbreakMe’s brilliance, consider how tightly Steve Jobs locks down his devices: Since 2008, Apple has implemented a safeguard called “code-signing” to prevent hackers from running any of their own commands on its mobile operating system. So even after an attacker finds a security bug that gives him access to the system, he can only exploit it by reusing commands that are already in Apple’s software, a process security researcher Dino Dai Zovi has compared to writing a ransom note out of magazine clippings.
After Allegra released JailbreakMe 2 last year, Apple upped its game another notch, randomizing the location of code in memory so that hackers can’t even locate commands to hijack them. That’s like requiring an attacker to assemble a note out of a random magazine he’s never read before, in the dark.
Page 2 of 2
Yet Allegra has managed to find a path around those locks. In JailbreakMe 3, Allegra used a bug in how Apple’s mobile operating system iOS handles PDFs fonts that allows him to both locate and repurpose hidden commands. That critical flaw allowed a series of exploits that not only gains total control of the machine but leaves behind code that jailbreaks it again every time the device reboots – all without ever even crashing the operating system. “I spent a lot of time on the polish,” Allegra says with a hint of pride.
Dino Dai Zovi, co-author of the Mac Hacker’s Handbook, says JailbreakMe’s sophistication is on par with that of Stuxnet, a worm thought to have been designed by the Israeli or U.S. government to infect Iran’s nuclear facilities. He compares Allegra’s skills to the state-sponsored intruders that plague corporations and governments, what the cybersecurity industry calls “advanced-persistent threat” hackers: “He’s probably five years ahead of them,” says Dai Zovi.
Allegra isn’t after profit: his site is free, though it does accept donations. Nor does he criticize Apple for wanting to control what users can install on their devices. He calls himself an Apple “fanboy,” and describes Android’s more open platform as “the enemy.” “I guess it’s just about the challenge, more than anything else,” he says.
The young hacker taught himself to code in the programming language Visual Basic at the age of nine, gleaning tricks from Web forums. “By the time I took a computer science class in high school, I already knew everything,” he says. When he found that he couldn’t save a screenshot from the Nintendo Wii video game Super Smash Brothers to his computer, he spent hours deciphering the file, and later worked on other Wii hacks, getting a feel for its obscure operating system.
“I didn’t come out of the same background as the rest of the security community,” he says. “So to them I seem to have come out of nowhere.”
Allegra argues that his jailbreaking work is legal. The U.S. Copyright Office created an exemption last summer in the Digital Millenium Copyright Act for users to jailbreak their own cell phones, despite’s Apple objections that the ruling could open phones to dastardly hackers and even lead to “catastrophic” attacks that crash cell phone towers.
Whether it’s acceptable to release tools for others to jailbreak their devices, however, has yet to be decided. Three courts have ruled the practice is legal, while another said it could violate the DMCA. In January, Sony used that law and others to sue George Hotz, one of Allegra’s fellow iPhone hackers, for reverse engineering the Playstation 3. The suit was settled, but not before it touched off a wave of retaliatory cyberattacks on Sony by hackers around the world.
Allegra admits that technically, there’s little difference between jailbreaking phones and hacking them for more malicious ends. “It’s scary,” he says. “I use the same phone as everyone else, and it’s totally insecure.”
But at least in the case of JailbreakMe 3, Allegra also created a patch for the PDF vulnerability he exploited, allowing users to cover their tracks so that other hackers couldn’t exploit the same bug. In the period before Apple released an official patch, users who had jailbroken their iPads and iPhones were in some sense more secure than those who hadn’t.
A postscript to Apple: Perhaps your security team could use another intern.