New iOS 26.0.1 Exploit Bypasses Sandbox, Risks Unauthorized Data Access

New iOS 26.0.1 Exploit Allows Unauthorized Access to Protected Data

A recently discovered vulnerability in iOS 26.0.1 enables attackers to bypass sandbox restrictions, granting unauthorized access to sensitive data on iPhones and iPads. The exploit chains weaknesses in the `itunesstored` and `bookassetd` daemons, allowing an attacker to modify protected files within the device’s Data partition.

Technical Breakdown of the Exploit

Security researcher Kim detailed the exploit in a blog post dated October 20, 2025. The attack begins with a specially crafted `downloads.28.sqlitedb` database that deceives the `itunesstored` daemon into downloading and placing another database, `BLDatabaseManager.sqlite`, into a shared system group container. Although `itunesstored` operates under strict sandbox limitations, the exploit escalates by utilizing the `bookassetd` daemon, responsible for handling iBooks downloads and possessing broader permissions.

Mechanism of Unauthorized Data Modification

By exploiting `bookassetd`, attackers can write to directories typically restricted from unauthorized access. These include:

– `/private/var/mobile/Library/FairPlay/`

– `/private/var/mobile/Media/`

– System caches such as `/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist`

In a demonstration on an iPhone 12 running iOS 16.0.1, Kim successfully modified the MobileGestalt cache to spoof the device as an iPod touch (model iPod9,1), showcasing the exploit’s potential impact.

Steps Involved in the Exploit

The process to execute this exploit involves several steps:

1. Preparation of Malicious Files: Crafting a modified EPUB file, ensuring the `mimetype` file is uncompressed, and hosting necessary assets like `iTunesMetadata.plist` on a server.

2. Injection of Databases: Utilizing tools such as 3uTools or afcclient to inject the malicious databases into `/var/mobile/Media/Downloads/`.

3. Triggering the Exploit: Initiating targeted reboots to prompt the system to process the malicious downloads.

Under normal circumstances, the system should prevent writes to unauthorized paths. However, this vulnerability allows modifications unless the destination is controlled by the root user.

Potential Implications and Risks

The exploit opens up several writable locations, including caches and media directories. This capability could be exploited for:

– Persistence: Maintaining unauthorized access to the device.

– Configuration Tampering: Altering system settings or configurations.

– Data Exfiltration: Extracting sensitive user data without consent.

While the exploit requires physical or tethered access to place the malicious database, once established, it could facilitate more advanced attacks, especially on jailbroken or otherwise compromised devices.

Current Status and Recommendations

As of now, Apple has not issued an official statement regarding this vulnerability. Researcher Kim anticipates that a patch may be released imminently. In the interim, users are advised to:

– Avoid Connecting to Untrusted Devices: Refrain from connecting your iPhone or iPad to unfamiliar computers or charging stations.

– Monitor for Unusual Behavior: Be vigilant for signs of unauthorized access or modifications.

– Keep Software Updated: Regularly check for and install software updates from Apple to ensure the latest security patches are applied.
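As an added illustration of the "monitor for unusual behavior" advice, not code from the article or from the researcher, the following Python script compares two file snapshots of the protected locations named above and flags additions or modifications there, and it reads the product type from a MobileGestalt-style cache to detect the kind of model spoofing shown in the demonstration. The snapshots, the plist key layout (`CacheExtra` → `ProductType`) and the model identifiers are constructed assumptions for the example; a real audit would feed it file contents taken from a device backup or forensic image.

```python
import hashlib
import plistlib
from typing import Dict, Optional

# Locations the article reports as writable through bookassetd.
PROTECTED_PREFIXES = (
    "/private/var/mobile/Library/FairPlay/",
    "/private/var/mobile/Media/",
    "/private/var/containers/Shared/SystemGroup/",
)
GESTALT_CACHE = (
    "/private/var/containers/Shared/SystemGroup/"
    "systemgroup.com.apple.mobilegestaltcache/Library/Caches/"
    "com.apple.MobileGestalt.plist"
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)


def diff_snapshots(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> dict:
    """Compare two {path: contents} snapshots and report protected files that
    were added, removed or modified between them."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(baseline) | set(current)):
        if not is_protected(path):
            continue  # only the article's protected locations are of interest
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif sha256(baseline[path]) != sha256(current[path]):
            report["modified"].append(path)
    return report


def gestalt_model(plist_bytes: bytes) -> Optional[str]:
    """Return the product type stored in a MobileGestalt-style cache plist.
    The CacheExtra -> ProductType layout is an assumption made for this example."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed or non-plist data
        return None
    if not isinstance(data, dict):
        return None
    return data.get("CacheExtra", {}).get("ProductType")


def audit(baseline: Dict[str, bytes], current: Dict[str, bytes], expected_model: str) -> dict:
    """Run the snapshot diff and the model-identifier check in one report."""
    report = diff_snapshots(baseline, current)
    model = gestalt_model(current[GESTALT_CACHE]) if GESTALT_CACHE in current else None
    report["reported_model"] = model
    report["model_spoofed"] = model is not None and model != expected_model
    return report


def make_gestalt(product_type: str) -> bytes:
    # Builds a minimal constructed cache plist; real caches hold many more keys.
    return plistlib.dumps({"CacheExtra": {"ProductType": product_type}})


# Constructed snapshots: a clean baseline (assumed iPhone 12 identifier iPhone13,2)
# and a later state in which the cache claims the iPod9,1 identifier from the demo
# and a downloads database has appeared in the Media/Downloads directory.
BASELINE = {
    GESTALT_CACHE: make_gestalt("iPhone13,2"),
    "/private/var/mobile/Media/Downloads/readme.txt": b"hello",
    "/private/var/mobile/Library/Preferences/com.example.plist": b"unrelated",
}
CURRENT = {
    GESTALT_CACHE: make_gestalt("iPod9,1"),
    "/private/var/mobile/Media/Downloads/readme.txt": b"hello",
    "/private/var/mobile/Media/Downloads/downloads.28.sqlitedb": b"SQLite format 3\x00",
    "/private/var/mobile/Library/Preferences/com.example.plist": b"changed",
}

if __name__ == "__main__":
    print(audit(BASELINE, CURRENT, "iPhone13,2"))
```

The unrelated preferences file changes between snapshots but is not reported, because the check is scoped to the prefixes the article identifies; widening `PROTECTED_PREFIXES` is the only change needed to cover other locations.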

Kim has provided basic files on GitHub for educational purposes, emphasizing that the research is intended solely for learning and not for any illegal activities.

Conclusion

This proof-of-concept highlights ongoing challenges in maintaining daemon isolation within iOS. As Apple continues to enhance sandboxing measures, this exploit serves as a reminder of the importance of continuous vigilance and prompt software updates to safeguard user data.