Signature check circumvention allows free tethering without a jailbreak

An interesting security hole has been discovered that allows people to circumvent the iOS Carrier.plist signature check by creating a backup, modifying the file inside it, and restoring the modified backup. The example, presented by iTweakiOS, uses the hack to enable tethering without having to go through a carrier.

The iOS Carrier.plist file is responsible for a number of carrier-related settings, including device tethering. iTweakiOS modified the value of the cellular gateway used for tethering so that tethered data is directed through the gateway used for normal device traffic instead.

CommCenter, the iOS service responsible for handling network connectivity, normally performs a signature check on the Carrier.plist to ensure it has not been tampered with. However, modifying it on a backup file and then restoring the modified backup worked to circumvent the check. While it is unclear why it's possible to get around the signature check this way, it seems likely that Apple will fix this with the public release of iOS 7 this fall.
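The general weakness the article points at is a signature check that runs on one write path (carrier provisioning) but not on another (backup restore), so a file that was checked when installed can later be replaced without re-checking. The following Python model is an added example, not Apple's or iTweakiOS's code; it does not reproduce how CommCenter or iTunes restore actually work. It assumes a hypothetical `Device` with a signed `Carrier.plist`, uses an HMAC instead of an asymmetric signature to stay dependency-free, and contrasts a check-on-install loader with one that verifies on every load.

```python
"""Added illustration: a signed settings file whose signature is checked only
on the install path can be replaced through any other write path (here a
backup restore); verifying on every load closes that gap."""
import hashlib
import hmac
import plistlib

# Constructed demo key. A real device would hold only a public key and verify
# an asymmetric signature; HMAC keeps this example free of extra dependencies.
SIGNING_KEY = b"constructed-demo-key"


def canonical_bytes(settings):
    """Serialise settings deterministically so the same dict always signs the same."""
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML, sort_keys=True)


def sign(settings):
    """Return (plist bytes, hex signature) for a settings dict."""
    data = canonical_bytes(settings)
    return data, hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def signature_valid(data, signature):
    """Constant-time comparison of the stored signature against a fresh one."""
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


class Device:
    """Hypothetical device with a signed settings file and two write paths."""

    def __init__(self, verify_on_load):
        self.verify_on_load = verify_on_load
        self.disk = {}  # constructed stand-in for the filesystem

    def install_from_carrier(self, data, signature):
        # Provisioning path: the signature is checked before the file is written.
        if not signature_valid(data, signature):
            raise ValueError("rejected: bad signature on install")
        self.disk["Carrier.plist"] = data
        self.disk["Carrier.sig"] = signature

    def restore_backup(self, backup):
        # Restore path: files are copied back verbatim with no signature check.
        # This is the modelled gap, not a description of the real restore code.
        self.disk.update(backup)

    def load_settings(self):
        data = self.disk["Carrier.plist"]
        if self.verify_on_load and not signature_valid(
            data, self.disk.get("Carrier.sig", "")
        ):
            raise ValueError("rejected: Carrier.plist signature does not verify at load")
        return plistlib.loads(data)


def demo(verify_on_load):
    """Install genuine settings, restore a backup whose tethering gateway was
    edited, and return the gateway the device would use ('rejected' if refused)."""
    genuine = {"tethering_gateway": "tether.example", "data_gateway": "data.example"}
    dev = Device(verify_on_load)
    dev.install_from_carrier(*sign(genuine))
    # Constructed tampered backup: gateway edited, original signature kept.
    tampered = dict(genuine, tethering_gateway="data.example")
    backup = {
        "Carrier.plist": canonical_bytes(tampered),
        "Carrier.sig": dev.disk["Carrier.sig"],
    }
    dev.restore_backup(backup)
    try:
        return dev.load_settings()["tethering_gateway"]
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("check on install only:", demo(verify_on_load=False))
    print("check on every load:  ", demo(verify_on_load=True))
```

With `verify_on_load=False` the edited gateway is accepted because nothing re-examines the file after the restore wrote it; with `verify_on_load=True` the stale signature no longer matches the edited bytes and the load is refused. Verifying at the point of use, rather than at the point of write, is the property a fix for this class of bypass needs, whatever Apple's actual mechanism turns out to be.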

(In case anyone is tempted to try the hack in the meantime, be warned that carriers have been known to start billing users for tethering if they suspect you of tethering illicitly.)

Source: iTweakiOS