Tuesday 19th September 2017
iOS 9 / iOS 6 Home Screen Comparison Slider
As of writing this post, it is not possible to natively downgrade an iPad Mini First Generation to iOS 6.1.3 without SHSH blobs. The only alternative at the moment is to dual-boot iOS 6 with your current OS.
The iPhone 5, iPad Mini 1st Generation, iPad 4th Generation and iPhone 5c are the only 32 bit devices that did not originally ship with iOS 5 or earlier. This is why the iOS 6.1.3 upgrade is not being signed by Apple for these devices, making it impossible to downgrade to it at the moment unless you have saved SHSH blobs.
The reason that Apple still signs 6.1.3 and 8.1.4 for some 32 bit devices is that it is not possible to upgrade from iOS 5 directly to the latest version. You have to hop to 6.1.3, then 8.1.4 before being able to upgrade to the latest supported version. Note that the iPhone 5c originally shipped with iOS 7, so it is probably impossible for it to ever run iOS 6 natively.
The most recent version of iOS 6 is 6.1.3*, which was released on 19th March 2013. This means that there are currently over 4 years of unpatched security vulnerabilities and a lack of all new iOS security features. I highly recommend reading [PDF] Apple's iOS 10 Security White Paper for more information.
*There were 3 further releases of iOS 6 (6.1.4, 6.1.5 and 6.1.6), however these were not released for all devices. They were device-specific bug fix releases for the iPhone 5 and twice for the iPod Touch 4th Generation respectively. Read more here.
Many of the known security vulnerabilities can be mitigated by simply using the device in a highly defensive manner, such as by only visiting known trusted websites, only connecting to trusted Wi-Fi networks, only using disposable online accounts, not reading email, etc. However, there are also numerous remote code execution vulnerabilities that do not require any user interaction what so ever.
Having an iOS 6 device connected to your Wi-Fi access point is a potential risk to your network and is not recommended.
Below is a list of all of the iOS update security advisories for versions between 6.1.3 and 10.3.3.
Vulnerabilities that allow for remote code execution (RCE) without user interaction, or vulnerabilities that can not be easily defended against are highlighted.
To clarify, vulnerabilities are highlighted if they still affect you even if you use the device in a highly defensive manner as described above.
This list does not include vulnerabilities that require user interaction or for the attacker to be present on your Wi-Fi network.
The iOS version that they are listed under indicates the version at which they were patched, not the version(s) that they affect.
Many of these vulnerabilities may have been introduced in versions after iOS 6.1.3, however it should still give you a general idea of the state of iOS 6 security.
iOS 7 ------ https://support.apple.com/kb/HT5934 iOS 7.0.2 -- https://support.apple.com/kb/HT5957 iOS 7.0.3 -- https://support.apple.com/kb/HT6010 iOS 7.0.4 -- https://support.apple.com/kb/HT6058 iOS 7.0.6 -- https://support.apple.com/kb/HT6147 iOS 7.1 ---- https://support.apple.com/kb/HT6162 iOS 7.1.1 -- https://support.apple.com/kb/HT6208 iOS 7.1.2 -- https://support.apple.com/kb/HT6297 iOS 8 ------ https://support.apple.com/kb/HT6441 ┗━━ CVE-2014-4364 - Credential Theft - An attacker can potentially obtain Wi-Fi credentials by impersonating a trusted access point. iOS 8.1 ---- https://support.apple.com/kb/HT6541 iOS 8.1.1 -- https://support.apple.com/kb/HT204418 iOS 8.1.2 -- https://support.apple.com/kb/HT204422 iOS 8.1.3 -- https://support.apple.com/kb/HT204245 iOS 8.2 ---- https://support.apple.com/kb/HT204423 ┗━━ CVE-2015-1063 - Denial of Service - A malicious Class 0 (Flash) SMS message can cause the device to crash and restart. iOS 8.3 ---- https://support.apple.com/kb/HT204661 iOS 8.4 ---- https://support.apple.com/kb/HT204941 ┗━━ CVE-2015-3728 - Man in the Middle - Devices may auto-associate with an untrusted Wi-Fi access point that is advertising a known SSID, but with a downgraded security type. iOS 8.4.1 -- https://support.apple.com/kb/HT205030 ┗━━ CVE-2015-3778 - Sensitive Information Disclosure - Devices broadcast MAC addresses from previously accessed Wi-Fi networks. iOS 9 ------ https://support.apple.com/kb/HT205212 iOS 9.0.2 -- https://support.apple.com/kb/HT205284 iOS 9.1 ---- https://support.apple.com/kb/HT205370 iOS 9.2 ---- https://support.apple.com/kb/HT205635 iOS 9.2.1 -- https://support.apple.com/kb/HT205732 iOS 9.3 ---- https://support.apple.com/kb/HT206166 iOS 9.3.1 -- https://support.apple.com/kb/HT206225 iOS 9.3.2 -- https://support.apple.com/kb/HT206568 iOS 9.3.3 -- https://support.apple.com/kb/HT206902 iOS 9.3.4 -- https://support.apple.com/kb/HT207026 iOS 9.3.5 -- https://support.apple.com/kb/HT207107 iOS 10 ----- https://support.apple.com/kb/HT207143 iOS 10.0.1 - https://support.apple.com/kb/HT207145 iOS 10.0.2 - https://support.apple.com/kb/HT207199 iOS 10.0.3 - https://support.apple.com/kb/HT207263 iOS 10.1 --- https://support.apple.com/kb/HT207271 iOS 10.1.1 - https://support.apple.com/kb/HT207287 iOS 10.2 --- https://support.apple.com/kb/HT207422 iOS 10.2.1 - https://support.apple.com/kb/HT207482 iOS 10.3 --- https://support.apple.com/kb/HT207617 ┗━━ CVE-2017-2461 - Denial of Service - A malicious SMS message can cause denial of service (resource consumption). iOS 10.3.1 - https://support.apple.com/kb/HT207688 ┗━━ CVE-2017-6975 - Remote Code Execution - An attacker within range may be able to execute arbitrary code on the Broadcom Wi-Fi chip. iOS 10.3.2 - https://support.apple.com/kb/HT207798 iOS 10.3.3 - https://support.apple.com/kb/HT207923 ┣━━ CVE-2017-7063 - Denial of Service - A malicious message possibly delivered by SMS can cause denial of service (memory consumption and application crash). ┗━━ CVE-2017-9417 - Remote Code Execution - An attacker within range may be able to execute arbitrary on the Broadcom Wi-Fi chip (Broadpwn).
When reading through the Apple security advisories, I noticed that there were a lot of vulnerabilities related to UI spoofing/manipulation in Safari, for example CVE-2013-5152 and CVE-2015-5904. This reminds me of the Chrome Punycode URL spoofing bug from April 2017, however in the case of MobileSafari it requires you to visit a malicious website that will then spoof the URL, rather than a non-spoofed URL simply looking like the URL of a legitimate website.
I also wonder how the patch for Broadpwn works. It depends whether the patch actually patches the chip's firmware or is simply an iOS software patch. Perhaps if you upgraded to a version where Broadpwn was patched, but then downgraded back to a version where it is not patched, Broadpwn would still be patched because the change persists in the chip's firmware rather than in iOS itself. That's all just theory, but maybe it's an idea worth putting out there.
Overall, it was definitely an interesting project however due to the security issues with Wi-Fi and that fact that it is not possible to get iOS 6 running natively, I will probably just stick to using iOS 10.3.3 with the low performance. I only use the iPad Mini as a standalone VoIP client anyway, so the low performance in iOS 10 doesn't cause too much of an issue for me.
iOS 11 was released to the public today, and the new iOS 11 security advisory was made available just a few hours ago. I was surprised to see such a small number of patched vulnerabilities. Normally major releases have dozens and dozens of new security patches, whereas iOS 11 has only eight! This could be taken both ways, were fewer vulnerabilities found or are there fewer to find? I guess we'll have to wait and see.
Edit 1st Oct 2017 @ 8:53am: Around a day after the initial release of the new iOS 11 security advisory, Apple updated it with many new vulnerabilities. It still seems to have fewer than the average major release, but my statement about there being "only eight" is definitely not correct anymore.