Last Friday a security researcher nicknamed axi0mX posted the news on Twitter: he had discovered a new exploit for iOS, which he baptized ‘checkm8’, that allows jailbreaking every iPhone from the 4S to the iPhone X. Only the newer models with the Apple A12 or Apple A13 chips are safe from this vulnerability.
The exploit is special because it targets the bootrom, a read-only memory, which means Apple cannot do anything to correct the problem on affected models. There is no possible patch for checkm8, whose code has already been published on GitHub. We explain how it works and what impact it has on iOS devices.
An uncontrollable exploit
The vulnerabilities that have appeared in iOS in recent years have led to the odd scenario in which it was possible to jailbreak some iPhone models running specific versions of Apple’s mobile operating system.
EPIC JAILBREAK: Introducing checkm8 (read “checkmate”), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
– axi0mX (@axi0mX) September 27, 2019
Normally, shortly after a problem was discovered, Apple released an iOS update to patch the system, but that is not possible for the problem raised by checkm8.
The reason lies in the way this exploit works: it “attacks” the iOS bootrom, the device’s boot memory, which is read-only and “burned” into the iPhone’s hardware.
A firmware update cannot act on it, which makes this exploit a “perpetual” problem for Apple, which cannot prevent users from taking advantage of it to jailbreak their devices.
The exploit itself, checkm8, must be distinguished from a jailbreak, which has not yet been published, if anyone has developed one at all. This vulnerability not only makes a jailbreak possible (to, for example, install third-party software not controlled by Apple or its App Store), but also allows the security of the device to be compromised.
What devices are affected
In fact it is not only iPhones that are affected by the problem: as Malwarebytes experts point out, other Apple products that run iOS or iOS-derived operating systems are also at risk.
The list of affected products is as follows; all of them lack Apple’s A12 or A13 chips, and devices with those chips are safe from the problem:
- All iPhones from the 4S to the iPhone X
- All iPads from the second to the seventh generation
- iPad mini 2 and iPad mini 3
- The first and second generation iPad Air
- The 2nd generation 10.5-inch and 12.9-inch iPad Pro
- The Apple Watch Series 1, Series 2 and Series 3
- The 3rd generation Apple TV and the 4K model
- The fifth, sixth and seventh generation iPod Touch
Physical access is needed
Some jailbreaks had the peculiarity of being able to be performed remotely, which was known as ‘untethered’, but checkm8 does not work that way: you need the physical device in order to connect it to a computer, and then you also have to put it into DFU (Device Firmware Upgrade) mode to take advantage of the exploit.
HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks @qwertyoruiopz pic.twitter.com/4fyOx3G7E0
– axi0mX (@axi0mX) September 29, 2019
The developer of this exploit also explained that the vulnerability is not enough on its own to install malware persistently on the device, although ways could be discovered to gain that level of access indefinitely.
That means, among other things, that the exploit must be executed every time the attacked device reboots. On reboot, the memory on which it operates is lost, so it has to be applied again (with the aforementioned physical access, connecting the device to a computer and activating DFU mode) in order to regain the privileges the exploit grants.
As axi0mX explained in an interview with Ars Technica, the risk for users is greater the older their device is: Apple introduced and integrated its Secure Enclave and Touch ID in 2013, which brought a very high degree of security to iPhones.
For older models like the iPhone 5c (the same one that was unlocked in the famous FBI case over the San Bernardino attack), however, this exploit would have allowed access to all the data.
On newer Apple phones with the Secure Enclave, that access is completely blocked: the exploit allows code execution on the device, but it does not allow the PIN protection to be bypassed, because that part depends on a separate subsystem.
What impact can checkm8 have, and what can you do if you are affected?
What can happen from now on is a “perpetual” version of what happened in 2010, when the famous George Hotz (geohot) discovered an exploit for the iPhone 3GS and the iPhone 4. That exploit was used by redsn0w.
Apple eventually patched the problem and raised security with the introduction of the aforementioned Secure Enclave, a separate processor that manages the encryption keys for user data and significantly increased the security level of the devices.
Checkm8 does not allow this data to be decrypted, but it grants privileges that, combined with other additional tools, could be used to attempt attacks on that encryption.
Since we are talking about an exploit that cannot be patched, the only thing users can do to protect themselves is to switch to a newer iPhone model with an A12 or higher processor. If they do, the ideal is then to erase the data on the old iPhone from the iOS settings menu.
If the user does not change phones, it is recommended to set an alphanumeric passcode instead of the more popular 6-digit passcode. With the exploit, brute force attacks could be carried out to try to access user data, and a strong alphanumeric passcode can therefore avoid potential problems.