All Devices From The iPhone 4S to iPhone X are susceptible
This iOS exploit has been reported to enable a permanent, unpatchable jailbreak of hundreds of millions of iPhones worldwide.
Named “checkm8” by the researcher axi0mX (@axi0mX on Twitter), the exploit uses a bootrom vulnerability that gives low-level access to the device from the very start of the boot process. Because the bootrom is burned into the chip at the factory, Apple cannot block, patch or remove the flaw with a software update; it can only be fixed in new hardware.
Checkm8 has been touted as one of the biggest iPhone hacking developments in years.
“What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.” – reported by axi0mX
Like other exploits of its kind, checkm8 targets code that runs at the earliest stage of the boot process. The vulnerable code lives in the bootrom (SecureROM), read-only memory that is fixed when the chip is manufactured. The exploit does not write anything into the ROM; rather, because the bug is in the ROM itself, Apple cannot overwrite or patch it with an update. The flaw is in the bootrom's USB handling for DFU (Device Firmware Update) mode, which is why exploiting it requires a USB connection.
The last bootrom exploit publicly released for iOS devices targeted the iPhone 4, nearly ten years before this publication.
axi0mX followed up the initial report of checkm8 by stating:
“bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.”
The susceptible devices are those built on Apple's A5 through A11 chips, which for iPhones means every model from the iPhone 4S (A5) up to the iPhone X (A11).
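A device in DFU mode identifies its chip in the USB serial-number string it presents to the host, so the quickest way to tell whether a given phone falls in the affected range is to read that string and map its CPID tag to a SoC generation. The following is an added example, not code from the article or from axi0mX's tooling: the CPID table is populated from publicly known Apple chip IDs and is this example's own assumption (check it against your own inventory), and the sample serial strings are constructed for illustration (the ECID values are fake). The PWND tag check reflects the tag ipwndfu appends to the serial after a successful exploit; that the string is otherwise unmodified is likewise an assumption.

```python
import re

# Chip IDs (CPID) as reported in the DFU-mode USB serial string, mapped to the
# SoC generation. Populated from publicly known Apple SoC identifiers; treat it
# as this example's assumption and verify it against your own device inventory.
CPID_TO_SOC = {
    0x8940: "A5", 0x8942: "A5", 0x8945: "A5X", 0x8947: "A5",
    0x8950: "A6", 0x8955: "A6X",
    0x8960: "A7",
    0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9", 0x8003: "A9", 0x8001: "A9X",
    0x8010: "A10", 0x8011: "A10X",
    0x8015: "A11",
    0x8020: "A12",
}

# SoC generations the article places in the vulnerable range (A5 through A11).
CHECKM8_AFFECTED = {
    "A5", "A5X", "A6", "A6X", "A7", "A8", "A8X", "A9", "A9X", "A10", "A10X", "A11",
}

# Each tag is KEY:VALUE; a value is either a bracketed string (SRTG, PWND)
# or a run of non-space characters.
_TAG = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")

# Constructed sample serial strings (not captured from real devices).
SAMPLE_A11 = ("CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
              "ECID:000000000000DEAD IBFL:3C SRTG:[iBoot-3332.0.0.1.23]")
SAMPLE_A12 = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
              "ECID:000000000000BEEF IBFL:3C SRTG:[iBoot-3865.0.0.4.7]")
SAMPLE_PWNED = SAMPLE_A11 + " PWND:[checkm8]"


def parse_dfu_serial(serial):
    """Split a DFU-mode USB serial string into a dict of tag -> value.
    Bracketed values (SRTG, PWND) are returned without the brackets."""
    return {key: value.strip("[]") for key, value in _TAG.findall(serial)}


def assess(serial):
    """Classify a device from its DFU serial string: which SoC it has,
    whether that SoC is in the checkm8 range, and whether the exploit has
    already been run against it in this boot (PWND tag present)."""
    fields = parse_dfu_serial(serial)
    if "CPID" not in fields:
        raise ValueError("no CPID tag in serial string")
    cpid = int(fields["CPID"], 16)
    soc = CPID_TO_SOC.get(cpid, "unknown")
    return {
        "cpid": cpid,
        "soc": soc,
        "affected": soc in CHECKM8_AFFECTED,
        "exploited_this_boot": fields.get("PWND") == "checkm8",
        "bootrom": fields.get("SRTG"),
    }


if __name__ == "__main__":
    for name, s in (("A11", SAMPLE_A11), ("A12", SAMPLE_A12), ("pwned", SAMPLE_PWNED)):
        print(name, assess(s))
```

On a real device the serial string comes from the USB device descriptor of the DFU-mode device (vendor 0x05ac, product 0x1227); on Linux `lsusb -v` shows it as iSerial, and any libusb binding can read it with the same field layout.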
Unlike some of the jailbreaks out there, checkm8 has not matured into a tool that can be downloaded and applied on the fly. It is a tethered exploit: the device is put into DFU mode and connected to a computer over USB, and the exploit is run against it from there. It does not survive a reboot, so the process has to be repeated every time the device restarts. Many jailbreaks have started out tethered, but because the vulnerable code sits in read-only memory, checkm8 itself cannot be turned into an untethered exploit; whether a jailbreak built on top of it can be made persistent by other means is unknown.
The exploit was released in a GitHub repository (axi0mX's ipwndfu) with a warning that the tool could brick the device:
“This tool is currently in beta and could potentially brick your device. It will attempt to save a copy of data in NOR to nor-backups folder before flashing new data to NOR, and it will attempt to not overwrite critical data in NOR which your device requires to function. If something goes wrong, hopefully you will be able to restore to latest IPSW in iTunes and bring your device back to life, or use nor-backups to restore NOR to the original state, but I cannot provide any guarantees.”
What does this mean?
It has been speculated that, with checkm8 as a first step into the device, anything and everything could be modified, updated or changed at a malicious actor's request.
Examples cited include persistence of the jailbreak itself (preventing Apple from reverting the changes once applied), dual-booting, loading a different OS, and tampering with GPS or telemetry, just to start.
It has also been suggested that the ‘bad guys’ could get around account locks and stolen or lost device protections, capture credentials, enlist the device in a botnet, or cause a myriad of other problems. One caveat worth stating: the exploit does not touch the Secure Enclave, and user data on these devices remains encrypted under the user's passcode, so a bootrom exploit on its own does not hand an attacker the contents of a locked, passcode-protected phone.
We Do Have Good News Though
Apple fixed the flaw in the previous year's A12 processors, so newer devices (the XS/XR and the 11/11 Pro) are not affected by this bootrom exploit.
The exploit cannot be run against your device ‘over the air’. The attacker must have physical access to the device, put it into DFU mode, and connect it to their computer over USB.
Most of the time, people jailbreak their own phones to install third-party apps that are not in the App Store; generally, they are not after anyone's sensitive or personal data.
At this time the exploit is not ‘script kiddie’ or ‘easy’ to use. It is more than a proof of concept, but it is not something you can find with a quick Google search and download as a kit with instructions.
As always if you have any questions, would like more information or would like to reach out to us please email us at [email protected]