With the checkra1n iPhone jailbreak now available, security experts are urging mobile-device managers to keep on their toes as the powerful new tool becomes available to hackers and iPhone users who may recklessly use it.
Jailbreaking is the process of hacking these devices to bypass DRM restrictions, allowing users to run unauthorized and custom software, and to make other tweaks to iOS.
The security concerns around checkra1n are multifaceted. One risk factor is users jailbreaking their own iOS devices, making them susceptible to rogue or unstable apps downloaded from outside of Apple’s curated App Store.
For a minority of high-value targets, the concern is that if the target lost temporarily physical control of their phone, an adversary could jailbreak their iPhone and plant malicious software onto the handset.
“Checkra1n is unprecedented in potential impact, with millions of devices at risk as a result of the extensive device and iOS targets,” warned Christopher Cinnamo, senior vice president of product management at Zimperium, in a company blog post.
In this context, a jailbreak is a method to escape Apple’s limitations on what apps and code can run on the iPhone. Jailbreaks are useful for those wanting to install custom code, add features or perform security research outside the purview of the Apple ecosystem.
Who is Vulnerable?
Last Friday, checkra1n was officially released and promoted as an easy way to jailbreak iOS devices. The tool is based on the BootROM exploit called checkm8, released in September by a hacker that goes by the name axi0mX. Checkm8 is billed as a “permanent unpatchable BootROM exploit” for any iOS device running A5 to A11 chips, or iOS versions from iOS 12.3 through the latest version of iOS, 13.2.2.
However, to call the jailbreak “permanent” is a bit of a misnomer.
“The device will be ‘un-jailbroken’ by a reboot,” noted Christoph Hebeisen, head of security research at Lookout.
He noted that while the jailbreak will not survive past a device reboot, an attacker could persist on the device by sideloading an app on it. Once a rogue app is installed on the iOS device the attacker would have a permanent foothold on the handset for further exploitation.
“It is permanent in the sense that the jailbreak will continue working for the life of the device no matter what version of iOS it is running,” Hebeisen added.
That said, for an adversary to jailbreak a target’s phone without their knowledge is an unwieldy process. The prerequisites for a third-party jailbreak is access to an unlocked iPhone, and tethering the device to a macOS computer running the exploit code.
Despite the difficult attack window, Hebeisen believes the checkra1n jailbreak represents a real threat.
“[An attack] can happen with device theft or when a device must be handed over for inspection while crossing international borders. For example, a few months ago it was reported that Chinese border guards put secret surveillance app on tourists’ phones,” Hebeisen stated.
Unfixable Chips
The jailbreak also gains permanence via flaws in the chips that range from A5 (designed by Apple and manufactured by Samsung) through A11 (designed by Apple and manufactured by TSMC). The attack leverages the fact the chips’ BootROM is read-only memory (ROM) that holds startup (or boot-up) instructions for iPhones. Because the memory is read-only, the exploited vulnerability can’t be patched via a security update.
“The checkra1n hack works differently from the typical iPhone jailbreak methods we’ve seen over the years,” wrote Alex Anstett, marketing manager with Wandera, in a company blog post. “While most jailbreaks exploit vulnerabilities in the iOS software, checkra1n is a BootROM exploit that targets a security flaw in the code that runs on iOS devices during boot up, making this jailbreak unpatchable.”
Security firms believe the biggest risk factor is employees that jailbreak their own iOS devices and unwittingly put themselves and the companies they work for at risk.
“[Checkra1n] poses a significant compliance risk to a company as unauthorized modifications to iOS cause that device to fall out of compliance with internal and external parameters,” Lookout’s Hebeisen told Threatpost. “In highly regulated industries such as finance, healthcare and manufacturing, this can damage a company’s reputation and worse, lead to risky compliance violations.”
Post-Jailbreak Protection
Given that the jailbreak can be repeated indefinitely on a single device, it’s recommended that if a user loses physical access to their iOS device, they should reboot the device.
“Organizations should consider putting a standardized policy or process in place for any device that was out of a user’s control for a certain amount of time,” wrote Lookout. “This process should include resetting the device password, cycling multi-factor authentication (MFA) tokens, and/or blocking access to corporate apps and infrastructure for a certain amount of time.”
Mobile security vendors also suggest mobile device management teams use one of the myriad of tools that offer jailbreak detection.
Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.