A researcher is warning of an unpatchable bug affecting hundreds of millions of iPhones that gives attackers system-level access to handsets via a jailbreak that Apple cannot block with a software update. Right now, the scope of the attack is limited.
The exploit is dubbed “checkm8” by a security researcher who goes by the alias axi0mX. It leverages what is called a bootrom vulnerability. As the name suggests, the bootrom is read-only memory (ROM) burned into the device’s chip that holds the first code the iPhone runs when it starts up, and everything later in the boot chain depends on it. Because that memory is read-only, the vulnerability can’t be patched with a security update; closing it requires new hardware.
“The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010,” said axi0mX on Twitter, Friday. “This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.”
According to axi0mX, most generations of the iPhone and iPad are vulnerable, ranging from the iPhone 4S (A5 chip) to the iPhone 8 and iPhone X (A11 chip). He does not say whether Apple’s most recent chip families, the A12 and A13, are affected.
Apple did not respond to a request for comment.
Work in Progress
It’s important to note that axi0mX released the exploit on GitHub, not a full jailbreak, meaning that there is no public jailbreak available yet. A jailbreak is a method of escaping Apple’s limitations on what apps and code can run on the iPhone. Jailbreaks are useful for those wanting to install custom code, add features or perform security research outside the purview of the Apple ecosystem. Attackers also use jailbreaks to install malware and otherwise take control of a device.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX (@axi0mX) September 27, 2019
Another limit of checkm8 is that the vulnerability can only be exploited locally, not remotely, axi0mX said. An attacker, or someone interested in jailbreaking their own iPhone, needs physical access to the handset and a USB connection to it: the bug sits in the USB code the bootrom exposes while the device is in DFU (Device Firmware Upgrade) mode. Because the exploit runs only in memory and the bootrom itself is unchanged, it also does not survive a reboot; the device boots normally next time unless it is exploited again.
The researcher said he discovered the vulnerability while analyzing a fix, issued a year ago, for a use-after-free vulnerability in iBoot’s USB code. The exploit leverages a race condition and “is not perfectly reliable yet,” said axi0mX.
However, the exploit “would lower the bar for jailbreaking the device significantly, and is particularly concerning because of the fact that it is located in a place where it can’t be fixed without replacing the hardware,” according to Thomas Reed with Malwarebytes in an analysis.
Exploit Release and Jailbreaks
Axi0mX argues that releasing the BootROM exploit “for older devices makes iOS better for everyone.”
“Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak,” he said. “They will be safer.”
He also said that the exploit will help security researchers interested in Apple’s bug bounty program, as it gives them access to parts of the phone they need for their research, so more vulnerabilities might get reported to Apple right away.
Some in the security space, however, worry that the exploit could instead be used by threat actors for malicious purposes; some took to Twitter to call the public release “irresponsible.”
“I support people’s right to jailbreak their phones,” said Eva Galperin on Twitter. “But I’m also bracing myself for the coming upgrades to the capabilities of iOS spouseware and stalkerware.”
I support people’s right to jailbreak their phones. But I’m also bracing myself for the coming upgrades to the capabilities of iOS spouseware and stalkerware. https://t.co/M4qXDM4CJQ
— Eva (@evacide) September 27, 2019
Reed, for his part, said that the exploit hasn’t been weaponized yet, as far as anyone is aware.
“Though, of course, it could already be in secret use by criminals, forensics companies like Cellebrite and Grayshift, and surveillance companies like NSO,” he said. “It’s also important to keep in mind that many files on the device will be encrypted. Even if the device is jailbroken, that doesn’t automatically give the attacker access to the contents of those files. Of course, it would still be possible to install malware that could potentially get access to the unencrypted contents of those files in the course of normal usage of the device.”
Researchers have published a slew of exploits enabling iPhone jailbreaks this year. In January, a researcher published what he claimed was a proof-of-concept exploit that would allow a remote attacker to jailbreak an iPhone X without the user’s knowledge, gaining access to the victim’s data, processing power and more.
In August, Apple’s iOS 12.4 update accidentally reintroduced a vulnerability that had been fixed in a previous update, allowing phones to be jailbroken; a public jailbreak was released for it.