New unpatchable iPhone exploit could allow for a permanent Jailbreak for millions of devices
A newly discovered iOS exploit named "checkm8", classified as a bootrom vulnerability, could lead to a permanent, unblockable jailbreak on hundreds of millions of iPhones. The exploit is claimed to be a "permanent unpatchable bootrom exploit" oriented towards the iPhone 4s to the iPhone X irrespective of whichever iOS version they are running.
The exploit was discovered by a security researcher who goes by the name @axi0mX on Twitter. According to axi0mX, the exploit could give hackers deep access to iOS devices on a level that Apple would be unable to block or patch out with a future software update. In addition to this, it will give the device permission to downgrade even though Apple stops signing iOS builds. That would make it one of the biggest developments in the iPhone hacking community in years.
Furthermore, axi0mX also shared what he calls "open-source jailbreaking tool for many iOS devices" on GitHub that is meant for researchers and is not a full-fledged jailbreak tool compatible with Cydia. The tool can be used to downgrade to an older version of iOS, but definitive proof of it being done is yet to arrive, and there are still a lot of loose ends.
Here is how axi0mX explains it:
What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
The tool is currently in beta and also comes with the risk of bricking the iPhone on which it is tried.
Ars Technica interviewed axi0mX and the takeaways from the long-ranging interview are:
- Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits
- The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
- Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.
- All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.
- Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.
In order to perform the jailbreak, one needs physical access to an iPhone and a computer to connect both the devices via a USB cable, as the jailbreak can not be performed remotely. But the person who discovered it mentions that it is possible to create a cable or dongle than can take advantage of the exploit to jailbreak an iPhone without even requiring a computer in the first place.
Moreover, using Checkm8 will not give access to your data or bypass lock screen. It still requires your PIN or Fingerprint to access your device. This is because Apple introduced the Secure Enclave and Touch ID in 2013, that protects your data if you do not have the PIN. In other words, pretty much all current phones, from iPhone 6 to iPhone 8, will require a PIN or Touch ID as there is a Secure Enclave that protects your data.
In addition, the exploit only gives you temporary root permission and will only last till next reboot and any malware installed will not run once the device reboots. The researcher clearly explains that using this vulnerability, on its own, is not going to get you encrypted data or easily installable and persistent malware payloads on the devices this vulnerability affects.
However, it a boon to researchers, who can use the exploit in a reliable way to do important work that was previously impossible to do. It will allow them to analyze apps for signs of abuse. They will be able to better detect malicious websites. They will be able to detect the kind of imperceptible malware that are hard to find before.
It is still very early days for the checkm8 exploit. There is no actual jailbreak yet, meaning that you cannot simply download a tool, crack your device, and start downloading apps and modifications to iOS.
Apple is yet to release a statement regarding the new discovery, but the researcher who discovered it claims checkm8 is "the biggest news in iOS jailbreak community in years".