Hacker Releases 'Unpatchable' Jailbreak For All iOS Devices, iPhone 4s to iPhone X

bnew

September 27, 2019, by Mohit Kumar

An iOS hacker and cybersecurity researcher today publicly released what he claimed to be a "permanent unpatchable bootrom exploit," in other words, an epic jailbreak that works on all iOS devices ranging from iPhone 4s (A5 chip) to iPhone 8 and iPhone X (A11 chip).

Dubbed Checkm8, the exploit leverages unpatchable security weaknesses in Apple's Bootrom (SecureROM), the first significant code that runs on an iPhone while booting, which, if exploited, provides greater system-level access.

"EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices," said axi0mX while announcing the public release of the exploit on Twitter.


The new exploit came exactly a month after Apple released an emergency patch for another critical jailbreak vulnerability that works on Apple devices including the iPhone XS, XS Max, and XR and the 2019 iPad Mini and iPad Air, running iOS 12.4 and iOS 12.2 or earlier.

Since bootrom exploits are hardware-level issues that cannot be patched without a hardware revision, a simple software update cannot address the newly released bootrom exploit.

It should be noted that the Checkm8 exploit itself is not a full jailbreak with Cydia; instead, it is an exploit that researchers and the jailbreak community can use to develop a fully working jailbreak tool.



Features the Checkm8 exploit allows include the following:

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit.
  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
  • Dump NOR on S5L8920 devices.
  • Flash NOR on S5L8920 devices.
  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

"This is possibly the biggest news in the iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community," says axi0mX, who released the exploit on GitHub.



"Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG."

axi0mX says he discovered the underlying bootrom vulnerability while analyzing a security patch Apple released in 2018 to address a previously discovered critical use-after-free vulnerability in iBoot USB code.

axi0mX also notes that his exploit cannot be performed remotely. Instead, it can only be triggered over USB and requires physical access.

The jailbreak only works on iPhones running Apple's A5 and A11 chipsets and does not work on the latest two chipsets, i.e., A12 and A13.
 

Prodigital

Yo, this is bad news. Hardware-level exploit... Don't leave your phone away from you ever again. Everything on your phone can be touched.

Keep in mind if you got the latest iPhone you are safe.

I love the community and all and mainly want jailbreak to tether under the radar, but this shyt right here is spooky.
 

screwface

Haven't used a jailbroken iPhone in years, but does Apple Pay still work with a jailbroken phone?
 

bnew

New iOS exploit checkm8 allows permanent compromise of iPhones - Malwarebytes Labs

This morning, an iOS researcher with the Twitter handle @axi0mX announced the release of a new iOS exploit named checkm8 that promises to have serious consequences for iPhone and iPad hardware. According to the Tweet, this exploit is a “permanent unpatchable bootrom exploit,” capable of affecting devices from 4S up to the iPhone X.

[Image: checkm8 announcement tweet]

But what, exactly, does this mean? First, let’s explain what bootrom is. A bootrom is a read-only memory chip containing the very first code to load when a system starts up. Since bootrom code is the core of the device’s startup process, and it shouldn’t be possible to change it, finding a bug in that code is the Holy Grail of hacking.

According to @axi0mX, such a bug exists, and the code needed to exploit it is now freely available on GitHub.

This exploit is not a jailbreak, which would provide the capabilities to install arbitrary software, get root permissions, and escape the sandbox. However, it would lower the bar for jailbreaking the device significantly, and is particularly concerning because of the fact that it is located in a place where it can’t be fixed without replacing the hardware.

If you’re an iOS security researcher, this will likely be the most exciting thing you’ll hear all year—possibly even for your entire career to-date. However, I foresee a lot of fear, uncertainty, and doubt among most other people reading this news. So, what’s the real-world impact of this release?

Devices affected
The devices that are vulnerable to checkm8 include the following:

  • iPhones from the 4s up to the iPhone X
  • iPads from the 2 up to the 7th generation
  • iPad Mini 2 and 3
  • iPad Air 1st and 2nd generation
  • iPad Pro 10.5-inch and 12.9-inch 2nd generation
  • Apple Watch Series 1, Series 2, and Series 3
  • Apple TV 3rd generation and 4k
  • iPod Touch 5th generation to 7th generation
This is probably not an exhaustive list, and as @axi0mX mentions, more will be added.

However, the version of iOS/iPadOS/watchOS/tvOS should not matter at all, as Apple will not be able to patch this in software updates. Only purchasing a whole new, updated device would fix the problem. Apple’s A12 and later chips, used in newer devices (iPhone Xs, iPhone XR, iPhone 11 series, 3rd generation iPad Pros) are not vulnerable.

Implications
Although checkm8 will work even on a locked device, it’s important to understand that checkm8 is not a remote exploit. To compromise your iPhone, an attacker would need to have it in his hands physically. The device would need to be connected to a computer and put into DFU (Device Firmware Upgrade) mode in order to exploit it.

The checkm8 vulnerability itself is not sufficient to install persistent malware on a device. However, it could potentially be chained together with other vulnerabilities in iOS to gain that level of access.

This exploit hasn’t been weaponized yet, as far as anyone is aware. Though, of course, it could already be in secret use by criminals, forensics companies like Cellebrite and Grayshift, and surveillance companies like NSO.

It’s also important to keep in mind that many files on the device will be encrypted. Even if the device is jailbroken, that doesn’t automatically give the attacker access to the contents of those files. Of course, it would still be possible to install malware that could potentially get access to the unencrypted contents of those files in the course of normal usage of the device.

Finally, if you’re lucky enough to have the latest hardware, you’re safe from checkm8. Apple’s king takes the exploit rook for the win.

Possible applications
Besides the obvious threat of criminal activity, there are actually some beneficial possible uses of checkm8.

For security researchers, this is a huge boon, which should help them analyze any version of iOS that will run on an iPhone X or older. Since iOS research really can’t be done on a device that hasn’t had security restrictions lifted somehow, this will likely become one of the most important tools in researchers’ toolkits. This can benefit iOS users, as it can enable researchers to locate issues and report them to Apple.

For law enforcement, and the companies that help them unlock iPhones, this is huge. (Assuming, of course, that companies like Grayshift and Cellebrite weren’t already aware of this vulnerability.) The checkm8 exploit would need to be chained together with other vulnerabilities to be useful, but would be attractive as a link in the chain since it cannot be patched by Apple.

There’s debate as to how beneficial this is for users, though. On the one hand, we want law enforcement to do their jobs. On the other hand, law enforcement abuses are a problem, especially for disadvantaged minorities. Using this exploit as leverage for surveillance or other abuses of privacy rights could leave users with few options to fight back.

The reputation of iOS
Following on the heels of the report from Google Project Zero on China’s recent use of 14 different vulnerabilities to infect iPhones owned by Uyghurs with malware, this adds to the tarnish on iOS’ reputation for security. iOS has long been known as the most secure mainstream mobile system on the planet. However, these incidents lead to hard questions about whether that’s still the case.

Of course, Android devices are no strangers to these problems, either. In fact, if you search the Internet for “flash bootrom,” you’ll come up with lots of instructions on how to actually change the bootrom for various Android devices.

Still, this is a serious problem. If used in the wild, it will be difficult to determine whether a device has been compromised, due to the extremely closed nature of iOS. As with the Project Zero findings from last month, this is yet another reason that Apple needs to provide more visibility into the status of iOS. Even just being able to inspect the list of running processes without jailbreaking would be a move in the right direction.

Checkmate for iOS?
Make no mistake, this is a serious issue for Apple and iOS security. What’s important to note here is that, so far, checkm8 only represents potential danger. After the initial flurry dies down, it’s possible we may never hear of anything malicious being done with checkm8.

It’s also highly likely that this will be used for positive ends, by security researchers who want to better understand iOS and help to make it more secure.

I don’t see checkm8 as something that should drive people away from iOS. Personally, as much as a permanent vulnerability in my phone’s bootrom concerns me, I’ll continue using my iPhone X until I have a bigger reason to upgrade. Perhaps that reason will be new developments in the checkm8 story; or perhaps it will be the inevitable failure of the battery a few years from now. Only time will tell.
 
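The "Devices affected" list and the DFU-mode detail in the post above (and the A5-to-A11 range in the first post) both reduce to one question a practitioner triaging a device asks: which SoC is this, and is it already sitting in pwned DFU? The following is an added example, not code from the thread, from axi0mX or from Malwarebytes. It parses the USB serial-number string an Apple device exposes in DFU mode and maps its CPID to the checkm8-affected range. The DFU USB IDs, the `CPID:... BDID:... ECID:... SRTG:[...]` field layout, the CPID-to-SoC table and the `PWND:[checkm8]` marker that ipwndfu leaves behind are all assumptions taken from public documentation rather than from the posts, and the sample serial strings are constructed.

```python
"""Triage an Apple device in DFU mode against the checkm8-affected range.

Added example for this thread; not code from axi0mX, Malwarebytes or the
forum posters.  Assumptions (from public documentation, not the thread):
  * a device in DFU mode enumerates as USB vendor 0x05ac, product 0x1227;
  * its USB serial-number string has the shape
      "CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:... IBFL:1C SRTG:[iBoot-1704.10]"
  * a device already placed in pwned DFU by ipwndfu carries an extra
    "PWND:[checkm8]" field.
The CPID table and the sample serial strings are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

APPLE_VID = 0x05AC   # assumed Apple USB vendor ID
DFU_PID = 0x1227     # assumed product ID a device uses while in DFU mode

# CPID -> (SoC name, affected by checkm8).  A5 through A11 are affected,
# A12 and later are not.  Assumed mapping, not taken from the thread.
CPID_TABLE = {
    0x8940: ("A5", True), 0x8942: ("A5 (32nm)", True), 0x8945: ("A5X", True),
    0x8950: ("A6", True), 0x8955: ("A6X", True),
    0x8960: ("A7", True),
    0x7000: ("A8", True), 0x7001: ("A8X", True),
    0x8000: ("A9", True), 0x8003: ("A9", True), 0x8001: ("A9X", True),
    0x8010: ("A10", True), 0x8011: ("A10X", True),
    0x8015: ("A11", True),
    0x8020: ("A12", False), 0x8027: ("A12X", False),
    0x8030: ("A13", False),
}

# Each field is NAME:value; the value is either a [bracketed] string or a
# run of non-space characters (hex numbers).
_FIELD_RE = re.compile(r"\b([A-Z]+):(\[[^\]]*\]|\S+)")


@dataclass
class DfuInfo:
    cpid: int
    bdid: int
    ecid: int
    srtg: str                          # SecureROM tag, e.g. "iBoot-1704.10"
    soc: str
    checkm8_affected: Optional[bool]   # None when the CPID is not in the table
    pwned: bool                        # already in pwned DFU (PWND field present)


def is_apple_dfu(vid: int, pid: int) -> bool:
    """True when a USB vendor/product pair is an Apple device in DFU mode."""
    return vid == APPLE_VID and pid == DFU_PID


def parse_dfu_serial(serial: str) -> DfuInfo:
    """Parse the DFU serial-number string and classify the SoC."""
    fields = dict(_FIELD_RE.findall(serial))
    missing = [k for k in ("CPID", "BDID", "ECID") if k not in fields]
    if missing:
        raise ValueError(f"not a DFU serial string, missing {missing}: {serial!r}")
    cpid = int(fields["CPID"], 16)
    soc, affected = CPID_TABLE.get(cpid, (f"unknown CPID 0x{cpid:04x}", None))
    return DfuInfo(
        cpid=cpid,
        bdid=int(fields["BDID"], 16),
        ecid=int(fields["ECID"], 16),
        srtg=fields.get("SRTG", "").strip("[]"),
        soc=soc,
        checkm8_affected=affected,
        pwned="PWND" in fields,
    )


def triage(serial: str) -> str:
    """One-line verdict of the kind a responder would log for a seized device."""
    info = parse_dfu_serial(serial)
    if info.checkm8_affected is None:
        verdict = "unknown SoC, cannot classify"
    elif info.pwned:
        verdict = "ALREADY IN PWNED DFU (checkm8 marker present)"
    elif info.checkm8_affected:
        verdict = "checkm8-affected; bootrom is unpatchable"
    else:
        verdict = "not affected by checkm8"
    return f"{info.soc} (CPID 0x{info.cpid:04x}, ECID 0x{info.ecid:x}): {verdict}"


# Constructed sample strings, one per case handled above.
SAMPLE_SERIALS = {
    "iphone_x":  "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000A4A0B4C1D2E3F IBFL:3C SRTG:[iBoot-3332.0.0.1.23]",
    "iphone_xs": "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:0011223344556677 IBFL:3C SRTG:[iBoot-4479.0.0.100.4]",
    "pwned_a7":  "CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:0000112233445566 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]",
}

if __name__ == "__main__":
    for name, serial in SAMPLE_SERIALS.items():
        print(f"{name:10s} -> {triage(serial)}")
```

On a real machine the serial string comes from the USB device descriptor (for example via pyusb's `usb.util.get_string` on the device matching `is_apple_dfu`); the parser and table above are what you would feed it to, and an unknown CPID is deliberately reported as unclassifiable rather than as safe.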