Shocking news that is almost impossible to believe, but it is true.
A security researcher nicknamed axi0mX published the news on Twitter: he had discovered a new exploit for iOS, which he baptized checkm8, that allows jailbreaking of all iPhones from the 4S to the iPhone X.
Only newer models with the Apple A12 or Apple A13 chips are safe from this vulnerability.
It is special because it acts on the bootrom, a read-only memory, which makes it impossible for Apple to correct the problem in the affected models.
There is no possible patch for checkm8, whose code has already been published on GitHub: we explain how it works and what impact it has on iOS devices.
An uncontrollable exploit
The vulnerabilities that have appeared in recent years on iOS have given rise to the odd scenario in which it was possible to jailbreak some iPhone models running specific versions of Apple's mobile operating system.
The usual pattern was that, shortly after the problem was discovered, Apple released an iOS update to patch the system, but that is not possible for the problem posed by checkm8.
The reason lies in the way this exploit works: it "attacks" the bootrom of iOS, the boot memory of the operating system, which is read-only and is "recorded" in the iPhone's hardware.
A firmware update cannot act on it, which makes this exploit a “perpetual” problem for Apple, which cannot prevent users from taking advantage of it to jailbreak their devices.
You have to differentiate the exploit itself, checkm8, from the jailbreak, which at the moment has not been published, if anyone has developed it at all.
This vulnerability not only enables jailbreaking (to, for example, install third-party software not controlled by Apple or its App Store), but also compromises the security of the device.
What devices are affected
In reality, iPhones are not the only devices affected by the problem: as MalwareBytes experts point out, other Apple products governed by iOS or iOS-derived operating systems are also at risk.
The affected products, all of which lack the Apple A12 or A13 chips that are safe from the problem, are the following:
- All iPhones from the 4s to the iPhone X
- All iPads from the second to the seventh generation
- iPad mini 2 and iPad mini 3
- The first and second generation iPad Air
- The iPad Pro 10.5 and 12.9-inch 2nd generation
- The Apple Watch Series 1, Series 2 and Series 3
- The 3rd generation Apple TV and the 4K model
- The fifth, sixth and seventh generation iPod Touch
Physical access is required
Some jailbreaks had the peculiarity of being executable remotely, which was known as 'untethered', but checkm8 does not work that way: it is necessary to have the physical device and connect it to a computer, after which it is also necessary to activate DFU (Device Firmware Upgrade) mode to take advantage of the exploit.
The developer of this exploit also explained that this vulnerability is not enough by itself to install malware persistently on the device, although ways of gaining that level of access could still be discovered.
Among other things, the exploit must be executed every time the attacked device restarts.
When the device restarts, the memory the exploit operates on is lost, so it must be applied again (with the aforementioned physical access, connecting the device to a computer and activating DFU mode) to regain the privileges the exploit grants.
As axi0mX explained in an interview with Ars Technica, the risk for users is higher the older their devices are: Apple introduced and integrated its Secure Enclave and Touch ID in 2013, which allowed for a very high degree of security in the iPhone.
For older models like the iPhone 5 – the same one that was unlocked in the famous case of the FBI and the crimes of San Bernardino – this exploit would have allowed access to all the data.
In newer Apple phones with the Secure Enclave, that access is completely blocked: the exploit allows code execution on the device, but it does not allow bypassing the PIN protection, because that part depends on another subsystem in iOS.
What impact can checkm8 have and what can you do if you are affected
What can happen from now on is a “perpetual” version of what happened in 2010 when the famous George Hotz (geohot) discovered an exploit for the iPhone 3GS and the iPhone 4. That exploit was taken advantage of by redsn0w.
Apple would end up patching the problem and increasing security with the introduction of the aforementioned Secure Enclave, a separate processor that managed the encryption keys for user data and significantly increased the security level of the devices.
Checkm8 does not allow the decryption of that data, but it gives access to privileges that could make it possible to attack that encryption with other additional tools.
Since we are talking about an exploit that cannot be patched, the only thing users can do to protect themselves is to switch to a newer iPhone model with an A12 processor or later.
If they do, the ideal is then to erase the data on the old iPhone from the iOS settings menu.
If the user does not change phones
It is recommended to set an alphanumeric passcode instead of the more common 6-digit passcode.
With the exploit, brute-force attacks could be attempted to access user data, so a strong alphanumeric passcode can avoid potential problems.
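As an added illustration (not part of the original article), this Python snippet estimates the brute-force cost of a 6-digit passcode versus an alphanumeric one, which is the reasoning behind the recommendation above; the guess rate is a constructed placeholder, since the article gives no figure.

```python
import math
import string
from dataclasses import dataclass

# Character classes an attacker would have to cover; string.punctuation has 32 symbols.
CHAR_CLASSES = (
    ("digits", set(string.digits)),
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("symbols", set(string.punctuation)),
)


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int
    length: int

    def keyspace(self) -> int:
        """Total number of passcodes an exhaustive search must cover."""
        return self.alphabet_size ** self.length

    def entropy_bits(self) -> float:
        return self.length * math.log2(self.alphabet_size)

    def expected_seconds(self, guesses_per_second: float) -> float:
        """Average time to hit the right passcode: half the keyspace."""
        return self.keyspace() / 2 / guesses_per_second


def classify(passcode: str) -> PasscodePolicy:
    """Derive the policy a passcode effectively follows from the character
    classes it uses (an attacker tries the smallest alphabet containing it)."""
    used = [cls for _, cls in CHAR_CLASSES if any(c in cls for c in passcode)]
    if not used:
        raise ValueError("passcode contains no recognised characters")
    alphabet = sum(len(cls) for cls in used)
    return PasscodePolicy(f"{len(passcode)}-char, alphabet {alphabet}", alphabet, len(passcode))


def compare(passcodes, guesses_per_second: float) -> dict:
    """Map each passcode to its expected brute-force time at the assumed rate."""
    return {p: classify(p).expected_seconds(guesses_per_second) for p in passcodes}


if __name__ == "__main__":
    RATE = 10.0  # assumed guesses per second: a constructed placeholder
    for code, secs in compare(["123456", "Tr0ub4dor&3"], RATE).items():
        print(f"{code!r}: {classify(code).entropy_bits():.1f} bits, ~{secs / 86400:.1f} days")
```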