
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.

Fasterthannothing
Quote

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

That is absolutely insane! Well, Apple fanboys/girls can shove it when saying Apple products are secure.

Quote
1/ The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010. This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.
 
2/ What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
 
3/ Maybe someone can figure out a nice way to use JTAG on iPhone without proprietary hardware and software. I and many others would be forever grateful if someone makes that possible.
 
 
4/ Exploit released today supports s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015. Others will be added soon. It is not perfectly reliable yet; it uses a race condition and I only tested it on my MacBook Pro.
 
5/ During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.
 
6/ That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.
 
7/ A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.
 
 
8/ It will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.

All I can say is wow! The possibilities for this exploit are huge! The fact that it works on so many iOS devices and is unfixable is crazy.

 

Source: https://twitter.com/axi0mX/status/1177542201670168576?s=20


It seems to require physical access to the phone, no?

Doesn't necessarily seem like it could be exploited for evil from another party unless your phone was literally stolen.


I don't know anything about security, so in simple terms, could someone (other than OP who clearly just wants to trash Apple) explain what this means to me? I mean, reading through the Twitter post, it looks pretty much like all you can do is jailbreak any iOS version and it's irreversible. Someone stealing my phone in the first place is irreversible. 

 

Okay, I looked up some more information. As far as my understanding goes now, you need physical access to the device (Dan mentioned this), but then the device could then supposedly be accessed without the password? I suppose that's a loss of privacy if the police abuse their power or a thief gets his/her hands on your phone, but otherwise, all you have to do is keep your phone within your sight all the time...that's not hard. Most people do that anyway. It's obviously a security flaw, but it doesn't seem as catastrophic as some people are making it out to be. But again, I'm not a security pro.


12 minutes ago, Dan Castellaneta said:

It seems to require physical access to the phone, no?

Doesn't necessarily seem like it could be exploited for evil from another party unless your phone was literally stolen.

Yes, it does require physical access, so it's really not an issue for 99.88% of people.


From what I've read you have to put your device in DFU mode to make this work. It sounds a lot like the Switch exploit that was unpatchable as well.

 

Since physical access is required the risk is minimal and the likelihood that Apple will try to fix it is also minimal.


Oh wow, if I am comprehending these all correctly, wouldn't this mean that anyone who has access to someone's iPhone can pretty much dump everything after they get the keys? This sounds very much like what governments use to get access to people's phones.


Just now, Levent said:

Oh wow, if I am comprehending these all correctly, wouldn't this mean that anyone who has access to someone's iPhone can pretty much dump everything after they get the keys? This sounds very much like what governments use to get access to people's phones.

Just because you can dump it doesn't mean you can decrypt it. It'd be easier to brute-force a passcode than try and decrypt the data dump.


Just now, HarryNyquist said:

Just because you can dump it doesn't mean you can decrypt it. It'd be easier to brute-force a passcode than try and decrypt the data dump.

If you can recover the key from the device it wouldn't be that hard?


2 minutes ago, Levent said:

If you can recover the key from the device it wouldn't be that hard?

From what I remember, the encryption key is derived from the passcode. It's not stored in that way (and in the cases it is stored, it's not stored in an accessible location). Brute-forcing AES 256 from a data dump is way harder than brute-forcing the passcode in the OS.

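An added illustration of the point made in the post above (not code from the thread or from Apple): a toy model in which the data key is derived from the passcode entangled with a device-bound secret, so a dump taken off the device cannot be searched by passcode alone. The `DEVICE_UID` name, the HMAC/PBKDF2 construction, the iteration count and the 0.08 s per-guess figure are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy parameters (assumptions, not real device values).
ITERATIONS = 100              # kept tiny so the demo finishes quickly
DEVICE_UID = os.urandom(32)   # stands in for a hardware key that never leaves the chip
SALT = os.urandom(16)         # stored next to the encrypted data, not secret


def derive_key(passcode: str, uid: bytes, salt: bytes = SALT) -> bytes:
    """Entangle the passcode with the device-bound secret, then stretch it."""
    tangled = hmac.new(uid, passcode.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", tangled, salt, ITERATIONS)


def key_check(key: bytes) -> bytes:
    """Value stored with the data that lets the right key be recognised."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def search_passcodes(stored_check: bytes, uid: bytes, digits: int = 4):
    """Try every numeric passcode; return (passcode or None, guesses made)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        candidate = key_check(derive_key(guess, uid))
        if hmac.compare_digest(candidate, stored_check):
            return guess, n + 1
    return None, 10 ** digits


def worst_case_days(keyspace: int, seconds_per_guess: float) -> float:
    """Time to exhaust a passcode space when every guess must run the KDF."""
    return keyspace * seconds_per_guess / 86_400


def demo():
    # What a storage dump would contain: salt and key check, never the UID.
    stored = key_check(derive_key("4821", DEVICE_UID))
    # Off the device the UID is unknown, so the whole passcode space misses.
    off_device = search_passcodes(stored, uid=os.urandom(32))
    # On the device the hardware supplies the UID; only the passcode is unknown.
    on_device = search_passcodes(stored, uid=DEVICE_UID)
    return off_device, on_device


if __name__ == "__main__":
    off_device, on_device = demo()
    print("dump only, UID unknown:", off_device)
    print("on device, UID present:", on_device)
    for label, space in [("4 digits", 10**4), ("6 digits", 10**6),
                         ("8 chars a-z0-9", 36**8)]:
        print(f"{label}: {worst_case_days(space, 0.08):,.2f} days worst case")
```

In this model the strength of the protection rests on the passcode space and the per-guess cost, which is why the worst-case figures diverge so sharply between a short numeric passcode and a longer alphanumeric one.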

44 minutes ago, HarryNyquist said:

From what I've read you have to put your device in DFU mode to make this work. It sounds a lot like the Switch exploit that was unpatchable as well.

 

Since physical access is required the risk is minimal and the likelihood that Apple will try to fix it is also minimal.

Apple can't fix it, it's a hardware-based vulnerability.


48 minutes ago, Dan Castellaneta said:

Doesn't necessarily seem like it could be exploited for evil from another party unless your phone was literally stolen.

It can be exploited whenever you cross the border.  It sure makes it easier for border patrol agencies in the various surveillance states to dump the contents of travellers' iPhones and possibly install spyware onto it. 

 

 

 

33 minutes ago, HarryNyquist said:

Brute-forcing AES 256 from a data dump is way harder than brute-forcing the passcode in the OS.

For regular people that's true.  However government agencies can throw tons of hardware at that problem.  It's probably more convenient for them to brute-force a data dump than it is to get the phone's owner to tell them the passcode.

 


For those who don't appear to be understanding (or don't want to understand?), this poses a big threat to security on iPhones. If you lose your phone and someone steals it, iCloud won't help you. This allows a thief to circumvent iCloud and completely reload iOS to use for themselves... or they could install spyware and return the phone to you. Essentially, if someone gets their hands on your phone for even a few minutes your data and privacy could be compromised. There's nothing Apple can do to prevent this now. Major oof.


47 minutes ago, BigDamn said:

For those who don't appear to be understanding (or don't want to understand?), this poses a big threat to security on iPhones. If you lose your phone and someone steals it, iCloud won't help you. This allows a thief to circumvent iCloud and completely reload iOS to use for themselves... or they could install spyware and return the phone to you. Essentially, if someone gets their hands on your phone for even a few minutes your data and privacy could be compromised. There's nothing Apple can do to prevent this now. Major oof.

Most criminals wouldn't return a phone. Unless you are a CEO or have access to millions of dollars. 


Well now that the info is out there, you can bet that Apple will be working on a solution.


6 minutes ago, RoseLuck462 said:

Well now that the info is out there, you can bet that Apple will be working on a solution.

It's not fixable hence the words permanent and unpatchable 


2 hours ago, Shorty88jr said:

It's not fixable hence the words permanent and unpatchable 

My understanding is that because it’s affecting the lower-level ROM, being Read Only Memory, it can’t just be patched. I could be wrong here, just throwing it out there.


6 hours ago, theninja35 said:

I don't know anything about security, so in simple terms, could someone (other than OP who clearly just wants to trash Apple) explain what this means to me? I mean, reading through the Twitter post, it looks pretty much like all you can do is jailbreak any iOS version and it's irreversible. Someone stealing my phone in the first place is irreversible. 

 

Okay, I looked up some more information. As far as my understanding goes now, you need physical access to the device (Dan mentioned this), but then the device could then supposedly be accessed without the password? I suppose that's a loss of privacy if the police abuse their power or a thief gets his/her hands on your phone, but otherwise, all you have to do is keep your phone within your sight all the time...that's not hard. Most people do that anyway. It's obviously a security flaw, but it doesn't seem as catastrophic as some people are making it out to be. But again, I'm not a security pro.

Physical access to a device eventually grants all access to a device, with time.

 

The important takeaway here, for me, is that any government agency claiming they can't access a device, despite having physical access and in fact ownership (physical possession) of the device, is completely fucking lying out of their asses.

 

I say this because Way Back When, the FBI claimed they couldn't get into an iPhone and needed to force Apple to make a back door for them. A back door that they factually did not need, and the only reason for such an argument was that they wanted it for devices they did not have physical access to.

 

There is an old saying, Never attribute to malice, that which can be attributed to stupidity. This saying needs to be reversed when government is concerned. ALWAYS attribute government actions to malice instead of stupidity. Assume they want something because they can abuse it.


3 hours ago, Shorty88jr said:

It's not fixable hence the words permanent and unpatchable 


This is pretty much never 100% though

 

However sometimes it’s just better or cost efficient for the company to improve with the next generation of hardware, hence why this only affects older devices.


I've also read the exploit isn't persistent across reboots

 

which is unfortunate... because in order to do anything with it you'll have to plug phone into your computer and re-do the exploit anytime it reboots or shuts off on you

 

I can't help but wonder if this will allow people to bypass activation lock though... that could get ugly as stealing iPhones would become worth it again

Hopefully this means that jailbreaking iPhones would be easier again. It's been harder and harder these years as more developers work on Android systems instead.


If you allow someone to have physical access to your devices, you’re basically inviting the potential for attacks. 
 

The user’s data remains encrypted and the decryption key remains safe. That’s what’s important. No data is compromised.


11 hours ago, Shorty88jr said:

That is absolutely insane! Well, Apple fanboys/girls can shove it when saying Apple products are secure.

All I can say is wow! The possibilities for this exploit are huge! The fact that it works on so many iOS devices and is unfixable is crazy.

 

Source: https://twitter.com/axi0mX/status/1177542201670168576?s=20

You seem very ill-knowledged about all this and are making statements and being overexcited for the fact that an Apple device had a hardware security flaw.

 

And this requires physical unobstructed access to the device, which itself will wipe out 99% of users going to get affected by this


10 hours ago, RoseLuck462 said:


This is pretty much never 100% though

 

However sometimes it’s just better or cost efficient for the company to improve with the next generation of hardware, hence why this only affects older devices.

Of course it is, this vulnerability affects hardware built into the phone, the only way to fix it is by replacing the affected hardware which would require either resoldering a chip or replacing the entire handset.


Yeah and the scary part about this is that because it requires physical access to the device, you can't prevent it once your device is stolen afaik


43 minutes ago, kelvinhall05 said:

Yeah and the scary part about this is that because it requires physical access to the device, you can't prevent it once your device is stolen afaik

As I sort of said above, just reboot your phone after it’s stolen.