Shorty88jr

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.

Quote

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

That is absolutely insane! Well, Apple fanboys/girls can shove it when saying Apple products are secure.

Quote
1/ The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010. This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.
 
2/ What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
 
3/ Maybe someone can figure out a nice way to use JTAG on iPhone without proprietary hardware and software. I and many others would be forever grateful if someone makes that possible.
 
 
4/ Exploit released today supports s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015. Others will be added soon. It is not perfectly reliable yet; it uses a race condition and I only tested it on my MacBook Pro.
 
5/ During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.
 
6/ That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.
 
7/ A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.
 
 
8/ It will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.

All I can say is Wow! The possibilities for this exploit are huge! The fact that it works on so many iOS devices and is unfixable is crazy.

 

Source: https://twitter.com/axi0mX/status/1177542201670168576?s=20


It seems to require physical access to the phone, no?

Doesn't necessarily seem like it could be exploited for evil from another party unless your phone was literally stolen.



I don't know anything about security, so in simple terms, could someone (other than OP who clearly just wants to trash Apple) explain what this means to me? I mean, reading through the Twitter post, it looks pretty much like all you can do is jailbreak any iOS version and it's irreversible. Someone stealing my phone in the first place is irreversible. 

 

Okay, I looked up some more information. As far as my understanding goes now, you need physical access to the device (Dan mentioned this), but then the device could then supposedly be accessed without the password? I suppose that's a loss of privacy if the police abuse their power or a thief gets his/her hands on your phone, but otherwise, all you have to do is keep your phone within your sight all the time...that's not hard. Most people do that anyway. It's obviously a security flaw, but it doesn't seem as catastrophic as some people are making it out to be. But again, I'm not a security pro.


12 minutes ago, Dan Castellaneta said:

It seems to require physical access to the phone, no?

Doesn't necessarily seem like it could be exploited for evil from another party unless your phone was literally stolen.

Yes, it does require physical access, so it's really not an issue for 99.88% of people.


OH wow, if I am comprehending this all correctly, wouldn't this mean that anyone who has access to someone's iPhone can pretty much dump everything after they get the keys? This sounds very much like what governments use to get access to people's phones.


Just now, Levent said:

OH wow, if I am comprehending this all correctly, wouldn't this mean that anyone who has access to someone's iPhone can pretty much dump everything after they get the keys? This sounds very much like what governments use to get access to people's phones.

Just because you can dump it doesn't mean you can decrypt it. It'd be easier to brute-force a passcode than try and decrypt the data dump.

Just now, HarryNyquist said:

Just because you can dump it doesn't mean you can decrypt it. It'd be easier to brute-force a passcode than try and decrypt the data dump.

If you can recover the key from the device, it wouldn't be that hard?


2 minutes ago, Levent said:

If you can recover the key from the device, it wouldn't be that hard?

From what I remember, the encryption key is derived from the passcode. It's not stored in that way (and in the cases it is stored, it's not stored in an accessible location). Brute-forcing AES 256 from a data dump is way harder than brute-forcing the passcode in the OS.

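An added illustration of the point made in the post above: a key that is derived from the passcode rather than stored is only as strong as the passcode search, and that search is tiny next to guessing the 256-bit key from a dump. This is example code written for this page, not Apple's key derivation (on iOS the passcode is tangled with a per-device hardware key inside the AES engine, which is why the toy below includes a "device secret" as a KDF salt). The device secret, iteration count, digit counts and passcodes are constructed for the demonstration.

```python
"""Toy model of a passcode-derived data-protection key and what an attacker
holding an encrypted dump can and cannot search. Not Apple's scheme."""
import hashlib
import hmac
import math

# Constructed parameters; none of these are iOS values.
DEVICE_SECRET = hashlib.sha256(b"constructed-device-secret").digest()  # stands in for a per-device key
ITERATIONS = 500      # deliberately small so the searches below finish in well under a second
KEY_LEN = 32          # 256-bit key, the size the thread is talking about


def derive_key(passcode: str, device_secret: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the data key from the passcode with PBKDF2-HMAC-SHA256, salted with the
    device secret. The key is recomputed on every unlock and never written to storage."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret, iterations, dklen=KEY_LEN)


def brute_force_passcode(target_key: bytes, device_secret: bytes, digits: int = 4):
    """Attacker who holds the dump (so can test candidate keys) and the device secret.
    Returns (passcode or None, number of candidates tried)."""
    tried = 0
    for n in range(10 ** digits):
        tried += 1
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(derive_key(candidate, device_secret), target_key):
            return candidate, tried
    return None, tried


def search_space_bits(digits: int, device_secret_known: bool, secret_bits: int = 256) -> float:
    """log2 of the number of candidates the attacker must try.
    Secret known: only the 10**digits passcodes. Secret unknown: every secret value too."""
    bits = digits * math.log2(10)
    if not device_secret_known:
        bits += secret_bits
    return bits


def raw_key_bits() -> int:
    """Attacking the dump directly means guessing the AES-256 key itself."""
    return KEY_LEN * 8


if __name__ == "__main__":
    key = derive_key("2048", DEVICE_SECRET)
    found, tried = brute_force_passcode(key, DEVICE_SECRET)
    print(f"recovered passcode {found} after {tried} KDF evaluations")
    print(f"4-digit passcode, secret known:   ~2^{search_space_bits(4, True):.1f} candidates")
    print(f"6-digit passcode, secret known:   ~2^{search_space_bits(6, True):.1f} candidates")
    print(f"4-digit passcode, secret unknown: ~2^{search_space_bits(4, False):.1f} candidates")
    print(f"raw AES-256 key from the dump:    2^{raw_key_bits()} candidates")
```

The two numbers to compare are the last two lines of the output: a 4-digit passcode is about 2^13 candidates and a 6-digit one about 2^20, while the raw key is 2^256. Whether the passcode search is feasible at all depends on where the device-bound secret lives; if it has to stay on the device, the search has to run there too, at the device's KDF rate, which is the whole point of tangling the key with hardware.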
44 minutes ago, HarryNyquist said:

From what I've read you have to put your device in DFU mode to make this work. It sounds a lot like the Switch exploit that was unpatchable as well.

 

Since physical access is required the risk is minimal and the likelihood that Apple will try to fix it is also minimal.

Apple can't fix it; it's a hardware-based vulnerability.


48 minutes ago, Dan Castellaneta said:

Doesn't necessarily seem like it could be exploited for evil from another party unless your phone was literally stolen.

It can be exploited whenever you cross the border.  It sure makes it easier for border patrol agencies in the various surveillance states to dump the contents of travellers' iPhones and possibly install spyware onto it. 

 

 

 

33 minutes ago, HarryNyquist said:

Brute-forcing AES 256 from a data dump is way harder than brute-forcing the passcode in the OS.

For regular people that's true.  However government agencies can throw tons of hardware at that problem.  It's probably more convenient for them to brute-force a data dump than it is to get the phone's owner to tell them the passcode.

 


For those who don't appear to be understanding (or don't want to understand?), this poses a big threat to security on iPhones. If you lose your phone and someone steals it, iCloud won't help you. This allows a thief to circumvent iCloud and completely reload iOS to use for themselves... or they could install spyware and return the phone to you. Essentially, if someone gets their hands on your phone for even a few minutes your data and privacy could be compromised. There's nothing Apple can do to prevent this now. Major oof.


47 minutes ago, BigDamn said:

For those who don't appear to be understanding (or don't want to understand?), this poses a big threat to security on iPhones. If you lose your phone and someone steals it, iCloud won't help you. This allows a thief to circumvent iCloud and completely reload iOS to use for themselves... or they could install spyware and return the phone to you. Essentially, if someone gets their hands on your phone for even a few minutes your data and privacy could be compromised. There's nothing Apple can do to prevent this now. Major oof.

Most criminals wouldn't return a phone. Unless you are a CEO or have access to millions of dollars. 

6 minutes ago, RoseLuck462 said:

Well now that the info is out there, you can bet that Apple will be working on a solution.

It's not fixable, hence the words permanent and unpatchable.

2 hours ago, Shorty88jr said:

It's not fixable, hence the words permanent and unpatchable.

My understanding is that because it's affecting the lower-level ROM, being Read Only Memory, it can't just be patched. I could be wrong here, just throwing it out there.

6 hours ago, theninja35 said:

I don't know anything about security, so in simple terms, could someone (other than OP who clearly just wants to trash Apple) explain what this means to me? I mean, reading through the Twitter post, it looks pretty much like all you can do is jailbreak any iOS version and it's irreversible. Someone stealing my phone in the first place is irreversible. 

 

Okay, I looked up some more information. As far as my understanding goes now, you need physical access to the device (Dan mentioned this), but then the device could then supposedly be accessed without the password? I suppose that's a loss of privacy if the police abuse their power or a thief gets his/her hands on your phone, but otherwise, all you have to do is keep your phone within your sight all the time...that's not hard. Most people do that anyway. It's obviously a security flaw, but it doesn't seem as catastrophic as some people are making it out to be. But again, I'm not a security pro.

Physical access to a device eventually grants all access to a device, with time.

 

The important takeaway here, for me, is that any government agency claiming they can't access a device, despite having physical access and in fact ownership (physical possession) of the device, is completely fucking lying out of their asses.

 

I say this because Way Back When, the FBI claimed they couldn't get into an iPhone and needed to force Apple to make a back door for them. A back door that they factually did not need, and the only reason for such an argument was that they wanted it for devices they did not have physical access to.

 

There is an old saying, Never attribute to malice, that which can be attributed to stupidity. This saying needs to be reversed when government is concerned. ALWAYS attribute government actions to malice instead of stupidity. Assume they want something because they can abuse it.

3 hours ago, Shorty88jr said:

It's not fixable, hence the words permanent and unpatchable.


This is pretty much never 100% though

 

However sometimes it’s just better or cost efficient for the company to improve with the next generation of hardware, hence why this only affects older devices.


I've also read the exploit isn't persistent across reboots

 

which is unfortunate... because in order to do anything with it you'll have to plug the phone into your computer and re-do the exploit any time it reboots or shuts off on you

 

I can't help but wonder if this will allow people to bypass activation lock though... that could get ugly as stealing iPhones would become worth it again



Hopefully this means that jailbreaking iPhones would be easier again. It's been harder and harder these years as more developers work on android systems instead.



I can 10/10 recommend used iPhones now



If you allow someone to have physical access to your devices, you’re basically inviting the potential for attacks. 
 

The user's data remains encrypted and the decryption key remains safe. That's what's important. No data is compromised.


11 hours ago, Shorty88jr said:

That is absolutely insane! Well, Apple fanboys/girls can shove it when saying Apple products are secure.

All I can say is Wow! The possibilities for this exploit are huge! The fact that it works on so many iOS devices and is unfixable is crazy.

 

Source: https://twitter.com/axi0mX/status/1177542201670168576?s=20

You seem very ill-informed about all this and are making statements and being over-excited about the fact that an Apple device had a hardware security flaw.

 

And this requires physical, unobstructed access to the device, which by itself rules out 99% of users getting affected by this.

10 hours ago, RoseLuck462 said:


This is pretty much never 100% though

 

However sometimes it’s just better or cost efficient for the company to improve with the next generation of hardware, hence why this only affects older devices.

Of course it is, this vulnerability affects hardware built into the phone, the only way to fix it is by replacing the affected hardware which would require either resoldering a chip or replacing the entire handset.



Yeah and the scary part about this is that because it requires physical access to the device, you can't prevent it once your device is stolen afaik


