EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.

Fasterthannothing
16 hours ago, BigDamn said:

For those who don't appear to be understanding (or don't want to understand?), this poses a big threat to security on iPhones. If you lose your phone and someone steals it, iCloud won't help you. This allows a thief to circumvent iCloud and completely reload iOS to use for themselves... or they could install spyware and return the phone to you. Essentially, if someone gets their hands on your phone for even a few minutes your data and privacy could be compromised. There's nothing Apple can do to prevent this now. Major oof.

Yeah, that's the scary part people are missing: if you lose your phone for whatever reason, someone can have access to it. Even if Apple could do something about it, they wouldn't admit such a threat because it goes completely against their marketing.

That is absolutely insane! Well, Apple fanboys/girls can shove it when saying Apple products are secure.

They needed 9 years to create a functional jailbreak after iPhone 4. I wouldn't exactly go around parading how flawed something is when you need 9 frigging years to achieve it again. And it's most likely that Apple will patch this as well even if everyone is raving it's "unpatchable". Apple makes the damn thing, you can be sure there are methods to eliminate this exploitation...

Bash Apple just to make oneself look cool and be accepted into the inner circle. Sad

All devices have flaws, so there is no point in bashing any product; it only makes you look stupid.


1 hour ago, bcredeur97 said:

As i sort of said above, Just reboot your phone after it’s stolen.

But what if you're like me and don't have data? There's no way to make your phone reset unless the thief somehow unlocks it and connects to Wi-Fi, and if they unlock it you're even more fucked.


35 minutes ago, RejZoR said:

They needed 9 years to create a functional jailbreak after iPhone 4. I wouldn't exactly go around parading how flawed something is when you need 9 frigging years to achieve it again. And it's most likely that Apple will patch this as well even if everyone is raving it's "unpatchable". Apple makes the damn thing, you can be sure there are methods to eliminate this exploitation...

Apparently this is a hardware flaw, so expecting it to be patched and be as secure as before is like expecting the Meltdown and Spectre patches to totally secure an Intel Sandy Bridge-based CPU.


17 minutes ago, Blademaster91 said:

Apparently this is a hardware flaw, so expecting it to be patched and be secure as before is like expecting the Meltdown and Spectre patch to totally secure an Intel Sandybridge based CPU.

But they do...


58 minutes ago, RejZoR said:

And it's most likely that Apple will patch this as well even if everyone is raving it's "unpatchable".

I like following security researchers to see the take of people who know a thing or two about these sorts of situations, and to see some of these people suggest that the iOS research landscape has been overturned for years to come from a *forever-day* exploit does not suggest Apple will have a lot of ability in fixing the exploit.

 

It's been a bad year for iOS security.


53 minutes ago, Suika said:

It's been a bad year for iOS security.

Indeed. Though, I don't really see it as a bad thing. As long as Apple fixes what is able to be fixed it means better security in the future and might mean more people wanting to find (and hopefully report) further exploits.


4 hours ago, kelvinhall05 said:

Yeah and the scary part about this is that because it requires physical access to the device, you can't prevent it once your device is stolen afaik

Once your device is stolen, your data is already at risk. However, no individual, or team of individuals, can defeat the encryption, and the decryption key is not accessible to said individuals. It's infinitely easier to bypass the passcode of an iPhone than it is to break its encryption.

 

You could still potentially install spyware and give it to someone else and exploit them that way, but if they restore the phone....... ever, that spyware goes away. I've also heard that the exploit can fail to execute from something as simple as a restart. So it doesn't seem especially potent. 

 

tldr: If your device is stolen, your data is safe. 


Does it classify as news when OP wrote 2 sentences that were either not addressing the article or simply bashing for the sake of bashing?


51 minutes ago, Derangel said:

Indeed. Though, I don't really see it as a bad thing. As long as Apple fixes what is able to be fixed it means better security in the future and might mean more people wanting to find (and hopefully report) further exploits.

It's not inherently a bad thing to bring attention to security issues, but this really does highlight an underlying issue I have with Apple. I know Linus has ranted on it in a different context, but Apple is selling their device on the idea that it's magic, and that they don't have security vulnerabilities that people, companies, or even nation-states take advantage of at any moment in time. It's a dangerous idea to have that their devices are inherently more secure than others, especially when Apple has painted such a target on their backs.


6 minutes ago, SenKa said:

Does it classify as news when OP wrote 2 sentences that were either not addressing the article or simply bashing for the sake of bashing?

Knowing this forum, yes it does.


Just now, Dan Castellaneta said:

Knowing this forum, yes it does.

Well, I'll do my best to put my 2 cents in then, and make this thread at least a little constructive.

 

This is pretty big for jailbreaking, but there is something that, at least to me, is a little concerning. Even the current "soft" jailbreaks do not work on A12 and A13 devices. What does this mean? Apple knew of this exploit. I am almost 100% certain Apple was just waiting down the clock until somebody found it. The fact that something like this exists doesn't really surprise me, nor does it worry me. As others have said, this requires physical access to the device, and at that point it's GG anyways.

 

I am a fan of Apple's products. I use an '08 Mac Pro as my file server, a 2014 MacBook Air for school, and both my personal and work phones are Apple made (XS Max and 5s). I 100% understand why people don't like Apple. I didn't use to like Apple until I used their products more often, but this reddit PCMR groupthink BS is really tiring for basically everybody involved who isn't blind enough to jive with "haha apple bad tim apple make hot product go boom boom" having never used or even interacted with an Apple product. As a company they are not perfect, no company is, but come on guys.

 

I have 4 or 5 complete part phones that are A11 or older, and 13 5s and 5c motherboards that are all ICL. All I hope of this ROM exploit is that we can find a way to bypass iCloud locks again, like you could on older phones.


29 minutes ago, SenKa said:

Even the current "soft" jailbreaks do not work on A12 and A13 devices. What does this mean? Apple knew of this exploit. I am almost 100% certain Apple was just waiting down the clock until somebody found it.

Or it could mean they weren't aware of it and discovered it on their own. I'll go with the most simple answer and assume that Apple discovered it when designing their most powerful chips. 


As much as I dislike many of Apple's practices of late, this doesn't seem to be a world-ending issue that deserves insulting anyone about. If we consider it to be similar to Meltdown then my argument is the same: tech is complicated, they did not do it on purpose or because they were lazy, it's the nature of the beast, the law of averages, and just another thing we have to deal with as a tech society hurtling forward at a million units a month.


8 hours ago, kelvinhall05 said:

Yeah and the scary part about this is that because it requires physical access to the device, you can't prevent it once your device is stolen afaik

You can not prevent it when crossing an international border either. The scope of physical access is wider than people would think.


19 hours ago, bcredeur97 said:

I've also read the exploit isn't persistent across reboots

 

which is unfortunate... because in order to do anything with it you'll have to plug phone into your computer and re-do the exploit anytime it reboots or shuts off on you

 

I can't help but wonder if this will allow people to bypass activation lock though... that could get ugly as stealing iPhones would become worth it again

Is there anything that prevents vulnerable files from iOS 12.4 from being put in place of the files from newer versions? While Apple will not sign the 12.4 download anymore, the files themselves should have valid signatures. Maybe downgrades to 12.4 would become possible through this. If just grabbing the few vulnerable files needed to enable an untethered jailbreak turns out to work, then that is another way to go.

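The downgrade question in the post above (old iOS 12.4 files still carry valid Apple signatures, so why can't they simply be installed or mixed into a newer build?) is answered by how Apple personalizes its signing. The following is an added example written for this thread, not code from the thread or from Apple: a simplified model of a personalized signing ticket (the "SHSH blob"/APTicket) that binds a firmware manifest to one device's ECID and one restore's ApNonce. Apple's real ticket is a DER-encoded manifest signed with RSA by its signing server; here an HMAC with a constructed stand-in key plays the role of that signature, and every ECID, nonce and component hash is a constructed value.

```python
"""
Added example (not from the thread, not Apple's code): a simplified model of
personalized firmware signing. Apple's real APTicket is a DER-encoded manifest
signed with RSA; here an HMAC under a constructed stand-in key plays the role
of that signature. All ECIDs, nonces and component hashes are constructed.
"""
import hashlib
import hmac

# Constructed stand-in for Apple's signing-server private key (assumption).
SIGNING_SERVER_KEY = b"constructed-stand-in-for-apple-signing-key"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def manifest_digest(components: dict, ecid: int, ap_nonce: bytes) -> bytes:
    """Digest over the firmware component hashes AND the per-device / per-restore
    values. Because the ECID and ApNonce are inside the signed data, a ticket is
    bound to one device and to one restore attempt."""
    h = hashlib.sha256()
    for name in sorted(components):
        h.update(name.encode("ascii"))
        h.update(components[name])
    h.update(ecid.to_bytes(8, "big"))
    h.update(ap_nonce)
    return h.digest()


def signing_server(components: dict, ecid: int, ap_nonce: bytes, still_signed: bool):
    """Model of the signing server: issues a ticket only for versions it still signs."""
    if not still_signed:
        return None
    digest = manifest_digest(components, ecid, ap_nonce)
    return hmac.new(SIGNING_SERVER_KEY, digest, hashlib.sha256).digest()


def boot_chain_accepts(ticket, components: dict, ecid: int, ap_nonce: bytes) -> bool:
    """Model of the check in the boot chain: recompute the digest with THIS device's
    ECID and the nonce it generated for THIS restore, then verify the ticket."""
    if ticket is None:
        return False
    digest = manifest_digest(components, ecid, ap_nonce)
    expected = hmac.new(SIGNING_SERVER_KEY, digest, hashlib.sha256).digest()
    return hmac.compare_digest(ticket, expected)


def replay_scenarios() -> dict:
    """Run the model against constructed values; returns one bool per scenario."""
    ios_12_4 = {  # constructed component hashes (real ones come from BuildManifest.plist)
        "iBSS": sha256(b"iBSS 12.4"),
        "iBEC": sha256(b"iBEC 12.4"),
        "KernelCache": sha256(b"kernelcache 12.4"),
    }
    device_a = 0x000111222333444A          # constructed ECID
    device_b = 0x000111222333444B          # constructed ECID of a second device
    nonce_then = bytes.fromhex("a1" * 32)  # nonce device A used while 12.4 was still signed
    nonce_now = bytes.fromhex("b2" * 32)   # fresh nonce device A generates for a restore today

    # Ticket the owner saved back when Apple still signed 12.4 for device A.
    saved_ticket = signing_server(ios_12_4, device_a, nonce_then, still_signed=True)
    # Same 12.4 files, but with one component swapped for a newer build's file.
    mixed_build = {**ios_12_4, "iBSS": sha256(b"iBSS 13.1")}

    return {
        # Same files, same device, new restore: the nonce differs, so rejected.
        "replay_same_device_fresh_nonce": boot_chain_accepts(saved_ticket, ios_12_4, device_a, nonce_now),
        # Same files, same nonce, different device: ECID differs, so rejected.
        "replay_on_other_device": boot_chain_accepts(saved_ticket, ios_12_4, device_b, nonce_then),
        # Mixing a file from another build: its hash is in the signed data, so rejected.
        "mixed_components": boot_chain_accepts(saved_ticket, mixed_build, device_a, nonce_then),
        # Asking the server for a 12.4 ticket today: it simply does not issue one.
        "ask_server_today": boot_chain_accepts(
            signing_server(ios_12_4, device_a, nonce_now, still_signed=False),
            ios_12_4, device_a, nonce_now),
        # The only case the ticket was ever valid for: that exact device and that exact nonce.
        "exact_device_and_nonce": boot_chain_accepts(saved_ticket, ios_12_4, device_a, nonce_then),
    }


if __name__ == "__main__":
    for name, accepted in replay_scenarios().items():
        print(f"{name:32s} {'ACCEPTED' if accepted else 'rejected'}")
```

The model shows why "the files still have valid signatures" is not enough on its own: the signature covers the whole manifest plus the device's ECID and a nonce the device regenerates for every restore, so an old ticket only ever matches the one device and the one nonce it was issued for, and a single component from another build changes the digest. What the thread's exploit changes is a different layer: code execution in the bootrom, which is the component performing this check, means the check itself no longer has to be satisfied.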

There still seems to be some confusion about the limitations and scope of this exploit. This Ars Technica article contains an interview with axi0mX, the researcher who discovered this exploit. It's worth a read, but here are some key points:

Quote

Dan Goodin (Ars): Can we start with the broad details? Can you describe at a high level what Checkm8 is, or what it is not?

axi0mX: It is an exploit, and that means it can get around the protection that Apple built into the bootrom of most recent iPhones and iPads. It can compromise it so that you can execute any code at the bootrom level that you want. That is something that used to be common years ago, during the days of the first iPhone and iPhone 3G and iPhone 4. There were bootrom exploits [then] so that people could jailbreak their phone through the bootrom and that later would not be possible.

 

Dan Goodin (Ars): When we talk about things that aren't patchable, we're talking about the bug. What about the change to the device itself? Is that permanent, or once the phone is rebooted, does it go back to its original state?

axi0mX: This exploit works only in memory, so it doesn't have anything that persists after reboot. Once you reboot the phone... then your phone is back to an unexploited state. That doesn't mean that you can't do other things because you have full control of the device that would modify things. But the exploit itself does not actually perform any changes. It's all until you reboot the device.

 

Dan Goodin (Ars): In a scenario where either police or a thief obtains a vulnerable phone but doesn't have an unlock PIN, are they going to be helped in any way by this exploit? Does this exploit allow them to access parts of this phone or do things with this phone that they couldn't otherwise do?

axi0mX: The answer is "It depends." Before Apple introduced the Secure Enclave and Touch ID in 2013, you didn't have advanced security protections. So, for example, the [San Bernardino gun man's] phone that was famously unlocked [by the FBI]—the iPhone 5c— that didn't have Secure Enclave. So in that case, this vulnerability would allow you to very quickly get the PIN and get access to all the data. But for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don't have the PIN.

https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/


  • 1 month later...

It's more than just great news for jailbreaking... This exploit is going to allow unsigned iOS version installation (I'll finally have good battery life on my SE again by downgrading to 12.4.1) or even the installation of other operating systems!


So, here's an actual security look at the exploit, to hopefully clear up some of the misconceptions here.  While not accurate, I and others may use both checkra1n and checkm8 interchangeably.  Technically, checkm8 is the exploit that was released back in September and checkra1n is the updated automation around it to allow for possible use as a jailbreak.

 

https://www.bleepingcomputer.com/news/apple/checkra1n-ios-jailbreak-gets-public-beta-update-with-fixes/

 

Explanation by me for those not able to decipher the security and exploit language:

This can only be used from a Mac computer (for now), via direct wire connection, often takes multiple attempts as it is relying on a timing attack of how specific versions of iOS's USB interface code interacts with the hardware, and in the end still requires special hardware to make use of the JTAG mode that can eventually be enabled.  With a proper connection, the exploit CAN decrypt the "KEYBAG" (current phone hardware communication encryption that changes often) and DUMP the SecureROM (which has some device specific encryption keys and identifiers…though they're encrypted there still, so that also is not useful on its own).

 

It doesn't:

• Work on the most recent hardware (iPhone 11 lineup), nor various other specific hardware.

• Work remotely.

• Allow access of any user data or decryption of user data or keys.

• Stay persistent without additional patching to force it to do so (the referenced persistence is due to this being a bug existing in hardware as well, not JUST software)

• Run any apps after a reboot without additional noticeable patching.

 

In the non-security crowd, this is mainly of interest to those with really old phones (like the iPhone 5s) who want to try and run newer versions of iOS than they could normally install, unsupported, or those who wish to install non-approved or pirated apps in newer versions of iOS than had been previously jailbroken. In these cases, the end users are doing the additional patching to keep this persistently used and active.

 

Of note:

Quote

checkra1n can be used to jailbreak all iOS devices running up to iOS 12.3 between the iPhone 5s and the iPhone X, with the addendum that this beta version currently does not support iPad Air 2, iPad 5th Gen, and iPad Pro 1st Gen…. [Checkm8] can be used against most generations of iPhones and iPads, from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

Quote

it should be noted that it cannot be abused remotely and that threat actors who would want to use it would also need physical access to the iOS device.

Quote

jailbroken iOS devices will revert to the stock system if the users reboot them without checkra1n and they will no longer "be able to use any 3rd party software installed until you enter DFU and checkra1n the device again."

 

Also a word of warning:

There have actually been a LOT of search bait and phishing attacks towards getting iOS users to jailbreak (usually without any actual jailbreak, just installing a malicious app).

Quote

If you plan to download and use checkra1n, make sure you avoid similar-looking domains because they are more often than not used in malicious campaigns just as the one spotted by Cisco Talos researchers in October.

 

 


On 9/27/2019 at 3:46 PM, Captain Chaos said:

It can be exploited whenever you cross the border.  It sure makes it easier for border patrol agencies in the various surveillance states to dump the contents of travellers' iPhones and possibly install spyware onto it. 

 

 

 

For regular people that's true.  However government agencies can throw tons of hardware at that problem.  It's probably more convenient for them to brute-force a data dump than it is to get the phone's owner to tell them the passcode.

 

“Probably” is a strong word.  Think of computer cycles as not being infinite and costing money.  Because they do.  How many thousand dollars would it take to do one phone?


The quote contains chip code numbers.  Has anyone converted that into actual devices yet? Which iPhone and Mac models?
