New iPhone bootROM exploit might lead to permanent jailbreak on hundreds of millions of devices
Exploit cannot be patched without a hardware update
By Cal Jeffrey
Uh oh Apple: Someone discovered an "unpatchable" exploit on iPhones that may allow them to be permanently jailbroken. The vulnerability is at the hardware level, so even updating iOS will not patch the hole. Thus it has been dubbed "checkm8" (checkmate).
A security researcher tweeted the exploit this morning, calling it an "epic jailbreak." However, it is worth mentioning that it is not really a jailbreak. Instead, it is an exploit that is analogous to the salesman's foot in the door. The iPhone hacking community will have to work with it to create an actual working jailbreak.
The reason that the hole cannot be patched is that it uses a weakness in the bootROM. The bootROM is the code that loads iOS as the device boots. It is read-only memory baked into the chip, so the only way to patch it is to replace the chip itself. Apple did precisely this with the A12 chip in newer iPhones.
However, older units, all the way from the iPhone 4s (A5 chip) to the iPhone X (A11 chip), have this bootROM. The iPhone XS and later have the A12, so they are not affected. Still, this development means that millions, if not hundreds of millions, of devices can be exploited with checkm8.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
--- axi0mX (@axi0mX) September 27, 2019
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
The researcher, who goes by the handle axi0mX on Twitter, said that this exploit makes older devices better for everyone.
"Jailbreakers and tweak developers will be able to jailbreak their phones on latest version [sic], and they will not need to stay on older iOS versions waiting for a jailbreak," he tweeted. "They will be safer."
While a jailbreak that is immune to iOS updates would be huge for the iPhone hacking community, the exploit still comes with a few drawbacks.
First of all, it is a "tethered" exploit, meaning that to use it, the iPhone must be connected to a computer via USB. Furthermore, it would also have to be triggered each time the device boots. This drawback greatly diminishes its practicality. That said, creative iPhone tweakers may be able to use checkm8 as a starting point for creating an untethered jailbreak.
Another drawback involves the security of these devices. Hackers could potentially use such a root-level exploit to undermine Apple's iCloud account locks. Even if owners remotely lock their lost or stolen phone, checkm8 may allow someone to bypass the lock. It also could allow malicious parties to install fake versions of iOS to siphon information or spy on the owner.
Apple has not yet commented on the discovery, and it is unclear what it could do about the exploit on older phones. Even if it were to recall the devices, which probably wouldn't fly, it would have to refit the hardware. That solution is not only costly but probably not even possible on phones earlier than the iPhone 8 or X.
We will have to wait and see where this development leads. axi0mX has made the files and instructions for the exploit available on GitHub.