
New checkm8 exploit can jailbreak millions of iOS devices


An independent researcher who goes by the Twitter handle axi0mX has discovered and published an iOS jailbreak exploit that applies to hundreds of millions of devices and cannot be patched.

Named checkm8, the exploit leverages a race condition vulnerability in the bootrom, a read-only memory chip holding the first code that runs whenever the device boots. Because this code cannot be altered, any flaw found in it is effectively permanent.

This makes the exploit an especially powerful and significant tool for researchers or hobbyists who wish to circumvent protections built into iPhones and iPads in order to probe more deeply into their iOS devices, customize them or add programs, or execute code at the bootrom level. Law enforcement investigators and gray-hat companies that sell exploits to various parties could also benefit, wrote Thomas Reed, director of Mac and mobile at Malwarebytes, in a Sept. 27 blog post.

Malicious actors could also potentially add this exploit tool to their arsenal, although there are limits to what they can do with it. For instance, the exploit cannot be triggered remotely, and in general it can only be executed when a device is connected to a computer and put into Device Firmware Upgrade (DFU) mode (although axi0mX said in a tweet that it "should be possible to make a cable or a dongle that jailbreaks your device without a computer").

Additionally, threat actors cannot use checkm8 to install persistent malware, because any changes revert upon device reboot. Nor can they use checkm8 to bypass Secure Enclave and Touch ID, provided the device in question is equipped with those protections. (Certain older devices may not have them.) Still, checkm8 could reportedly be chained with other iOS exploit techniques to create more effective attacks.

According to axi0mX, checkm8 affects most generations of iPhones and iPads. In his blog post, Reed listed the currently known impacted devices as:

  • iPhones from the 4s up to the iPhone X
  • iPads from the 2 up to the 7th generation
  • iPad Mini 2 and 3
  • iPad Air 1st and 2nd generation
  • iPad Pro 10.5-inch and 12.9-inch 2nd generation
  • Apple Watch Series 1, Series 2, and Series 3
  • Apple TV 3rd generation and 4k
  • iPod Touch 5th generation to 7th generation

The exploit isn't perfectly reliable yet, and it is not a complete jailbreak tool, although it facilitates the jailbreaking process, axi0mX noted in a series of tweets. "Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG."

Considering that jailbreaks on modern devices can be hard to come by, axi0mX noted that his exploit is a positive development for security researchers chasing Apple bug bounties. "They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away," he tweeted.

"Needless to say, jailbreaking is not dead. Not anymore. Not today, not tomorrow, not anytime in the next few years."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
