
Exploiting Unpatchable iOS Bootrom, 'Checkm8' Can Become A Jailbreak Game Changer

Apple's iOS is generally considered a more secure mobile operating system than Android. But that doesn't mean it's flawless.

Just like any other software on the market, iOS has vulnerabilities. This time, a researcher who goes by the name axi0mX revealed on Twitter that every iPhone from the 4S to the X shares a flaw in its bootrom, exploited by what he calls a 'bootrom exploit'.

What this flaw allows, in practice, is jailbreaking those iPhones.

However, a jailbreak built on a bootrom exploit is unlike anything previous jailbreaking tools relied on.

The bootrom (Apple calls it SecureROM) contains the very first code executed when an iPhone is turned on, and it is burned into read-only memory inside the SoC at manufacture. Because of this, a flaw in it cannot be patched by Apple's updates to the device's operating system; only new silicon can fix it.

Leveraging this fact, axi0mX released the 'Checkm8' exploit (read "checkmate") as part of his 'ipwndfu' tool, describing it as a "permanent unpatchable bootrom exploit for hundreds of millions of iOS devices."

What the tool does, according to its GitHub page:

  • Allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG.
  • Initial SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015. With more to be added in the future.
  • Created for researchers only, and not a jailbreak with Cydia, at least yet.
  • Full jailbreak with Cydia on newer iOS version is possible, but requires additional work.
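The SoC list above is how a practitioner decides whether a device in front of them is even a candidate. A device in DFU mode exposes a USB serial-number string of the form "CPID:8010 CPRV:11 ... SRTG:[iBoot-...]", where CPID is the chip identifier; the hexadecimal part of each Apple SoC name (t8010, s5l8960x) is that CPID. The following Python, written for this article as an added example and not code from ipwndfu or from axi0mX, parses such a string and checks the CPID against the published list. The "PWND:[checkm8]" tag, which an exploited device reports until it reboots, and the sample serial strings (including the ECID values) are constructed for the example.

```python
import re

# SoCs named on the ipwndfu GitHub page as initially supported by checkm8.
CHECKM8_SOCS = frozenset({
    "s5l8947x", "s5l8950x", "s5l8955x", "s5l8960x",
    "t8002", "t8004", "t8010", "t8011", "t8015",
})


def cpid_table(socs=CHECKM8_SOCS):
    """Map the 4-hex-digit CPID a device reports in DFU mode to its SoC name.

    Assumption (stated in the lead-in): the CPID is the hex number embedded in
    Apple's SoC name, so 't8010' -> '8010' and 's5l8960x' -> '8960'.
    """
    table = {}
    for name in socs:
        m = re.search(r"([0-9a-f]{4})x?$", name)
        if m:
            table[m.group(1)] = name
    return table


CPID_TO_SOC = cpid_table()


def parse_dfu_serial(serial):
    """Split a DFU serial string 'KEY:VALUE KEY:VALUE ...' into a dict.

    Bracketed values such as SRTG:[iBoot-2696.0.0.1.33] are kept whole, with
    the brackets removed.
    """
    fields = {}
    for key, value in re.findall(r"(\w+):(\[[^\]]*\]|\S+)", serial):
        fields[key] = value.strip("[]")
    return fields


def assess(serial):
    """Report whether the device behind this DFU serial string is in scope.

    'vulnerable' means the CPID is on the published checkm8 SoC list;
    'already_pwned' means the constructed PWND tag shows the exploit has been
    run since the last boot (it is tethered, so a reboot clears it).
    """
    fields = parse_dfu_serial(serial)
    cpid = fields.get("CPID", "").lower()
    return {
        "cpid": cpid,
        "soc": CPID_TO_SOC.get(cpid),
        "vulnerable": cpid in CPID_TO_SOC,
        "already_pwned": fields.get("PWND") == "checkm8",
        "bootrom": fields.get("SRTG"),
    }


# Constructed sample strings, not captured from real hardware.
SAMPLE_A10_DFU = ("CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
                  "ECID:000000000000DEAD IBFL:3C SRTG:[iBoot-2696.0.0.1.33]")
SAMPLE_A10_PWNED = SAMPLE_A10_DFU + " PWND:[checkm8]"
SAMPLE_A12_DFU = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
                  "ECID:000000000000BEEF IBFL:3C SRTG:[iBoot-3865.0.0.4.7]")

if __name__ == "__main__":
    for s in (SAMPLE_A10_DFU, SAMPLE_A10_PWNED, SAMPLE_A12_DFU):
        print(assess(s))
```

Because the exploit is tethered (see axi0mX's own description further down), the `already_pwned` state is only meaningful for the current power cycle; after a reboot the same device reports the plain DFU string again and the exploit has to be re-run.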

Jailbreaking refers to the process of freeing an iPhone from Apple's closed-system restrictions. For example, users of a stock iPhone cannot install apps or features that Apple doesn't offer natively. Once jailbroken, the iPhone can behave more like a rooted Android phone, opening the device to a whole lot of possibilities.

Those range from the advantages of customization, and of letting hobbyists and researchers get valuable insight into what is going on under Apple's bonnet, to the disadvantage of a less secure iPhone.

The Checkm8 tool wasn't created with the intention of hacking iPhones to extract personal information, or anything similar.

As a matter of fact, the stated reason axi0mX created the tool, and announced it on Twitter, was to share the exploit with those who would want to use it to jailbreak and research their own devices.

What should be noted here is that a jailbreak using Checkm8 is only temporary. A simple reboot reverts the iPhone to its normal secure-boot state, as axi0mX explained:

"You cannot actually persist using this exploit. The only way that you can break the chain of trust is if you manually do it every boot. So you have to be in DFU mode when you boot, and then you have to connect a cable to your phone, and then you have to run the exploit in order to jailbreak your phone. At that point you can do whatever you want. But in no case will that be the case if you just boot normally. In that sense, it is not persistent."
Image: The bootrom of an Apple Watch Series 3, viewed in a hex editor. Apple Watch Series 1, 2, and 3 are also vulnerable to Checkm8.

To clarify his intentions, axi0mX told Ars Technica that:

  • Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits.
  • The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
  • Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.

For the above reasons, people can indeed use Checkm8 to install malware, but only under very limited circumstances. Checkm8 is also unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.

Checkm8 isn't actually axi0mX's first jailbreak-enabling exploit.

Previously, he developed another jailbreak-enabling exploit called 'Alloc8', which was released in 2017. It was the first-known iOS bootrom exploit in seven years, and caught many researchers' interest.

However, it only worked on the iPhone 3GS, a device that was already almost eight years old by the time Alloc8 went public.

Published: 02/10/2019