New Unpatchable iPhone Exploit Allows Jailbreaking

A new iOS exploit allows jailbreaking of pretty much all version of the iPhone. This is a huge deal for Apple, but at least it doesn’t allow someone to remotely hack people’s phones.

Some details:

I wanted to learn how Checkm8 will shape the iPhone experience­—particularly as it relates to security­—so I spoke at length with axi0mX on Friday. Thomas Reed, director of Mac offerings at security firm Malwarebytes, joined me. The takeaways from the long-ranging interview are:

  • Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits.
  • The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
  • Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
  • All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
  • Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

Also:

“The main people who are likely to benefit from this are security researchers, who are using their own phone in controlled conditions. This process allows them to gain more control over the phone and so improves visibility into research on iOS or other apps on the phone,” Wood says. “For normal users, this is unlikely to have any effect, there are too many extra hurdles currently in place that they would have to get over to do anything significant.”

If a regular person with no prior knowledge of jailbreaking wanted to use this exploit to jailbreak their iPhone, they would find it extremely difficult, simply because Checkm8 just gives you access to the exploit, but not a jailbreak in itself. It’s also a ‘tethered exploit’, meaning that the jailbreak can only be triggered when connected to a computer via USB and will become untethered once the device restarts.

Tags: , , ,

Posted on October 8, 2019 at 5:24 AM16 Comments

Comments

Patriot October 8, 2019 6:10 AM

It’s never going to stop, is it?

My view is that iOS and Android both have no hope of being secured, and everyone should keep that in mind.

Hugo October 8, 2019 7:32 AM

I’m curious how the authors can make the claim that this can’t be patched. Apple (and other SoC vendors) have all sorts of mechanisms – none of which are publicly documented – that might be able to be used to patch a vulnerability like this, or at least reduce the severity (for example, there might be some way of disabling or gating the external USB connector downstream of the SoC). I get that the bug(s) are in the on-chip zeroth-stage bootloader in mask ROM, and thus one some level it’s un-patchable, but if the attack could be patched to an extent that you have to remove the SoC from the phone (for example), that’s practically as good as fixed.

Q October 8, 2019 8:53 AM

OMG! The world is on fire!! I can gain access to my own phone? How awful.

But seriously, it is considered an exploit that a user can gain control of their own device?

How far we have come, to blindly accept that the only people allowed to control our own stuff is some remote organisation.

Oh wait, I see the problem. It isn’t our own stuff, it is their stuff. How silly of me.

Impossibly Stupid October 8, 2019 9:42 AM

@Hugo

I’m curious how the authors can make the claim that this can’t be patched.

Look at it this way: Apple must bake in some way for them to configure the hardware without complete disassembly. To the degree that this replicates that method, it won’t be going away for devices in the wild any time soon. Apple may use different methods for newer hardware, but that basic mechanism to control the device will always be present to be used by those in the know.

@Q

OMG! The world is on fire!! I can gain access to my own phone? How awful.

Pretty much this. I never liked the term “jailbreak”, because it implies the owner of the device is a serious wrongdoer for simply wanting to use their property as they please. If you pop the hood on your car to change the air filter, nobody cries jailbreak (though the dumber segment of the population might call it a “life hack”).

Dave October 8, 2019 10:48 AM

“It’s also a ‘tethered exploit’, meaning that the jailbreak can only be triggered when connected to a computer via USB and will become untethered once the device restarts.”

And will become untethered? Or is untethered just the current status of Wired’a editors?

Spooky Phantom Ghost October 8, 2019 10:54 AM

I’ve been trying to get my family and pals to stop using their phones for banking.

I’ve been using a $30 Amazon 7″ fire tablet for my banking/financial needs for several years now. I use it for nothing else (apart from netflix and amazon prime which have no user comments, so I have a sense of security), and the chipset has no spectre/meltdown issues.

But it’s freakin’ slow.

As a compromise some of them have wisely partitioned their finances into phone/tablet-accessible and not-accessible.

Who? October 8, 2019 1:39 PM

@ Patriot

My view is that iOS and Android both have no hope of being secured, and everyone should keep that in mind.

Yep. However, what would you suggest instead? Blackphones are out of question (unsupported by its manufacturer, run Android, just a limited (but surely unaudited) Play Store, security hype as usual…). Is Blackberry any better? An old non-smart phone instead?

Even worse. The problem is not only the phone itself, the protocols are insecure. Not to say the new 5G standard… or even the radios that connect the phones to the cellular networks.

It is not just a matter of running unsecured devices with no hope for improvement, even a supposedly “secure” device will have no chance if we consider the broken communication protocols and lack of documentation on the radio firmware that runs behind the phone operating system and can probably be managed from the cell towers.

Jonathan Wilson October 8, 2019 3:05 PM

The Librem 5 Phone would seem to be a good option if you are concerned about all the crap Android and iOS do. 100% open source on the user side with a full Linux setup. Cellular radio totally isolated from the main CPU (and presumably not having any ability to interfere with the main CPU, main RAM, main flash storage etc). Hardware level kill switches to disable the cellular baseband, WiFi/Bluetooth and the cameras and microphone. User-replaceable battery. MicroSD slot for storage expansion. Privacy and security focused from the get go with the user having full control and not the manufacturer or the telco.

Jonathan Wilson October 8, 2019 3:07 PM

Oh and if you are concerned about the fact that the cellular network itself is insecure, run a good VPN on top of the Librem 5 phone and that problem mostly goes away (all that the telco network sees is encrypted VPN packets)

Who? October 9, 2019 5:28 AM

@ Jonathan Wilson, Name (required)

Thanks! The Librem 5 is better than most alternatives. I read about this phone months ago, but was not aware its cellular radio is isolated from the phone. Looks like a good choice compared to others.

I agree with Name (required) and will say more, gnome is always bloated. Nothing compares to the old X11 (OpenWindows, MWM, CDE…) these days. But it is ok if the hardware is powerful enough to run it.

Sadly, I will consider buying a smartphone soon (the first one I will own), as my country is now working on a required two-factor authentication for our banks based on cell phones. Of course “two-factor authentication” is a polite way to say “tracking mechanism.” A better authenticator would be our national identification card (some sort of smartcard supported by OpenSC right now), but phones look cool to our banking “security apes.”

Rachel October 9, 2019 1:34 PM

Who?

Sadly, I will consider buying a smartphone soon (the first one I will own), as my country is now working on a required two-factor authentication for our banks based on cell

Nice to see you again. Was sorry you had felt a sense of elitism here keeping you from posting, I questioned this.

Get a cheap dumb phone, and something I am yet to see mentioned here, get a SIM exclusively for this purpose. Keep the SIM for 2FA purposees only and thus ‘private’ , not a number you hand out or use for calls or anything else. Phone is of course switched off when you don’t need it. It’s your ‘authentication device’ with a handy calculator built in.

go a step further and, if it’s legal in your country, register the phone in a family members name

Rachel October 9, 2019 1:37 PM

Who?

if you feel strongly about it, as you appear to, there are alternatives.
you could use an SMS over internet service with a number you purchase from an online provider, if you prefer. Make sure the number fits the banks capacity to process (it may not like the number if its not in a cell number format)

A Nonny Bunny October 12, 2019 2:44 PM

@Impossibly Stupid

Pretty much this. I never liked the term “jailbreak”, because it implies the owner of the device is a serious wrongdoer for simply wanting to use their property as they please.

I guess I have less faith in the justice system. Because to me it implies someone escaping unjust imprisonment by corrupt authority. Perhaps I’ve consumed too many works of fiction where the escapee is the hero.

But what sort of term would you prefer? Slave revolt? Peasant uprising? Storming the Bastille?

Clive Robinson October 12, 2019 5:00 PM

@ A Nonny Bunny, Impossibly Stupid,

But what sort of term would you prefer? Slave revolt? Peasant uprising? Storming the Bastille?

How about,

    Peons passing perfumed palisades

On the assumption not all people know the difference between a “Peon and a Peon” or “palisades and Palisades”…

A Peon can be either “A native Policeman” or “An endetured servant/worker”. As for palisades they can be “Stakes or pails driven into the ground to make an outer boundry around either a castle or prison” whilst Palisades are “A fifteen mile long set of cliffs”. Perm the combination to get the meaning you find most appropriate.

Impossibly Stupid October 13, 2019 9:48 PM

@A Nonny Bunny

I guess I have less faith in the justice system. Because to me it implies someone escaping unjust imprisonment by corrupt authority.

To me it’s not about faith in anything, it’s about calling a spade a spade. Use language that calls out authority that is corrupt rather than try to re-frame the language that normally applies to criminals. You only muddy the waters when you do it your way.

But what sort of term would you prefer? Slave revolt? Peasant uprising? Storming the Bastille?

I see no need for such inaccurate simile at all. Just say what you’re doing: modifying your property. Reclaiming your right to repair things. Bypassing vendor lock-in. Reusing obsolete technology rather than tossing it into the dump.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.