iOS checkm8 Exploit Promises Unpatchable Jailbreaks With Some Caveats
The mobile tech world, and especially the Apple corner of that world, was flooded by news over the weekend about what could have been Apple's worst nightmare come to life. Just as happened with the Nintendo Switch and the Fusée Gelée exploit, a security researcher discovered a similar vulnerability lying deep in the most inaccessible part of an iPhone's hardware. On paper, this exploit, dubbed "checkm8", could offer a permanent way to jailbreak iPhones older than the iPhone Xs. In practice, regular users who want nothing to do with the jailbreaking scene have nothing to worry about unless they hand over their iPhones to an unauthorized person.
Both the Nintendo Switch's Fusée Gelée and this iPhone checkm8 target the bootrom, the unmodifiable code residing in hardware that is the first code to run when an iPhone is turned on. Just like on the Switch, this can't be patched without actually changing the chip where the code resides. Unlike the Switch, Apple has since released iPhones that do not contain this vulnerability.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX@infosec.exchange (@axi0mX) September 27, 2019
Specifically, checkm8 only affects devices running on Apple's A5 chip all the way up to the A11 generation, that is, every device from the iPhone 4S to the iPhone X. Those using the most recent models need not worry, and the same goes for data protected by the Secure Enclave, which checkm8 does not reach.
axi0mX, who discovered and published the exploit, reminds white hat hackers and security researchers that checkm8 is just an exploit and not a complete jailbreak. That said, it only took him a few seconds to actually jailbreak an iPhone X and have it boot with verbose messages.
HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks @qwertyoruiopz pic.twitter.com/4fyOx3G7E0
— axi0mX@infosec.exchange (@axi0mX) September 29, 2019
While the exploit may be useful for researchers and those who regularly jailbreak their devices, it is actually less useful for those with less benign intentions. In order to use the exploit, the device has to be physically connected to a Mac via USB, which rules out a remote hack, and the exploit has to be redone every time the iPhone reboots. This significantly reduces the chances of ordinary users' iPhones getting compromised unless they lose the device, in which case they might have a bigger problem to worry about anyway.