
By Shannon Morse, ThreatWire 

A security researcher released a very exciting exploit that works on practically every Apple mobile product from almost the past decade, spanning the iPhone 4S all the way up to the iPhone X. The researcher, who goes by the name axi0mX on Twitter, posted about the "epic jailbreak" on September 27, dubbing it Checkm8. Checkm8 offers up a permanent way to jailbreak an iOS device because it relies on an unpatchable bootrom exploit. Any phone running on the custom Apple chipsets from the A5 up to the A11 is vulnerable (or exploitable, depending on whether you're a fan of jailbreaking). The bootrom is read-only memory that holds the boot-up, or start-up, instructions for the device.

The iPhone 4S runs the A5 chipset, while the iPhone X runs an A11 chip. Devices on these chipsets can be exploited via Checkm8 to grant the phone owner, or an attacker, full control over the device. As someone who got her hands dirty doing jailbreaks a decade ago, this is exciting news. Jailbreaks allow a device owner to install third-party software, dual boot, and run custom firmware. They can help bug bounty researchers find new vulnerabilities in devices, since researchers gain access to parts of the device they need for research and reporting. A jailbreak can also open your device up to potential vulnerabilities that Apple's restricted operating system has protected consumers from. Jailbreaks are still widely used for all sorts of devices: from jailbreaking a Nintendo Classic console to jailbreaking Peloton bike tablets.

But those are software jailbreaks. Bootrom jailbreaks are somewhat rare, especially for Apple. Because the bootrom is read-only hardware, they are permanent and can't be patched with a software update; fixing a device after this kind of jailbreak would require replacing the physical silicon chipset. For this reason, this kind of jailbreak is incredibly intriguing and sought after.

axi0mX's Checkm8 exploit is available on GitHub but requires decent technical skill to use. The researcher notes that it cannot be used on the A12 and A13 chipsets, which are the newest from Apple. If you're worried about this being used by attackers, chances are you're safe, since it requires physical access to the phone: an attacker would need to connect to the phone with a USB cable to actually use the exploit to jailbreak it. But for security researchers and the jailbreaking community, this is very exciting. You can check out the GitHub link below.


P.S. I'm including a link to a tweet I made giving out free tickets for the Texas Cyber Summit, happening Oct 11-13. I'm keynoting at the con too, in case folks are interested in attending!

*** FREE Texas Cyber Summit Ticket! ***  

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 


More Links

https://twitter.com/axi0mX/status/1177542201670168576

https://arstechnica.com/information-technology/2019/09/unpatchable-bug-in-millions-of-ios-devices-exploited-developer-claims/

https://threatpost.com/ios-exploit-checkm8-could-allow-permanent-iphone-jailbreaks/148762/

https://www.wired.com/story/ios-exploit-jailbreak-iphone-ipad/

https://github.com/axi0mX/ipwndfu
