Checkm8, as the exploit is called, works on every iPhone model from the 4s to the X inclusive and cannot be patched in any way, writes the security researcher known as axi0mX. He has published a tool that reportedly grants access to the lowest layers of a large share of iOS devices, whether for an attack or for a jailbreak.
The vulnerability axi0mX found is a hardware vulnerability affecting the A5 through A11 chips. In these systems, so-called hazards occur, that is, timing glitches caused by non-zero propagation delay: when a logic state changes, errors appear that allow a side-channel attack to be carried out. The effect is that the bootrom is laid open, and because the processor itself is at fault, the flaw cannot, as the researcher states, be patched by any update.
According to the researcher, anything can be done with a compromised device: from loading unauthorized software, through decrypting lock and security keys, to attaching a JTAG debugger. There is one condition: the attacker must have physical access to the hardware, because the starting point of the whole process is a crafted USB flash drive.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
– axi0mX (@axi0mX) September 27, 2019
According to reports, the researcher came across the vulnerability while examining one of the iOS 12 beta versions and the patches it contained, which, however, do not address the described exploit.
Intelligence agents could use the vulnerability
Interestingly, he also suspects that he is not the first to have discovered the flaw, only the first willing to make it public. In his Twitter comments he implies that intelligence agencies and companies such as GrayShift, which offer data extraction from locked iPhones, may have used the vulnerability before. He offers no evidence for this, however, so some caution is advisable when approaching these claims.
For now the exploit itself is of little use, at least to the ordinary user. The author leaves the rest to other hackers, whom he encourages, among other things, to build a jailbreak on top of it. With unrestricted access to the bootrom, however, that is only a matter of time.