Unfixable iOS Device Exploit Is the Latest Apple Security Upheaval

For the last several years, so-called jailbreaks of iPhones—cracking iOS to let any software run on the device—have been exceedingly rare. When one appeared in August for iOS 12, it was surprising to even the most dedicated Apple hackers. But today a security researcher published an exploit that lays the foundation to jailbreak almost every single iOS device released between 2011 and 2017, including most models of iPad, Apple Watch, iPod Touch, and Apple TV. The implications are staggering.

Security researcher Axi0mX published the exploit, called “checkm8,” Friday on GitHub. It affects every Apple device with an A5 through A11 chipset, meaning every iPhone model from the 4S to the X. Though it isn’t an all-in-one jailbreak on its own, the exploit gives researchers an extensive foundation on which to build custom jailbreaks for every vulnerable device model, letting them take full control of the unit, run software far beyond what Apple normally allows, and program apps to interact and share data in ways that Apple’s protections usually preclude.

“It’s a big day,” Axi0mX told WIRED. “The best days for iOS jailbreaking were years ago, when jailbreaks were common, easy to use, and available often. That changed over time and since iOS 9 jailbreaks became less frequent, much less convenient, and not something easily accessible to everyone.”

The jailbreak hinges on flaws in Apple’s “bootrom,” read-only memory in the processor that contains the fundamental code that runs first when a device powers on. Axi0mX found the bootrom vulnerability by reverse-engineering and examining a patch Apple released in summer 2018 for the iOS 12 beta. Since the bootrom is the root of the boot chain and cannot be updated by software, such exploits can be used to create extremely powerful jailbreaks that don’t depend on vulnerabilities specific to a particular iOS version. Even if an older device is running the recently released iOS 13, it’s still affected because the chip inside it is vulnerable. Before today, the most recent known bootrom exploit for an iOS device was for the 2010 iPhone 4.

Apple did not return a request from WIRED for comment.

“Seriously it’s some killer work here,” says Will Strafach, a longtime iOS jailbreaker and founder of the Guardian Firewall app. “You can’t fix this on the old devices, because you are running this from bootrom level. You cannot update bootrom.”

Researchers say that Axi0mX’s release represents a pivotal shift in the iOS security landscape. For the jailbreaking community, which works to tear free of Apple’s restrictive ecosystem in large part to be able to conduct more extensive security analysis, the findings will make it much easier to unshackle a slew of devices. And since researchers will still be able to keep those devices up to date with the latest iOS releases, they will potentially be able both to find and report bugs to Apple more quickly, and protect their test devices from attacks.

Strafach and others also note that these extensive jailbreak capabilities largely eliminate the need for the special research iPhones Apple recently announced. Those devices, which Apple is only giving to select researchers, have fewer protections and restrictions to make it easier to assess iOS security. But the ability to jailbreak recent iPhones running the current iOS will deliver similar insights to many more researchers. In spite of Apple’s recent gestures of goodwill toward the iOS research community, the company continues to resist collaboration. Just last month, Apple sued a company called Corellium for creating a tool that allows customers to prod a virtualized version of iOS.

“This is probably the biggest thing to cross most iOS security researchers’ desks in their entire careers to date,” says Thomas Reed, a Mac and mobile malware research specialist at the security firm Malwarebytes. “If you’re anyone else, it’s horrifying.”

That’s because Axi0mX’s findings also have major implications for iOS device security, if bad actors abuse the publicly available vulnerability. Fortunately, the exploit doesn’t break Apple’s Secure Enclave, which holds the keys to decrypt data already on the device. “You could jailbreak and install anything you want, but couldn’t decrypt existing device data like messages, mail, et cetera,” says Kenn White, a security engineer and director of the Open Crypto Audit Project.

https://www.wired.com/story/ios-exploit-jailbreak-iphone-ipad