Recently, Apple fixed a vulnerability with the release of iOS 12.4.1 that allowed for users to jailbreak their iPhones. The vulnerability in iOS 12.4 required urgent attention since it allowed an adversary to also create spyware by exploiting the bug. While Apple managed to fix that bug, once again, a researcher has come out with an even more robust iOS jailbreak named Checkm8.
Checkm8 iOS Jailbreak Seems Permanent
A security researcher with the alias Axi0mX on Twitter has devised a robust iOS jailbreak that he dubs ‘Checkm8’. According to the researcher, Checkm8 can work for a wide range of iPhones including the latest ones.
Sharing details about the jailbreak in a tweet, the researcher revealed that Checkm8 works by serious Bootrom vulnerability. The flaw affects most iPhones and iPads from iPhone 4S to iPhone X (A5 to A11 chips).
Explaining further about the jailbreak in his tweet, Axi0mX stated,
2/ What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
— ax??mX (@axi0mX) September 27, 2019
This exploit and the subsequent jailbreak appear ‘permanently unpatchable’ as it affects the hardware. Thus, fixing the Bootrom flaw would not be so easy without a mass recall of vulnerable devices.
Elaborating on his findings, the researcher said that the flaw basically exists in the implementation of heap itself. As explained,
In S5L8920 bootrom (and some very old versions of iBoot) function malloc is not implemented correctly. When it is unable to allocate memory, instead of NULL it returns a pointer to memory address 0x8. Callers check if returned pointer is NULL and then treat that pointer as valid.
More details about the exploit are available in his write-up.
Publicly Available On GitHub
The researcher has made Checkm8 publicly available on GitHub in an attempt to facilitate the researchers’ community. He believes that the ability to jailbreak new devices will make it easy for the researchers to jailbreak their devices and find bugs. This would save them from the pain of sticking to the older versions merely for jalbreaking. Plus, it will also help those interested in bug bounty.
8/ It will also be better for security researchers interested in Apple’s Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.
— axi0mX (@axi0mX) September 27, 2019
Let us know your thoughts in the comments.
