‘Unpatchable’ iOS exploit could allow for a permanent jailbreak for iPhones
A security researcher has released a bootrom exploit for the iPhone 4S through the iPhone X that could lead to a permanent jailbreak.
axi0mX, the well-known iOS hacker and security researcher, has publicly released what he calls a "permanent unpatchable bootrom exploit" that works on every device from the A5 chip (iPhone 4S) up to the A11 chip (iPhone X). The iPhone XS range and the recently released iPhone 11 are spared, because the exploit does not work on the A12 and A13 chips. Nor is it limited to iPhones: several iPad models and the fifth-generation iPod touch and later are also affected.
The exploit, dubbed "checkm8", leverages an unpatchable vulnerability in Apple's bootrom (SecureROM), the first significant code that runs on an Apple device. The bootrom lives in read-only memory, so it is not overwritten when Apple ships a new version of its operating system. A successful exploit gives the user, or an attacker, code execution at the very start of the boot chain, before iOS itself loads.
"EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices," axi0mX announced on Twitter. He also shared a GitHub link and added a disclaimer that the tool could brick your device.
axi0mX further added, "The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010. This is possibly the biggest news in the iOS jailbreak community in years. I am releasing my exploit for free for the benefit of the iOS jailbreak and security research community."
Apple cannot patch this via an over-the-air (OTA) update because the bootrom is read-only: it is fixed in the chip at manufacture, and no software update can change it. The only fix is a new chip revision, which means the affected devices remain exploitable for life.
It should be noted that checkm8 is just an exploit, not a full-fledged jailbreak tool with Cydia. What it gives researchers and developers is code execution in the bootrom, which they can use to dump SecureROM, decrypt keybags with the AES engine, and demote the device to enable JTAG. Using JTAG, however, still requires additional hardware and software.
“Maybe someone can figure out a nice way to use JTAG on iPhone without proprietary hardware and software,” axi0mX wrote. “I and many others would be forever grateful if someone makes that possible.”
Having said this, the good news is that this potential jailbreak is tethered: the exploit is delivered over a USB cable to a device in DFU mode, so it requires physical access and has to be re-run every time the device boots. It cannot be delivered remotely, for instance by a malicious web page, to an older iPhone.
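Because the exploit reaches the device over USB while it sits in DFU mode, the practical question for anyone managing a fleet is whether a given device's SoC falls in the affected A5 to A11 range. The Python below is an added example, not code from the article or from the researcher's release: it parses the USB serial string an Apple device reports in DFU mode and classifies its chip ID (CPID). The serial-string layout, the CPID-to-SoC table, the Apple vendor/product IDs and the optional PWND tag (which some exploit tooling appends after a successful bootrom exploit) are assumptions drawn from devices observed in the field, not from the article; verify them against your own hardware before relying on them. The sample strings are constructed.

```python
import re
from typing import Dict, Optional

# Apple's USB vendor ID and the product ID a device reports in DFU mode.
# Recovery mode (iBoot) uses a different product ID, 0x1281. Assumed, not from the article.
APPLE_VID = 0x05AC
DFU_PID = 0x1227

# CPID values grouped by SoC generation, as seen in DFU-mode serial strings.
# Assumed from observed devices; not from the article. Verify before relying on it.
AFFECTED_CPIDS: Dict[int, str] = {
    0x8940: "A5", 0x8942: "A5", 0x8945: "A5X", 0x8947: "A5",
    0x8950: "A6", 0x8955: "A6X",
    0x8960: "A7",
    0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9", 0x8003: "A9", 0x8001: "A9X",
    0x8010: "A10", 0x8011: "A10X",
    0x8015: "A11",
}
UNAFFECTED_CPIDS: Dict[int, str] = {
    0x8020: "A12", 0x8027: "A12X", 0x8030: "A13",
}

# A DFU serial string is a run of KEY:VALUE fields, where a value may be
# bracketed, e.g. "CPID:8015 CPRV:11 ... SRTG:[iBoot-1234.0.0.0.1]".
_FIELD = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial: str) -> Dict[str, str]:
    """Split a DFU-mode USB serial string into its KEY:VALUE fields (brackets stripped)."""
    return {key: value.strip("[]") for key, value in _FIELD.findall(serial)}


def classify(serial: str) -> Dict[str, object]:
    """Decide whether the device behind a DFU serial string is in the affected SoC range."""
    fields = parse_dfu_serial(serial)
    if "CPID" not in fields:
        raise ValueError("not a DFU-mode serial string: no CPID field")
    cpid = int(fields["CPID"], 16)
    soc: Optional[str]
    if cpid in AFFECTED_CPIDS:
        status, soc = "affected", AFFECTED_CPIDS[cpid]
    elif cpid in UNAFFECTED_CPIDS:
        status, soc = "not affected", UNAFFECTED_CPIDS[cpid]
    else:
        status, soc = "unknown", None
    return {
        "cpid": cpid,
        "soc": soc,
        "status": status,
        "bootrom": fields.get("SRTG"),
        # Some tooling appends "PWND:[...]" once the bootrom has been exploited (assumption).
        "pwned": "PWND" in fields,
    }


# Constructed sample strings; the ECID, BDID and iBoot build values are made up.
SAMPLE_A11 = ("CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
              "ECID:0000000000000001 IBFL:3C SRTG:[iBoot-1234.0.0.0.1]")
SAMPLE_A12 = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
              "ECID:0000000000000002 IBFL:3C SRTG:[iBoot-5678.0.0.0.2]")
SAMPLE_PWNED = SAMPLE_A11 + " PWND:[checkm8]"

if __name__ == "__main__":
    for sample in (SAMPLE_A11, SAMPLE_A12, SAMPLE_PWNED):
        print(classify(sample))
```

To obtain the serial string, put the device in DFU mode and read it from the host: on Linux, `lsusb -d 05ac:1227 -v` prints it as `iSerial`; on macOS, `system_profiler SPUSBDataType` lists it under "Serial Number". The script deliberately reports "unknown" rather than guessing for a CPID it has no entry for.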
Apple has yet to comment on the matter.
The new exploit comes a month after Apple mistakenly reintroduced, in iOS 12.4, a vulnerability it had previously fixed, which led to a public jailbreak. Apple has since closed that hole again with an emergency update.