The 'Checkm8' exploit isn't a big deal to iPhone or iPad users, and here's why

Posted in iPhone, edited September 28
On Friday morning, news -- and bad headlines -- started circulating about an exploit ranging from the iPhone X all the way back to the iPhone 4s. But, despite the typical mass-media responses to the news, the exploit will have effectively zero impact on the consumer. Here's why.

Apple's iPhone 5c, the last without a Secure Enclave


On Friday morning, hacker axi0mX revealed the "Checkm8" exploit. For the first time in nearly a decade, this particular vector is aimed at the boot ROM in an iPhone or iPad, as opposed to trying to pry open the iOS software.

A series of tweets broke down the exploit -- and spelled out some limitations and answers about the exploit. Cue Internet drama.

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.

Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG

-- axi0mX (@axi0mX)

User vulnerability?

The Checkm8 exploit isn't a drive-by attack. A user can't visit a website and be targeted for malware installation. The exploit isn't persistent, meaning that every time the iPhone is rebooted, the attack vector is closed again.

The iPhone 5c and earlier models lack a Secure Enclave. If you surrender physical access to one of those phones, a dedicated assailant can extract your iPhone PIN. But phones with a Secure Enclave -- the iPhone 5s and everything after it -- cannot be attacked in that manner.

Furthermore, the exploit is tethered. That means an iPhone or iPad needs to be connected to a host computer, put into DFU mode, and exploited from there -- and the exploit doesn't always work, since it relies on a "race condition," according to Checkm8.

Software like keyloggers or other malware could theoretically be installed following an attack. But, other mechanisms that Apple has put into place will defeat that, following a device reboot.

Apple has implemented what's called a "Secure bootchain." In short, there are checks at every stage of the iOS boot process that verify the integrity of the previous step -- and some that verify the next step -- to be sure that the phone is safe. Those secure bootchain checks won't allow software that doesn't comply to function after a hard reboot of an iPhone.
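To make the non-persistence argument concrete, here is a small Python model of a verified boot chain (an added illustration, not Apple's code or anything from the Checkm8 release): each stage pins the digest of the one stage it may hand off to, and the ROM stage cannot be rewritten. Digest pinning stands in for Apple's signature checks, and the stage names and the `rom_check_bypassed` switch are assumptions of the model; a runtime-only bypass lets a tampered chain boot once, and the next boot from the untouched ROM rejects it.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a verified boot chain (added illustration, not Apple's
# code). Each stage pins the digest of the single image it is allowed to hand
# off to. The boot ROM is mask ROM: its verifier and its pinned digest come
# back untouched on every reset, whatever ran during the previous boot.

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Stage:
    name: str
    image: bytes                         # code that would execute at this stage
    next_expected: Optional[str] = None  # pinned digest of the following stage

def build_factory_chain(kernel_image: bytes) -> List[Stage]:
    """bootROM -> iBoot -> kernel, each stage pinning the digest of the next."""
    kernel = Stage("kernel", kernel_image)
    iboot = Stage("iBoot", b"iBoot (signed build)", next_expected=digest(kernel.image))
    rom = Stage("bootROM", b"mask ROM", next_expected=digest(iboot.image))
    return [rom, iboot, kernel]

def boot(chain: List[Stage], rom_check_bypassed: bool = False) -> List[str]:
    """Walk the chain from the ROM; return the names of the stages allowed to run.

    rom_check_bypassed=True models a tethered exploit: the ROM's own check is
    skipped for this single boot only. Nothing stored in the ROM changes, so a
    later call with the default argument is the state after a reboot.
    """
    ran = []
    for i, stage in enumerate(chain):
        ran.append(stage.name)
        if i + 1 == len(chain):
            break                               # last stage: nothing left to verify
        nxt = chain[i + 1]
        if stage.name == "bootROM" and rom_check_bypassed:
            continue                            # verifier skipped in memory, not on flash
        if digest(nxt.image) != stage.next_expected:
            ran.append("REJECTED:" + nxt.name)  # this and every later stage never run
            break
    return ran

def tampered_chain(factory: List[Stage], custom_kernel: bytes) -> List[Stage]:
    """Swap iBoot and the kernel on 'flash'; the ROM stage stays as it was (it cannot be written)."""
    kernel = Stage("kernel", custom_kernel)
    iboot = Stage("iBoot", b"iBoot (patched)", next_expected=digest(kernel.image))
    return [factory[0], iboot, kernel]

if __name__ == "__main__":
    factory = build_factory_chain(b"iOS kernel (signed build)")
    print("factory boot  :", boot(factory))
    tampered = tampered_chain(factory, b"custom kernel")
    print("tethered boot :", boot(tampered, rom_check_bypassed=True))
    print("after reboot  :", boot(tampered))
```

The third call is the whole point of the article: with the ROM check back in place, the patched iBoot is rejected before it runs, so nothing installed during the tethered boot survives a restart.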

We've gleaned this information above from Apple in the hours following the exploit's release. The developer axi0mX confirmed these findings, and discussed the implications further in an Ars Technica interview on Saturday morning.

All this said, in short, for it to be of any real concern a user either has to specifically want to perform this procedure on their iPhone and take the steps to execute it, or be careless with the device's physical security and be specifically targeted by an assailant.

If you're really worried about it, it's time to ditch the iPhone 5c or older that you may be hanging on to. And, you can always completely shut down your iPhone after you've left it unattended for any period of time.

A reboot will not just flush out the exploit, but also break any software that may have been installed in your absence.

Jailbreaking is fine!

We're not opposed to jailbreaking here at AppleInsider. A few staffers have done it in the past.

AppleInsider doesn't generally cover jailbreak exploits. In the cat-and-mouse game that is constantly raging between Apple and the jailbreak community, information published today is often outdated tomorrow. This isn't much different than that in actuality, but it got a much wider audience outside of the tech media.

In that media, in the very few hours after the Checkm8 exploit was revealed, there has been a lot of fear, paranoia, and finger-pointing done across the internet. There is no real reason for it at all. Fortunately, as of yet, there haven't been any "nasty secret" style headlines regarding this matter. We're sure that some content management system someplace has one stored, though, and we're also pretty sure we know who's going to do it first.

Most of the headlines are right. This is a big deal for the jailbreak community. We don't think it's a bad thing at all. Because of limitations for assailants, it just makes no difference to nearly every iPhone or iPad user outside of that community, though.

If you take anything away from this, it should be that you are no less safe today from the reveal of Checkm8 than you were yesterday, or the day before, or four years ago. Malware can't exploit it at all, and if you maintain physical security of your iPhone 5S and newer, then your passcode -- and your data -- remains safe.

Comments

  • Reply 1 of 35
    gatorguy (Posts: 21,267, member)
    For those that miss the article's "blue text link" to the developer's interview at Ars: https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/
  • Reply 2 of 35
    sflocal (Posts: 4,748, member)
    It's shameful how the media, particularly the media that are in the tech sector publish what essentially is a non-issue because they know it attracts visitors to their sites.  Shameful. 
  • Reply 4 of 35
    gatorguy (Posts: 21,267, member)
    gatorguy said:
    ?


    Yeah I know. What did you think I meant when mentioning your "article's blue text link"?

    I posted the long link because some readers don't recognize the blue text as a link, and others simply fail to notice it. That happens regularly here. 
    edited September 28
  • Reply 5 of 35
    Mike Wuerthele (Posts: 4,989, administrator)
    gatorguy said:
    gatorguy said:
    ?


    Yeah I know. What did you think I meant when mentioning your "article's blue text link"?

    I posted the long link because some readers don't recognize the blue text as a link, and others simply fail to notice it. That happens regularly here. 
    Aha! Now I understand.
  • Reply 6 of 35
    Hypothetically, wouldn’t this exploit also possibly allow someone to bypass Apple's iCloud lock? Say you lost your phone or it was stolen, so you lock the phone using iCloud. Wouldn’t this allow a really intelligent thief to run or modify code that bypasses the iCloud lock? Now I’m not talking about secure data, because that could be wiped for all they care. If this allows for the eventuality of a jailbreak and the ability to run tethered code, it could potentially allow useless phones to become useful and increase thefts, provided the phones don’t become blacklisted. I’m not sure if after you bypass the iCloud lock it becomes permanent or not once you're outside of the setup screen, but if a jailbreak comes along that allows for semi-tether, this could give it persistence.

    What I’m saying is there are still some out-of-the-box risk scenarios.
    edited September 28
  • Reply 7 of 35
    Mike Wuerthele (Posts: 4,989, administrator)
    Vulkan said:
    Hypothetically, wouldn’t this exploit also possibly allow someone to bypass Apple's iCloud lock? Say you lost your phone or it was stolen, so you lock the phone using iCloud. Wouldn’t this allow a really intelligent thief to run or modify code that bypasses the iCloud lock? Now I’m not talking about secure data, because that could be wiped for all they care. If this allows for the eventuality of a jailbreak and the ability to run tethered code, it could potentially allow useless phones to become useful and increase thefts, provided the phones don’t become blacklisted. I’m not sure if after you bypass the iCloud lock it becomes permanent or not once you're outside of the setup screen, but if a jailbreak comes along that allows for semi-tether, this could give it persistence.

    What I’m saying is there are still some out-of-the-box risk scenarios.
    No. There's more about why this is the case in the interview with the developer. 

    And, the possibility of theft of an iPad is unchanged with or without the jailbreak, so the threat profile remains the same before and after the reveal of it.
    edited September 28
  • Reply 8 of 35
    Vulkan said:
    Hypothetically, wouldn’t this exploit also possibly allow someone to bypass Apple's iCloud lock? Say you lost your phone or it was stolen, so you lock the phone using iCloud. Wouldn’t this allow a really intelligent thief to run or modify code that bypasses the iCloud lock? Now I’m not talking about secure data, because that could be wiped for all they care. If this allows for the eventuality of a jailbreak and the ability to run tethered code, it could potentially allow useless phones to become useful and increase thefts, provided the phones don’t become blacklisted. I’m not sure if after you bypass the iCloud lock it becomes permanent or not once you're outside of the setup screen, but if a jailbreak comes along that allows for semi-tether, this could give it persistence.

    What I’m saying is there are still some out-of-the-box risk scenarios.
    No. There's more about why this is the case in the interview with the developer. 

    And, the possibility of theft of an iPad is unchanged with or without the jailbreak, so the threat profile remains the same before and after the reveal of it.
    Thanks for clarifying. Seems like a lot of speculation was going around about what this exploit can allow. 
    edited September 28
  • Reply 9 of 35
    What's the model vulnerability threshold for iPads?
  • Reply 10 of 35
    Mike Wuerthele (Posts: 4,989, administrator)
    boredumb said:
    What's the model vulnerability threshold for iPads?
    iPad Mini 2 and iPad Air and newer have the Secure Enclave.
  • Reply 11 of 35
    Vulkan said:
    Hypothetically, wouldn’t this exploit also possibly allow someone to bypass Apple's iCloud lock? Say you lost your phone or it was stolen, so you lock the phone using iCloud. Wouldn’t this allow a really intelligent thief to run or modify code that bypasses the iCloud lock? Now I’m not talking about secure data, because that could be wiped for all they care. If this allows for the eventuality of a jailbreak and the ability to run tethered code, it could potentially allow useless phones to become useful and increase thefts, provided the phones don’t become blacklisted. I’m not sure if after you bypass the iCloud lock it becomes permanent or not once you're outside of the setup screen, but if a jailbreak comes along that allows for semi-tether, this could give it persistence.

    What I’m saying is there are still some out-of-the-box risk scenarios.
    No. There's more about why this is the case in the interview with the developer. 

    And, the possibility of theft of an iPad is unchanged with or without the jailbreak, so the threat profile remains the same before and after the reveal of it.
    I’ve done some reading and it looks like my fears are at least confirmed by iOS researcher GeoSnow, who is convinced you’ll be able to use a custom firmware iCloud lock bypass, possibly alongside dumping the secure ROM.

    The iCloud lock is the security feature that protects the device after it’s been improperly restored or wiped using DFU mode. The iCloud lock binds the device to the user's iCloud account, rendering the device useless to anyone who does not have the iCloud account it previously used.

    Installing a custom IPSW or iOS operating system without this security feature in place will allow the hardware, i.e. the iPhone or iPad, to be used. The exploit only needs to install the custom iOS onto the device, which wasn’t possible before at the bootrom level*. I am unsure about the SEP (Secure Enclave) working in a custom environment, but all that may mean is the iPhone won’t be able to be locked using Touch ID or Face ID. Persistence may* (I’m not sure) require a computer to reboot.

    It’s not practical, but it seems like it’s possible for bad actors or people who have a locked iPhone. I don’t endorse this whatsoever, but I think there is more to it that is still being researched, and it may later affect consumers.

    GeoSnow is a well-known iOS security researcher in the jailbreaking community. Good or bad, his pwndfu mode is what he’s working on to install custom IPSWs, or upgrade/downgrade iOS versions.

    https://jailbreak.fce365.info/Thread-How-to-use-the-Checkm8-BootROM-Exploit-iPwnDFU-on-iOS-8-up-to-iOS-13-1-1

    https://mobile.twitter.com/FCE365

    Edit:
    *Checkm8 in its current form, without any other exploits, is still tethered, so the bypass would still require the device not to reboot, else the device would require the exploit again to boot. The bypass does not currently allow the baseband/SIM card to function, preventing calls.

    In retrospect, it's probably self-defeating not wanting this to happen while talking about it... but considering Google is a thing, what’s out is out.
    edited September 28
  • Reply 12 of 35
    Mike Wuerthele (Posts: 4,989, administrator)
    Vulkan said:
    I’ve done some reading and it looks like my fears are at least confirmed by iOS researcher GeoSnow, who is convinced you’ll be able to use a custom firmware iCloud lock bypass, possibly alongside dumping the secure ROM.

    The iCloud lock is the security feature that protects the device after it’s been improperly restored or wiped using DFU mode. The iCloud lock binds the device to the user's iCloud account, rendering the device useless to anyone who does not have the iCloud account it previously used.

    Installing a custom IPSW or iOS operating system without this security feature in place will allow the hardware, i.e. the iPhone or iPad, to be used. The exploit only needs to install the custom iOS onto the device, which wasn’t possible before at the bootrom level. I am unsure about the SEP (Secure Enclave) working in a custom environment, but all that may mean is the iPhone won’t be able to be locked using Touch ID or Face ID. Persistence may* (I’m not sure) require a computer to reboot.

    It’s not practical, but it seems like it’s possible for bad actors or people who have a locked iPhone. I don’t endorse this whatsoever, but I think there is more to it that is still being researched, and it may later affect consumers.

    GeoSnow is a well-known iOS security researcher in the jailbreaking community. Good or bad, his pwndfu mode is what he’s working on to install custom IPSWs, or upgrade/downgrade iOS versions.

    https://jailbreak.fce365.info/Thread-How-to-use-the-Checkm8-BootROM-Exploit-iPwnDFU-on-iOS-8-up-to-iOS-13-1-1

    https://mobile.twitter.com/FCE365

    I know who GeoSnow is, and he hasn't said anything in regards to what you're proposing here. 

    An iCloud lock isn't bypassed by a DFU in any way, and as it stands, this won't let you do that either. And, even if there is some chain that leads to that, it still won't be persistent if it needs Checkm8 to execute and run -- and, again, the user's data is still in no danger.

    Even if it works in an improbable chain of attacks, you're right -- it isn't practical, isn't cost-effective, and there's still money to be made in selling parts from a stolen device. Nothing has changed. The threat to users remains unchanged.
    edited September 28
  • Reply 13 of 35
    So it sounds like my skepticism was right. When this hit the news Friday I thought "Extraordinary claims require extraordinary proof." Now that the other shoe is dropped it isn't nearly as dangerous as advertised. 
  • Reply 14 of 35
    Dang. If this is happening to old iPhones, imagine what is happening to old and current android devices...
  • Reply 15 of 35
    Can anyone comment on the implications for the iPod Touch? As far as I know it never had the Secure Enclave, including the latest model. I'm thinking that it's so similar to the iPhone that it has the same boot ROM.
  • Reply 16 of 35
    Vulkan said:
    I know who GeoSnow is, and he hasn't said anything in regards to what you're proposing here. 

    An iCloud lock isn't bypassed by a DFU in any way, and as it stands, this won't let you do that either. And, even if there is some chain that leads to that, it still won't be persistent if it needs Checkm8 to execute and run -- and, again, the user's data is still in no danger.

    Even if it works in an improbable chain of attacks, you're right -- it isn't practical, isn't cost-effective, and there's still money to be made in selling parts from a stolen device. Nothing has changed. The threat to users remains unchanged.


    He literally said it on his Twitter, and his forum has threads dedicated to creating custom iCloud bypass firmware up to the iPhone X.



    But you're right, there isn’t further risk today to users than yesterday or a couple of years ago.

    Anyways... time will tell what they come up with. Gonna have to see how this all plays out; just hoping you're right and it just ends up simply being good news for the JB community with no downsides.
  • Reply 17 of 35
    Mike Wuerthele (Posts: 4,989, administrator)
    linkman said:
    Can anyone comment on the implications for the iPod Touch? As far as I know it never had the Secure Enclave, including the latest model. I'm thinking that it's so similar to the iPhone that it has the same boot ROM.
    The seventh generation does have the Secure Enclave.
  • Reply 18 of 35
    Very good article, thank you.
  • Reply 19 of 35
    I’ve read a couple of those other “the sky is falling” articles and they’ve left me scratching my head.

    The exploit isn’t that big a deal.  If someone has physical access to your phone, jailbreaks it (wiping the data), and gives it back to you... and you don’t notice.  You’ve got bigger problems...

    Congrats to people that like jailbreaking their phones!  Mostly security researchers...

    Everyone else, go about your business as usual.

    edited September 28
  • Reply 20 of 35
    These excuses would never fly around here for Android, so why iOS? Almost no software is going to be 100% bug free. Just accept it for what it is and leave the excuses. 