The 'Checkm8' exploit isn't a big deal to iPhone or iPad users, and here's why
On Friday morning, news -- and bad headlines -- started circulating about an exploit ranging from the iPhone X all the way back to the iPhone 4s. But, despite the typical mass-media responses to the news, the exploit will have effectively zero impact on the consumer. Here's why.


Apple's iPhone 5c, the last without a Secure Enclave
On Friday morning, hacker axi0mX revealed the "Checkm8" exploit. For the first time in nearly a decade, this particular vector is aimed at the boot ROM in an iPhone or iPad, as opposed to trying to pry open the iOS software.
A series of tweets broke down the exploit -- and spelled out some limitations and answers about the exploit. Cue Internet drama.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
-- axi0mX (@axi0mX)
User vulnerability?
The Checkm8 exploit isn't a drive-by attack. A user can't visit a website and be targeted for malware installation. The exploit isn't persistent, meaning that every time the iPhone is rebooted, the attack vector is closed again.
Earlier iPhones, the iPhone 5c and older, lack a Secure Enclave. If you surrender access to one of those phones, a dedicated assailant can extract your iPhone PIN. But phones with a Secure Enclave -- everything from the iPhone 5s on -- cannot be attacked in that manner.
Furthermore, the exploit is tethered. That means an iPhone or iPad needs to be connected to a host computer, put into DFU mode, and exploited that way -- and the exploit doesn't always succeed, since it relies on a "race condition," according to Checkm8.
Software like keyloggers or other malware could theoretically be installed following an attack. But other mechanisms that Apple has put in place will defeat that once the device reboots.
Apple has implemented what's called a "secure boot chain." In short, every stage of the iOS boot process checks the integrity of the previous stage -- and some stages check the next one -- to be sure that the phone is safe. Those secure boot chain checks won't allow software that fails them to run after a hard reboot of an iPhone.
We've gleaned this information above from Apple in the hours following the exploit's release. The developer axi0mX confirmed these findings, and discussed the implications further in an Ars Technica interview on Saturday morning.
All this said, in short, a user has to either specifically want to perform this procedure on their iPhone and take the steps to execute it, or be careless with the device's physical security and be specifically targeted by an assailant, for it to be of any real concern.
If you're really worried about it, it's time to ditch the iPhone 5c or older that you may be hanging on to. And, you can always completely shut down your iPhone after you've left it unattended for any period of time.
A reboot will not just flush out the exploit, but also break any software that may have been installed in your absence.
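To make the two claims above concrete (the exploit is not persistent, and the secure boot chain rejects modified software after a reboot), here is an added toy model that is not AppleInsider's or Apple's code. It replaces Apple's signature-based chain with a plain SHA-256 hash chain for brevity, and the stage names, image contents, and the "checks disabled for one tethered boot" flag are constructed assumptions, not a description of how checkm8 actually operates.

```python
import hashlib

DIGEST_LEN = 32  # SHA-256 digest size


def build_images(payloads):
    """Build boot-stage images back to front so that every image ends with the
    SHA-256 digest of its successor. Constructed toy model of a chain of trust:
    Apple's real chain uses signatures rooted in a public key in Boot ROM, which
    this example replaces with a plain hash."""
    images = []
    next_digest = b"\x00" * DIGEST_LEN  # the final stage has no successor
    for payload in reversed(payloads):
        image = payload + next_digest
        images.insert(0, image)
        next_digest = hashlib.sha256(image).digest()
    return images


class Device:
    """Minimal device model: a read-only root of trust, mutable flash, and
    volatile RAM state that a tethered session can alter for one boot only."""

    def __init__(self, rom_root, storage):
        self.rom_root = rom_root        # fused into Boot ROM; cannot be rewritten
        self.storage = list(storage)    # flash: the stage images, writable
        self.checks_disabled = False    # volatile; models a tethered session

    def boot(self):
        """Walk the chain outward from Boot ROM. Returns (success, log)."""
        log = []
        expected = self.rom_root
        for i, image in enumerate(self.storage):
            actual = hashlib.sha256(image).digest()
            if actual == expected:
                log.append("stage %d: verified" % i)
            elif self.checks_disabled:
                log.append("stage %d: mismatch ignored (tethered session)" % i)
            else:
                log.append("stage %d: integrity check failed, boot halted" % i)
                return False, log
            expected = image[-DIGEST_LEN:]  # what this stage demands of the next
        return True, log

    def reboot(self):
        self.checks_disabled = False  # RAM state does not survive a power cycle


def scenario():
    """Run the article's sequence: clean boot, tethered boot with a modified
    kernel in flash, reboot, attempt to re-link the chain, then restore."""
    images = build_images([b"iBoot-v1", b"kernel-v1", b"userland-v1"])
    rom_root = hashlib.sha256(images[0]).digest()  # the burned-in expectation
    dev = Device(rom_root, images)
    results = {}
    results["clean"] = dev.boot()[0]

    # Tethered session: checks are skipped for this one boot, and a modified
    # kernel image (constructed) is written to flash.
    dev.checks_disabled = True
    dev.storage[1] = b"kernel-modified" + images[1][-DIGEST_LEN:]
    results["tethered"] = dev.boot()[0]

    # Power cycle: the volatile state is gone and Boot ROM re-verifies from
    # the root, so the modified kernel is rejected.
    dev.reboot()
    ok, log = dev.boot()
    results["after_reboot"] = ok
    results["after_reboot_log"] = log

    # Rewriting iBoot to vouch for the modified kernel does not help either,
    # because the ROM root commits to the original iBoot image.
    dev.storage[0] = b"iBoot-v1" + hashlib.sha256(dev.storage[1]).digest()
    results["chain_rewritten"] = dev.boot()[0]

    # Restoring the original images brings the device back to a clean boot.
    dev.storage = list(images)
    results["restored"] = dev.boot()[0]
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The point the model makes is the one the article makes: whatever is written to flash during a tethered session, the next boot starts from a root that cannot be changed, and the first stage whose digest no longer matches stops the boot. Persistence would require the stored images to verify against that root, which a hash (or signature) check is designed to prevent.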
Jailbreaking is fine!
We're not opposed to jailbreaking here at AppleInsider. A few staffers have done it in the past.
AppleInsider doesn't generally cover jailbreak exploits. In the cat-and-mouse game constantly raging between Apple and the jailbreak community, information published today is often outdated tomorrow. This exploit isn't really different in that respect, but it reached a much wider audience outside of the tech media.
In that media, in the very few hours after the Checkm8 exploit was revealed, there has been a lot of fear, paranoia, and finger-pointing done across the internet. There is no real reason for it at all. Fortunately, as of yet, there haven't been any "nasty secret" style headlines regarding this matter. We're sure that some content management system someplace has one stored, though, and we're also pretty sure we know who's going to do it first.
Most of the headlines are right. This is a big deal for the jailbreak community. We don't think it's a bad thing at all. Because of limitations for assailants, it just makes no difference to nearly every iPhone or iPad user outside of that community, though.
If you take anything away from this, it should be that you are no less safe today after the reveal of Checkm8 than you were yesterday, or the day before, or four years ago. Malware can't exploit it at all, and if you maintain physical security of your iPhone 5s or newer, then your passcode -- and your data -- remain safe.
Comments
I posted the long link because some readers don't recognize the blue text as a link, and others simply fail to notice it. That happens regularly here.
What I'm saying is there are still some out-of-the-box risk scenarios.
And the possibility of theft of an iPad is unchanged with or without the jailbreak. So the threat profile remains the same before and after the reveal of it.
The iCloud lock is the security feature that protects the device after it's been improperly restored or wiped using DFU mode. The iCloud lock binds the device to the user's iCloud account, rendering the device useless to anyone that does not have the iCloud account it previously used.
Installing a custom IPSW or iOS operating system without this security feature in place will allow the hardware, i.e. iPhone or iPad, to be used. The exploit only needs to install the custom iOS onto the device, which wasn't possible before at bootrom level*. I am unsure about SEPs (Secure Enclave) working in a custom environment, but all that may mean is the iPhone won't be able to be locked using Touch ID or Face ID. Persistence may* (I'm not sure) require a computer to reboot.
https://jailbreak.fce365.info/Thread-How-to-use-the-Checkm8-BootROM-Exploit-iPwnDFU-on-iOS-8-up-to-iOS-13-1-1
https://mobile.twitter.com/FCE365
Even if it works in an improbable chain of attacks, you're right -- it isn't practical, isn't cost-effective, and there's still money to be made in selling parts from a stolen device. Nothing has changed. The threat to users remains unchanged.
Anyways... time will tell what they come up with. Gonna have to see how this all plays out; just hoping you're right and it just ends up simply being good news for the JB community with no downsides.
The exploit isn’t that big a deal. If someone has physical access to your phone, jailbreaks it (wiping the data), and gives it back to you... and you don’t notice. You’ve got bigger problems...
Congrats to people that like jailbreaking their phones! Mostly security researchers...
Everyone else, go about your business as usual.