The 'Checkm8' exploit isn't a big deal to iPhone or iPad users, and here's why

Comments

  • Reply 21 of 35
    This sounds very much like it might be the attack vector that Israeli company has been hawking to every “law enforcement” agency on the entire planet.
  • Reply 22 of 35
    Vulkan said:
    Hypothetically, wouldn’t this exploit also possibly allow someone to bypass Apple’s iCloud lock? Say you lost your phone or it was stolen, so you lock the phone using iCloud; wouldn’t this allow a really intelligent thief to run or modify code that bypasses the iCloud lock? Now I’m not talking about secure data, because that could be wiped for all they care. If this allows for the eventuality of a jailbreak and the ability to run tethered code, it could potentially allow useless phones to become useful and increase thefts, provided the phones don’t become blacklisted. I’m not sure if, after you bypass the iCloud lock, it becomes permanent or not once you’re outside of the setup screen, but if a jailbreak comes along that allows for semi-tether this could give it persistence.

    What I’m saying is there are still some out-of-the-box risk scenarios.
    No. There's more about why this is the case in the interview with the developer. 

    And, the possibility of theft of an iPad is unchanged with or without the jailbreak, so the threat profile remains the same before and after the reveal of it.
    I’ve done some reading and it looks like my fears are at least confirmed by iOS researcher GeoSnow, who is convinced you’ll be able to use a custom firmware iCloud lock bypass, possibly alongside dumping the secure ROM.

    The iCloud lock is the security feature that protects the device after it’s been improperly restored or wiped using DFU mode. The iCloud lock binds the device to the user’s iCloud account, rendering the device useless to anyone that does not have the iCloud account it previously used.

    Installing a custom IPSW or iOS operating system without this security feature in place will allow the hardware, i.e. iPhone or iPad, to be used. The exploit only needs to install the custom iOS onto the device, which wasn’t possible before at bootrom level. I am unsure about the SEP (Secure Enclave) working in a custom environment, but all that may mean is the iPhone won’t be able to be locked using Touch ID or Face ID. Persistence may (I’m not sure) require a computer to reboot.

    It’s not practical, but it seems like it’s possible for bad actors or people who have a locked iPhone. I don’t endorse this whatsoever, but I think there is more to it that is still being researched, and it may later affect consumers.


    GeoSnow is a well-known iOS security researcher in the jailbreaking community. Good or bad, his pwndfu mode is what he’s working on to install custom IPSWs, or upgrade/downgrade iOS versions.

    https://jailbreak.fce365.info/Thread-How-to-use-the-Checkm8-BootROM-Exploit-iPwnDFU-on-iOS-8-up-to-iOS-13-1-1

    https://mobile.twitter.com/FCE365

    I know who GeoSnow is, and he hasn't said anything in regards to what you're proposing here. 

    An iCloud lock isn't bypassed by a DFU in any way, and as it stands, this won't let you do that either. And, even if there is some chain that leads to that, it still won't be persistent if it needs Checkm8 to execute and run -- and, again, the user's data is still in no danger.

    Even if it works in an improbable chain of attacks, you're right -- It isn't practical, isn't cost-effective, and there's still money to be made in selling parts from a stolen device. Nothing has changed. The threat to users remains unchanged.


    He literally said it on his Twitter, and his forum has threads dedicated to creating custom iCloud bypass firmware up to the iPhone X.



    But you’re right, there isn’t further risk today to users than yesterday or a couple years ago.

    Anyways... time will tell what they come up with. Gonna have to see how this all plays out; just hoping you’re right and it just ends up simply being good news for the JB community with no downsides.

    I think he’s full of shit. Without persistence you won’t be able to bypass Activation Lock. Without persistence you can’t have a jailbroken device that’s “permanently” jailbroken.
  • Reply 23 of 35
    Gordon Kelly is sure to barf up another anti-Apple article soon enough. 
  • Reply 24 of 35
    Honestly, I think you’re probably right... I think I might be confusing Geohot’s actual credibility with GeoSnow’s. I’ve seen GeoSnow around the Reddit jailbreak forum a lot, and think he might be an actual iOS researcher, but from what I can tell his credibility/relevance seems iffy, although he was credited by Pwn20wnd for contributions to the unc0ver jailbreak.

    Can’t honestly tell if what he claims is legit now, but hopefully you can see my confusion. 
    edited September 2019
  • Reply 25 of 35
    So basically the only people you need to worry about vis-à-vis this exploit is the US Govt.
  • Reply 27 of 35
    Rembert Posts: 11, unconfirmed member
    From a more environmental perspective I'd welcome either a persistent exploit or Apple to 'free' older devices from the jail they're in. When possible I'll install Linux on my ancient iPad-1 so I can still use it for checking TV schedules and using it in the kitchen - I don't allow my kids to use our more recent iPads here. We're still using that iPad-1 for exactly these purposes but as Safari does break down on quite some websites, that's a negative user experience (are you listening, Apple?). It sure would improve the value-for-money impression. I actually get quite frustrated I have to ditch hardware which still runs good enough for several tasks just because software is limiting it. And it's Apple feeding that frustration as they're responsible for this limitation (still listening Apple? As this is another negative user experience). My frustration lessens when I have to ditch it when the hardware breaks down beyond repair. After over 9 years of use, I guess I won't even consider replacing the (still original) battery. For a moment I felt Checkm8 was a promising key to save for our old hardware. But after some more reading I realized it was not as the exploit is not persistent.
  • Reply 28 of 35
    Soli Posts: 10,035, member
    Rembert said:
    From a more environmental perspective I'd welcome either a persistent exploit or Apple to 'free' older devices from the jail they're in. When possible I'll install Linux on my ancient iPad-1 so I can still use it for checking TV schedules and using it in the kitchen - I don't allow my kids to use our more recent iPads here. We're still using that iPad-1 for exactly these purposes but as Safari does break down on quite some websites, that's a negative user experience (are you listening, Apple?). It sure would improve the value-for-money impression. I actually get quite frustrated I have to ditch hardware which still runs good enough for several tasks just because software is limiting it. And it's Apple feeding that frustration as they're responsible for this limitation (still listening Apple? As this is another negative user experience). My frustration lessens when I have to ditch it when the hardware breaks down beyond repair. After over 9 years of use, I guess I won't even consider replacing the (still original) battery. For a moment I felt Checkm8 was a promising key to save for our old hardware. But after some more reading I realized it was not as the exploit is not persistent.
    Can you explain this need for a TV guide that won't run on an iPad but instead can only work by formatting the iPad and installing Linux?
  • Reply 29 of 35
    Mike Wuerthele Posts: 6,861, administrator
    longfang said:
    So basically the only people you need to worry about vis a vis this exploit is the US Govt
    Not even them. The first thing you do if you think they got it is power-cycle the iPhone and anything they installed stops working.
  • Reply 30 of 35
    bulk001 said:
    These excuses would never fly around here for Android, so why iOS? Almost no software is going to be 100% bug free. Just accept it for what it is and leave the excuses. 
    You seem to be confusing explanations with excuses. 
  • Reply 31 of 35
    boredumb said:
    What's the model vulnerability threshold for iPads?
    iPad Mini 2 and iPad Air and newer have the Secure Enclave.
    Why do they claim iPhone 4s to iPhone X when anything above iPhone 5s has Secure Enclave?
  • Reply 32 of 35
    Mike Wuerthele Posts: 6,861, administrator
    dt17 said:
    boredumb said:
    What's the model vulnerability threshold for iPads?
    iPad Mini 2 and iPad Air and newer have the Secure Enclave.
    Why do they claim iPhone 4s to iPhone X when anything above iPhone 5s has Secure Enclave?
    The Boot ROM exploit can be used on anything up to and including an iPhone X. It can't be used to exfiltrate data on phones with a secure enclave.

    A user's data, including passcode, is safe from third-party access regardless of exploit because of that secure enclave.
  • Reply 33 of 35
    cornchip Posts: 1,950, member
    What? No slick logo?

    “unpatchable” LoL
  • Reply 34 of 35
    netmage Posts: 314, member
    dt17 said:
    boredumb said:
    What's the model vulnerability threshold for iPads?
    iPad Mini 2 and iPad Air and newer have the Secure Enclave.
    Why do they claim iPhone 4s to iPhone X when anything above iPhone 5s has Secure Enclave?
    The Boot ROM exploit can be used on anything up to and including an iPhone X. It can't be used to exfiltrate data on phones with a secure enclave.

    A user's data, including passcode, is safe from third-party access regardless of exploit because of that secure enclave.
    That’s not quite correct. Because only A11 (iPhone 8 and X) and later Secure Enclaves implement anti-replay features, it is possible to use this exploit in conjunction with a replay attack to brute-force the PIN and extract the data if the PIN is simple enough. Even a six-digit PIN is probably not complex enough to be protection; you need to use a passcode. Assuming you have the ten-try limit enabled.

    This simplifies the replay attack to being software only, so someone could take your phone, extract the PIN and all data and unlock it and use it, probably within a few hours. Previous replay attacks required opening the phone to work on the memory storing the counter limiting PIN tries directly. 
  • Reply 35 of 35
    dt17 said:
    boredumb said:
    What's the model vulnerability threshold for iPads?
    iPad Mini 2 and iPad Air and newer have the Secure Enclave.
    Why do they claim iPhone 4s to iPhone X when anything above iPhone 5s has Secure Enclave?
    The Secure Enclave only protects and securely stores encrypted keys; think of it like a TPM (Trusted Platform Module) on Windows. It is a separate piece of hardware that acts like a filter to the processor and cannot be manipulated.

    With or without a Secure Enclave the user data is encrypted... it is just more vulnerable without it. The Secure Enclave does not prevent unsigned applications from running; that’s part of the operating system’s software security.