Today, an iOS security researcher who earlier developed software to “jailbreak” older Apple iOS devices posted a new software tool that he claims uses a “permanent unpatchable bootrom exploit” that could bypass boot security for millions of Apple devices, from the iPhone 4S to the iPhone X. The developer, who goes by axi0mX on Twitter and GitHub, posted via Twitter, “This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.”
The exploit has not yet been turned into a kit for jailbreaking the phone, something that requires specialized hardware and software. But it does provide a gateway for other attacks against the security of the device, allowing boot-level access to the phone’s internal software.
EPIC JAILBREAK: Introducing checkm8 (read “checkmate”), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX (@axi0mX) September 27, 2019
“What I am releasing today is not a full jailbreak with Cydia [an alternative package manager for jailbroken iOS devices], just an exploit,” axi0mX wrote. “Researchers and developers can use it to dump SecureROM [the boot ROM code], decrypt keybags [the escrow memory with the keys for all encrypted data on the device] with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.” (JTAG is “Joint Test Action Group,” an interface used for verifying printed circuit boards sometimes leveraged in forensic examination of smartphones.)
The developer said the attack used in the exploit “uses a race condition” to defeat the secure boot but is not yet entirely reliable. It can only be executed locally over USB. The vulnerability was uncovered as the result of a patch issued to the beta of iOS 12 in the summer of 2018, axi0mX said.
It’s possible that this exploit has been found by other researchers and is already in use, especially via tools used by intelligence and law enforcement agencies, such as GreyShift’s GreyKey. Many of these tools use proprietary hardware to collect data off iOS devices.
Ars contacted Apple for comment and has not received a response; this story will be updated as more information becomes available.