'Unpatchable' Flaw Can Jailbreak (and Hack) Older iPhones

A free tool from security researcher axi0mX exploits the 'bootrom' in iPhone 4s through X, and promises to make older iPhones permanently jailbreakable, regardless of iOS version.

By Michael Kan, Principal Reporter

A security researcher claims to have discovered an unpatchable hardware-based iPhone vulnerability, which affects models from the 4s to the iPhone X and can pave the way for a new wave of iOS "jailbreaking" and hacks to bypass the lockscreen.

On Friday, security researcher axi0mX published a free tool to exploit the "bootrom," which is baked inside the iPhone's memory chip. Finding a flaw in the bootrom is extremely valuable because it functions as the first computer code that loads on an iOS device when it initially starts up.

Normally, you shouldn't be able to change the bootrom. But according to axi0mX, a permanent flaw exists in older iPhone models that can let you exploit the bootrom to theoretically load whatever software process you want.

"Compromising that code is the Holy Grail of hacking," Thomas Reed, an iOS researcher at antivirus firm Malwarebytes, wrote in a blog post about the flaw.

Axi0mX has dubbed the exploit "checkm8" (pronounced as checkmate) and says it works on iPhones running the A5 through A11 chips. However, his tool isn't a full jailbreak, or a way to let you modify iOS and install unsanctioned third-party apps. Rather, it significantly lowers the bar to achieve a full jailbreak.

To exploit the flaw, it appears you need physical access to the iPhone, to which you connect a data cable and run the exploit code. Already, jailbreakers are posting screenshots of the tool working. However, they're reporting that for now, the exploit can only lead to a "tethered jailbreak," meaning you'll have to connect your iPhone to a PC or Mac whenever it goes through a reboot.

According to axi0mX, the exploit tool was released to be a force for good. Security researchers will be able to use it to gain full system-level access to iOS so they can spot bugs more quickly in Apple's software. The jailbreaking community will also benefit; new methods to initiate a full jailbreak will allow consumers to tweak their iPhones how they'd like, regardless of iOS version.

That said, the same exploit will likely be valuable to law enforcement and governments. Controversial forensic and surveillance companies have been selling hacking devices to police departments and US agencies so they can unlock access to a suspect's iPhone. However, privacy experts are concerned the same hacking technologies can be abused for unwarranted searches and surveillance.

"For law enforcement, and the companies that help them unlock iPhones, this is huge," Reed said. "The checkm8 exploit could be used to give them a permanent window into all but the more recent devices."

Security experts are also concerned the same exploit will unleash spyware. "I support people's right to jailbreak their phones. But I'm also bracing myself for the coming upgrades to the capabilities of iOS spouseware and stalkerware," Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, tweeted.

So far, Apple has remained quiet about the checkm8 flaw, which could also affect older iOS devices such as iPads, Apple Watches, and Apple TV streaming hubs.
