Apple iOS Has Permanent Bootrom Vulnerability'Checkm8' Exploit Poses Risk to Hundreds of Millions of Devices
A security researcher has uncovered what may rank as one of the most significant iOS weakness ever discovered: a flaw that enables bypassing the security protections present in most Apple mobile devices. While the vulnerability can't be patched, an attacker would need physical access to exploit it.
The researcher, who goes by the Twitter handle axi0mX, on Friday announced the “checkm8” exploit. If run successfully, the exploit enables an attacker to install arbitrary code that hasn’t been approved by Apple - potentially including malware or surveillance software - onto an iOS device.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.— axi0mX (@axi0mX) September 27, 2019
Most generations of iPhones and iPads are vulnerable: from iPhone 4s (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
Numerous models of iPhones have the flaw, ranging from the iPhone 4s with A5 chip, to the newer iPhone 8 and iPhone X, which has an A11 chip. The flaw is also present on other devices that run iOS, such as iPads, watches and Apple’s TV products. Devices using Apple’s A12 and later chips are not vulnerable.
The research carries two big caveats. First, it’s a tethered exploit, which means that physical access is required to an iOS device to run the code over a USB cable. Also, the flaw is not persistent, meaning that restarting the device would erase any backdoor that has been installed.
Flaw Present in Bootrom Code
The exploit targets a flaw in the bootrom - aka called "SecureROM" - which is code on a read-only memory chip that iOS loads during startup, writes Thomas Reed, a Mac expert at security firm Malwarebytes. According to Apple, bootrom code is literally laid down during chip fabrication. Reed and Ars Technica interviewed axi0mX to get the details of the exploit.
What makes axi0mX’s find so meaningful is that Apple can’t issue a patch to fix the bootrom code. The security implications of this situation are significant. For example, law enforcement agencies or malicious actors in physical possession of a vulnerable device could alter it in tough-to-detect ways, Reed writes.
“For law enforcement, and the companies that help them unlock iPhones, this is huge. (Assuming, of course, that companies like Grayshift and Cellebrite weren’t already aware of this vulnerability),” Reed writes. “The checkm8 exploit would need to be chained together with other vulnerabilities to be useful, but would be attractive as a link in the chain since it cannot be patched by Apple.”
Luckily, the exploit does not work remotely, axi0mX tells Ars Technica.
Apple officials contacted in Sydney didn’t have an immediate comment on the research and its security implications.
Access Depends on Hardware
To date, axi0mX has only released the exploit code via GitHub, which hasn’t been developed into a full “jailbreak” - polished exploit code that allows for installing apps outside of the App Store. But researchers say someone will likely develop a full jailbreak soon, which would then give users the ability to jailbreak their devices, for example, to access app marketplace such as Cydia.
The researcher has shared some insights into how he discovered the flaw. The initial clue came from Apple issuuing a patch for a critical use-after-free vulnerability in the iBoot code during the iOS betas last year, he writes.
“It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch,” axi0mX writes on Twitter. “The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.”
The amount of access that the exploit can enable depends on the age of an iOS device, axi0mX says. For example, he says the exploit would have allowed law enforcement to access the data of one of the San Bernardino shooters who used an iPhone 5c.
In early 2016, Apple resisted a court order that required it to develop a special version of iOS in order to bypass the passcode protections the 5c. The case, however, never was fully litigated after the Justice Department dropped it, as the phone was unlocked with the help of a private company (see FBI's Zero-Day iPhone Hack: Many Questions).
Meanwhile, Apple introduced Secure Enclave, a hardware-based key manager for devices with the A7 or later A-series processor. Secure Enclave is designed hold the keys for encrypted data and also acts as a brake for brute-force attempts to uncover a device’s passcode.
Axi0mX tells Ars Technica that his exploit does allow someone to execute code on the device, but that it "does not affect the Secure Enclave at all.” Also, the exploit wouldn’t help an attacker access the encrypted data where the keys get stored in the Secure Enclave, he says. That said, once a person unlocks their phone, malware installed via this exploit could still be able to exfiltrate such data.
Benefit to Researchers
While the requirement for physical access to a device does somewhat mitigate this exploit's sting, it highlights that even for the likes of Apple - a company that makes much ado about privacy and security - security remains challenging.
The exploit also poses serious risks, particularly for people such as activists and dissidents, who may be residing in places with fewer legal protections against government-promulgated surveillance efforts. Also in border areas, such as immigration zones in airports and border crossing in the United States, officials don’t need a warrant to start poking around devices.
Based on the risk posed by the exploit, the security firm Trail of Bits says that “we strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU.
“All other devices, including models that are still sold - like the iPhone 8, are vulnerable to this exploit,” the company writes. “Regardless of your device, we also recommend an alphanumeric passcode, rather than a 6-digit numeric passcode. A strong alphanumeric passcode will protect the data on your phone from this and similar attacks.”
Just updated this after having a really good conversation with @axi0mX. I’m less concerned about it now, although think it could still be used maliciously. But I also think the benefits are probably greater for security researchers than the risks are to average users. https://t.co/PxHRW6CYzm— Thomas Reed (@thomasareed) September 27, 2019
For many researchers and other enthusiasts, however, an unpatchable way to get into an iPhone is cause for excitement. For example, Trail of Bits writes that “the exploit also includes the ability to enable debugging features like JTAG on the iPhone CPU - a big win for security researchers and jailbreakers.”
Malwarebytes' Reed writes that the exploit will likely “become one of the most important tools in researchers’ toolkits” as it removes some of the security restriction. It may also end up benefiting Apple down the line, as more researchers with deeper access enabled by the exploit may result in other security issues being reported to it.”