
Unfixable Exploit Is the Latest Apple Security Upheaval

For the last several years, so-called jailbreaks of iPhones—cracking iOS to let any software run on the device—have been exceedingly rare. When one appeared in August for iOS 12, it was surprising to even the most dedicated Apple hackers. But today a security researcher published an exploit that lays the foundation to jailbreak almost every single iOS device released between 2011 and 2017, including most models of iPad, Apple Watch, iPod Touch, and Apple TV. The implications are staggering.

Security researcher Axi0mX published the exploit, called "checkm8," Friday on GitHub. It affects every Apple device with an A5 through A11 chipset, meaning every iPhone model from the 4S to the X. Though it isn't an all-in-one jailbreak on its own, the exploit provides an extensive foundation that researchers can build on to craft jailbreaks for every vulnerable device model. Such jailbreaks would let them take over the unit completely, run software far beyond what Apple normally allows, and program apps to interact and share data in ways that Apple's protections usually preclude.

"It's a big day," Axi0mX told WIRED. "The best days for iOS jailbreaking were years ago, when jailbreaks were common, easy to use, and available often. That changed over time and since iOS 9 jailbreaks became less frequent, much less convenient, and not something easily accessible to everyone."


The jailbreak hinges on flaws in Apple's "bootrom," memory in the processor that contains the fundamental code that runs first when a device powers on. Axi0mX found the bootrom vulnerability by reverse-engineering and examining a patch Apple released in summer 2018 for the iOS 12 beta. Since bootrom is foundational to a system, such exploits can be used to create extremely powerful jailbreaks that don't depend on vulnerabilities specific to a particular iOS version. Even if an older device is running the recently released iOS 13, it's still affected because the chip inside it is vulnerable. Before today, the most recent known bootrom exploit for an iOS device was for the 2010 iPhone 4.

Apple did not return a request from WIRED for comment.

"Seriously it’s some killer work here," says Will Strafach, a longtime iOS jailbreaker and founder of the Guardian Firewall app. "You can’t fix this on the old devices, because you are running this from bootrom level. You cannot update bootrom."

Researchers say that Axi0mX's release represents a pivotal shift in the iOS security landscape. For the jailbreaking community, which works to tear free of Apple's restrictive ecosystem in large part to be able to conduct more extensive security analysis, the findings will make it much easier to unshackle a slew of devices. And since researchers will still be able to keep those devices up to date with the latest iOS releases, they will potentially be able both to find and report bugs to Apple more quickly, and protect their test devices from attacks.

Strafach and others also note that these extensive jailbreak capabilities largely eliminate the need for the special research iPhones Apple recently announced. Those devices, which Apple is only giving to select researchers, have fewer protections and restrictions to make it easier to assess iOS security. But the ability to jailbreak recent iPhones running the current iOS will deliver similar insights to many more researchers. In spite of Apple's recent gestures of goodwill toward the iOS research community, the company continues to resist collaboration. Just last month, Apple sued a company called Corellium for creating a tool that allows customers to prod a virtualized version of iOS.

"This is probably the biggest thing to cross most iOS security researchers’ desks in their entire careers to date," says Thomas Reed, a Mac and mobile malware research specialist at the security firm Malwarebytes. "If you're anyone else, it's horrifying."

That's because Axi0mX's findings also have major implications for iOS device security, if bad actors abuse the publicly available vulnerability. Fortunately, the exploit doesn't break Apple's Secure Enclave, which holds the keys to decrypt data already on the device. "You could jailbreak and install anything you want, but couldn't decrypt existing device data like messages, mail, et cetera," says Kenn White, a security engineer and director of the Open Crypto Audit Project.

But it could still allow attackers to wipe iPhones, jailbreak them, and then install malware. An attacker needs physical access to the device to run this exploit, and the compromise ends when someone reboots it, but that still has concerning implications for stalkerware used by abusive partners, among other precarious situations.

"It is possible that bad actors would use this, but I doubt it would be the first choice," Axi0mX told WIRED. "I don't think that somehow this makes things much worse than other options available. It requires physical access to the device and a reboot. But it could potentially be used by bad actors, say at border crossings or if devices are left unattended."


Since the exploit doesn't give an attacker access to existing device data, it seems that it won't be immediately useful for targeted espionage. But on Friday, researchers speculated that nation-state hackers and law enforcement contractors like Cellebrite and Grayshift will likely look for ways to use the exploit in surveillance and device compromise. Shahar Tal, vice president of research at Cellebrite, tweeted on Friday that with his exploit release Axi0mX "overturned the iOS research landscape for years to come. This goes down in exploitation history."

Though the newer chipsets in the iPhone XS and XR from last year and recently released iPhone 11 and 11 Pro are not vulnerable to Axi0mX's exploit, it will take years for the population of vulnerable devices to drop off. And Apple's strong iOS upgrade rates won't help mitigate it.

"iPhone X and below are vulnerable forever. It's incredible," says Jose Rodriguez, a longtime iOS security researcher who specializes in lockscreen bypasses. "This will have enormous repercussions for Apple."
