Disassembled iPhone showing the new un-patchable iPhone exploit that allows permanent jailbreak
The New Unpatchable iPhone Exploit That Allows Permanent Jailbreak Is a Game-Changer for Mobile Security by Scott Ikeda

Apple’s handling of device security has long been one of the company’s strongest selling points. A new iPhone exploit that gives anyone with physical access to a phone a jailbreak that cannot be patched away changes that picture. While the exploit does not affect Apple’s most recent phones (or, most likely, any going forward), every device from 2011’s iPhone 4S through the iPhone X is permanently vulnerable: the flaw lives in read-only boot code, so no software update can remove it, and only a hardware change could close it. Nearly every iPad is affected, including the seventh-generation model released last week (the 2018 iPad Pro models, built on the A12X, are the exception), along with most Apple TV models.

The new iPhone exploit: Breaking BootROM

The root of the iPhone’s security is its boot ROM (Apple calls it SecureROM): read-only code burned into the application processor at manufacture. It is the first code to run at power-on, it holds Apple’s root public key, and it verifies the signature of the next boot stage (iBoot) before handing over control, anchoring the chain of trust for everything that loads afterwards. Because it is read-only, a flaw in it can never be fixed on devices that have already shipped.

Apple’s security has always hinged on the boot ROM being virtually unbreakable. Someone finally broke it. The “checkm8” exploit, published by a security researcher who goes by the handle “axi0mX”, uses a use-after-free bug in the ROM’s USB (DFU) recovery code to gain code execution inside the ROM itself when the device is connected to a computer over a USB cable. From that point the attacker’s code, not Apple’s, decides what boots next, so the signature checks on iBoot, the kernel and everything after them can simply be skipped.
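The chain of trust just described can be shown in miniature. The Go program below is an added example written for this article, not code from Apple or from axi0mX, and it models the real design only loosely: the vendor key pair, the stage images and the `Exploited` flag are all constructed here, Ed25519 stands in for Apple’s actual signature scheme, and ROM, iBoot and kernel are reduced to byte strings. What it does show is why a boot ROM bug differs in kind from a bug in any later stage: the ROM performs the first signature check, so code execution inside it means every later stage runs unverified, and nothing in software can put the check back.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link after the ROM in a simplified boot chain: an image plus
// the vendor's signature over the image's SHA-256 digest.
type Stage struct {
	Name string
	Code []byte
	Sig  []byte
}

// BootROM models the immutable first stage. It carries the vendor's public
// key and the verification logic; on a real device neither can be changed
// after manufacture. Exploited stands in for checkm8-style code execution
// inside the ROM: the attacker's code runs in place of the ROM's own.
type BootROM struct {
	VendorPub ed25519.PublicKey
	Exploited bool
}

// signStage produces a stage the way the vendor would: hash the image and
// sign the hash with the private key that only the vendor holds.
func signStage(priv ed25519.PrivateKey, name string, code []byte) Stage {
	digest := sha256.Sum256(code)
	return Stage{Name: name, Code: code, Sig: ed25519.Sign(priv, digest[:])}
}

// verifyStage is the check each link performs on the next one. ed25519.Verify
// returns false (it does not panic) for a missing or malformed signature, so an
// unsigned or modified image is simply rejected.
func verifyStage(pub ed25519.PublicKey, s Stage) bool {
	digest := sha256.Sum256(s.Code)
	return ed25519.Verify(pub, digest[:], s.Sig)
}

// Boot walks ROM -> iBoot -> kernel and returns the names of the stages that
// were allowed to run, plus an error if the chain was refused. Trust is
// transitive: the ROM checks iBoot, and iBoot (using the vendor key it
// inherited from the ROM) checks the kernel. If the ROM is exploited, the
// "iBoot" that runs is whatever the attacker loaded, so no later check happens.
func (rom BootROM) Boot(chain []Stage) ([]string, error) {
	ran := []string{"BootROM"}
	verifying := !rom.Exploited
	for _, s := range chain {
		if verifying && !verifyStage(rom.VendorPub, s) {
			return ran, fmt.Errorf("%s: signature check failed, boot halted", s.Name)
		}
		ran = append(ran, s.Name)
	}
	return ran, nil
}

// Scenario records one boot attempt.
type Scenario struct {
	Name string
	Ran  []string
	Err  error
}

// RunScenarios builds a constructed vendor key pair and two chains, one
// legitimately signed and one with a modified iBoot, and boots them on an
// intact ROM and on an exploited one.
func RunScenarios() ([]Scenario, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	iboot := signStage(vendorPriv, "iBoot", []byte("iBoot image (constructed)"))
	kernel := signStage(vendorPriv, "kernel", []byte("kernelcache image (constructed)"))

	// Attacker's iBoot: the vendor's image with one byte changed and the
	// original signature left in place, as a patched bootloader would be.
	patched := iboot
	patched.Code = append([]byte(nil), iboot.Code...)
	patched.Code[0] ^= 0xff

	signed := []Stage{iboot, kernel}
	tampered := []Stage{patched, kernel}

	intact := BootROM{VendorPub: vendorPub}
	exploited := BootROM{VendorPub: vendorPub, Exploited: true}

	var out []Scenario
	ran, err := intact.Boot(signed)
	out = append(out, Scenario{"intact ROM, signed chain", ran, err})
	ran, err = intact.Boot(tampered)
	out = append(out, Scenario{"intact ROM, tampered iBoot", ran, err})
	ran, err = exploited.Boot(tampered)
	out = append(out, Scenario{"exploited ROM, tampered iBoot", ran, err})
	return out, nil
}

func main() {
	scenarios, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, s := range scenarios {
		fmt.Printf("%-30s ran=%v err=%v\n", s.Name, s.Ran, s.Err)
	}
}
```

Run it with `go run .`. The second scenario is what protects a normal device: a modified iBoot fails the ROM’s check and the phone halts. The third is checkm8’s situation: the same modified iBoot runs because the code that should have refused it is under the attacker’s control, and that code cannot be replaced. Note what the model deliberately leaves out: there is no passcode or Secure Enclave key anywhere in it, which matches the real exploit, which yields code execution but not the keys protecting user data.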

One worry this raises is a renewed market for stolen iPhones. Until now, once an owner reported a phone stolen and had it locked, making it usable again was so difficult that most criminals did not bother; the only market for stolen iPhones was stripping them for parts, which pays too little to be a serious concern.

Whether targeted thefts return depends on what the exploit actually yields. A thief needs only a computer and a USB cable to run it and boot their own code on the phone. What it does not do by itself is recover the owner’s passcode or defeat Activation Lock, both of which rest on the Secure Enclave and Apple’s activation servers rather than on the boot ROM, so a stolen phone does not simply become untraceable and fully functional. It does, however, give a thief a far more capable starting point than before.

Lost iPhones, such as the prototypes that famously get left behind in bars and taxis, become easier to examine, although data protected by the passcode stays encrypted. The more practical risk is an attacker with a short window of physical access: a phone left charging unattended, or sitting on an office desk while its owner is in a meeting, can be booted into the attacker’s own code over USB. That window could be used to implant malware that spies on the owner afterwards, even though the exploit itself must be re-run from a computer on every reboot and cannot make itself permanent in the read-only ROM.

The exploit by itself does not break the Secure Enclave Processor (SEP), which holds the keys that encrypt the data stored on the device and enforces the passcode, so user data remains encrypted until the passcode is entered. What the exploit gives an attacker is the ability to load and run whatever boot code and operating system they want.

Benefits to jailbreaking?

Rooting, the Android equivalent of jailbreaking, has been going on since that OS was created, and many users see it as a positive. That is certainly the view of axi0mX, who tweeted that their iPhone exploit “… makes iOS (devices) better for everyone … They will be safer.”

It’s true that there are benefits for consumers who choose to jailbreak. On iOS devices this opens the way to running custom firmware, dual-booting multiple operating systems, or installing older versions of iOS. The latest iOS release is generally the most secure, but some users prefer the look and organization of older versions, or want to keep using 32-bit apps that were never updated for the 64-bit architecture and stopped running with iOS 11. Once Apple stops signing an older iOS version, it is virtually impossible to roll a device back to it without an exploit of this kind.

Recovering a soft-bricked device, one that no longer boots because of a bad update or modification, also gets easier. Because the ROM’s DFU mode is always reachable over USB regardless of what is on the flash storage, an owner can use the exploit to boot a custom recovery image and repair or restore the device.

Fixing the iPhone exploit

If you own one of the affected devices and jailbreaking holds no appeal for you, the news is bad. The boot ROM is part of the A-series system-on-chip, so the only real way to close this hole is to replace the processor itself (in practice, the logic board). It cannot be fixed with a software update, and it is very unlikely that Apple would do hardware replacements for outdated phone and tablet models.

The exploit works on any device whose processor falls in the range A5 through A11. The A5 debuted in 2011 in the iPad 2 and the iPhone 4S. Besides every iPhone from the 4S through the X, the affected range covers almost every iPad on the market, including the seventh-generation model (still built on the A10 Fusion) released only days ago; the 2018 iPad Pro models, built on the A12X Bionic, are the exception.

With the iPhone XS and XR, released in late 2018, Apple moved to the A12 Bionic, which does not appear to be vulnerable. The iPhone X (late 2017, A11 Bionic) is therefore the last affected iPhone; the XS, XR and the new A13-based iPhone 11 are not.

Because of their build quality, high-end specs at launch and long record of security updates and compatibility, people often hold onto iPhones for years before upgrading, or actively seek out older models at a discount. By some estimates, hundreds of millions of people are still using a model vulnerable to this exploit.

It is unclear whether the Apple Watch’s S-series processors are vulnerable. In the Apple TV line, the third-generation model (A5), the fourth-generation Apple TV HD (A8) and the Apple TV 4K (A10X Fusion) use processors in the affected range; the second-generation model uses the A4 and falls outside it.

The exploit does not affect models older than the 4S, but those are not safe either: the A4-based iPhone 4 has its own boot ROM exploit that has been public for years, and multiple jailbreak techniques are already in circulation for older devices.

What the iPhone jailbreak means for consumers

Sam Bakken, Senior Product Marketing Manager, Mobile App Security at OneSpan, had this to say about the new state of mobile device security:

“We’ve seen a rash of vulnerabilities discovered in Apple’s iOS this month, which I hope starts putting to rest discussions of which operating system is more secure. The answer is neither one! Checkm8 serves as the latest reminder that neither Android nor iOS will ever be 100% secure and neither Apple nor Google can or will immediately fix each and every security issue brought to their attention, leaving users and the apps they install exposed. Mobile app developers cannot depend solely on the security of the operating systems or manufacturers’ devices to secure their apps. Security features must be baked into the app development process from the start and developers must operate under the assumption that their apps will be installed on and launched on some number of insecure devices. Securing apps through technology such as device binding and secure communication channels and then also gaining visibility into jailbreak and root status and the app’s runtime environment can fortify a mobile app even in risky environments such as jailbroken phones so that the app can be intelligent about what it will and will not do in those situations.”

As things stand, this exploit means that iOS device users need to be more conscious than before about the physical security of their phones and tablets: keep them out of easy reach of snatch-and-grab thieves (a popular tactic on public transit), and be more careful about leaving them unattended with other people around.

iOS already encrypts user data on these models with keys derived from the passcode and bound to the Secure Enclave, so the exploit by itself does little to help an attacker read that data. The practical step for users is a strong alphanumeric passcode rather than a short PIN, since the passcode is what stands between an attacker holding the device and its contents. The remaining risk is an attacker who gets a window to implant malware, which could then capture logins or unencrypted information and send it off the device without the owner noticing.