It's not about putting Apple into a positive light; it's about the truth. Your attempt at revisionist history doesn't hunt. You claimed, and your exact words were: "It. Is. An. 8. Year. Old. Exploit." If you have any evidence that the exploit has existed for 8 years, then please share it with us. And BTW the humor is the flawed logic, not any security issue, still to be understood, for Apple owners.

Fair enough - I misworded that. It should have been vulnerability instead of exploit. :)
 
Individual containers/files can be encrypted with separate keys based on the level of access the OS should have in different states of lock/unlock, on top of the NAND encryption. So if you dump the flash unencrypted, you then also need to crack the containers for things like email and messages which are also AES 256 encryption. All the more reason to focus even more on the passcode and attempt lockout mechanisms.

Are the attempt lockout mechanisms enforced through hardware or software? (Can modifying/exploiting the bootrom change the current limits, hence making brute forcing on the device itself viable?)
 
This is some big news on the Jailbreak scene! I used to use limera1n and other JB exploits quite often before, but the iOS has come a very long way since. I wonder what the draw is for most people who still JB.
 
Does anyone know why this doesn’t work on 2018+ iPhones with A12/A13 CPUs?

Because they updated the code in the boot ROM. In theory older generation devices which are manufactured right at this moment can be patched with new code. However, devices which are already in the wild can never be patched because code in the ROM cannot be modified.
 
This is some big news on the Jailbreak scene! I used to use limera1n and other JB exploits quite often before, but the iOS has come a very long way since. I wonder what the draw is for most people who still JB.

Other than Dark Mode, which was officially implemented in iOS 13 anyways, there aren't many reasons to jailbreak now, in my own personal opinion. I don't care about customization.

I am jailbroken on 12.4, and all I have is iCleaner (to remove all the temp files that collect in the background) and a volume HUD like iOS 13's. That's it...
 
Are the attempt lockout mechanisms enforced through hardware or software? (Can modifying/exploiting the bootrom change the current limits, hence making brute forcing on the device itself viable?)
It's enforced through software... can be bypassed with this exploit.
 
Once the data is copied off the phone can't you brute force it without fear of being locked out? What's the encryption like?

Sure, to brute force my passcode you only need all the computing power in the world for a trillion years, so have at it... oh, for people with a 4 digit passcode? They might have issues.
 
Are the attempt lockout mechanisms enforced through hardware or software? (Can modifying/exploiting the bootrom change the current limits, hence making brute forcing on the device itself viable?)

If it's not in the whitepaper, I can't do anything more than speculate. It's clear that an OS-level exploit alone isn't enough, since the Secure Enclave controls the limits. The Secure Enclave boots separately from the main CPU, with its own boot ROM. But the OS it boots is included in the ipsw Apple ships, and allows Apple to tweak the limiter, as they have done in the past.

However, what I don't know is if this exploit would also work on the boot ROM for the Enclave. If it does, then you can own the Enclave too, and bypass the lockout mechanism by convincing the Enclave to load an unsigned OS.

The fact that Cellebrite convinced the FBI that it could bypass the pin lockout makes me a little concerned that they might have a boot ROM exploit for the Enclave.

But again, generally you should assume that if a well-funded entity has physical control of your phone, that they will eventually gain software control over it as well.

EDIT: The author suggests this exploit can let you decrypt the keybags that hold the keys for decrypting the NAND. Wow, that's bad. That makes me think this exploit may even be the one that Cellebrite found a while back. I would consider this a total security bypass and that anyone with the ability to DFU your phone can dump the data on it. That said, because of things like GreyKey, that should have been a given already. This just makes it a little clearer what exploits were probably at play.

Sure, to brute force my passcode you only need all the computing power in the world for a trillion years, so have at it... oh, for people with a 4 digit passcode? They might have issues.

You can't brute force dumped NAND from an iOS device with just the passcode. You can only brute force the passcode with the SoC. If you want to brute force dumped NAND and don't have access to the SoC, you are looking at cracking AES 256, even if you knew the passcode.
 
I have no reason to jailbreak my iPhone; been there, done that. Now my iPod is a totally different story.
 
Once the data is copied off the phone can't you brute force it without fear of being locked out? What's the encryption like?

You have to run the brute force on the device though (more specifically the SE)..

"The Secure Enclave keeps its own counter of incorrect passcode attempts and gets slower and slower at responding with each failed attempt, all the way up to 1 hour between requests."
 
It would be great to reverse my iPhone 7+ back to iOS 10 from iOS 12 and see if I regain stereo playback.
 
Other than Dark Mode, which was officially implemented in iOS 13 anyways, there aren't many reasons to jailbreak now, in my own personal opinion. I don't care about customization.

I am jailbroken on 12.4, and all I have is iCleaner (to remove all the temp files that collect in the background) and a volume HUD like iOS 13's. That's it...
I used to use the multi-tasker back in the day and to install an app or two. Like you rightly said, Apple has continually adopted all the features that people jailbroke for.
 
EDIT: The author suggests this exploit can let you decrypt the keybags that hold the keys for decrypting the NAND. Wow, that's bad. That makes me think this exploit may even be the one that Cellebrite found a while back. I would consider this a total security bypass and that anyone with the ability to DFU your phone can dump the data on it. That said, because of things like GreyKey, that should have been a given already. This just makes it a little clearer what exploits were probably at play.

What does this mean exactly?

One can pull your encrypted phone content and brute force it off-site? Without going through the Secure Enclave?
 
What does this mean exactly?

That it’s probably the exploit that has been getting used by government agencies to get access to the contents of iPhones the last couple years. Or related to it.

So this is bad, and it does break security like folks have been claiming on this thread. Enough to steal your data if they have physical access to your device for a length of time.

But again, it pays to operate under the assumption that this sort of attack was possible. Because we got some red flags in the San Bernardino case that it was.
 
That it’s probably the exploit that has been getting used by government agencies to get access to the contents of iPhones the last couple years. Or related to it.

So this is bad, and it does break security like folks have been claiming on this thread. Enough to steal your data if they have physical access to your device for a length of time.

But again, it pays to operate under the assumption that this sort of attack was possible. Because we got some red flags in the San Bernardino case that it was.

So if someone has access to your device (e.g. stole it)

They can pull your encrypted phone content and brute force it off-site? Without running it through the Secure Enclave with its limits?

Well at least what they can pull out will still be encrypted with AES 256.. right?..
 
Apple can increase trade-in values for affected devices by +$100; I will trade in my 6s+. :p :p
 
So if someone has access to your device (e.g. stole it)

They can pull your encrypted phone content and brute force it off-site? Without running it through the Secure Enclave with its limits?

Well at least what they can pull out will still be encrypted with AES 256.. right?..

It depends on which keybags are exposed with this technique. The keybags hold the derived, wrapped keys which are used in the actual encryption. At least on paper, it shouldn't be possible to unwrap the user keybag without the passcode-derived AES key. And those unwrapped keys shouldn't even be accessible to the CPU directly, but only the Enclave.

If this somehow manages to bypass that and expose all the user keys, that's really bad. In that case, they don't even need to brute-force anything, they just decrypt NAND at their leisure. If it's the keys the OS uses to read the boot partition, and the device-side pieces of the keys used for iTunes sync, then it's possible that the extent is more limited.

But again. If your device is lost or stolen, it's safer to assume it's compromised. Period. I'd assume this exposes the encryption keys to NAND and find out it doesn't, than assume it doesn't, but then find out it does.
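A toy model of the two points made across this thread (the Secure Enclave's escalating attempt counter, and why a dumped keybag is only useful to someone who also holds the device-bound key material). This is added example code, not Apple's KDF, keybag format or Secure Enclave logic: the UID, the iteration count, the HMAC-based key wrap and the back-off schedule are all constructed or assumed here.

```python
import hashlib
import hmac

# Constructed stand-ins: real devices derive the passcode key with a hardware-bound
# function inside the Secure Enclave, so the tangling step cannot run off-device.
ITER = 200  # tiny iteration count so the demo runs in seconds

def derive_passcode_key(passcode: str, uid_key: bytes) -> bytes:
    """Passcode-derived key, tangled with the device UID (the UID is the salt here)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid_key, ITER, dklen=32)

def wrap_key(kek: bytes, class_key: bytes) -> bytes:
    """Toy authenticated key wrap: XOR with an HMAC keystream, then a 16-byte HMAC tag."""
    stream = hmac.new(kek, b"keybag-stream", "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(class_key, stream))
    return ct + hmac.new(kek, ct, "sha256").digest()[:16]

def unwrap_key(kek: bytes, blob: bytes):
    """Returns the class key, or None when the tag does not verify (wrong kek)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest()[:16], tag):
        return None
    stream = hmac.new(kek, b"keybag-stream", "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def offline_guess(blob: bytes, uid_key: bytes, digits: int):
    """Offline search of an all-digit passcode space against one dumped keybag entry.
    Only succeeds when the attacker also holds the UID-derived material."""
    for n in range(10 ** digits):
        passcode = f"{n:0{digits}d}"
        class_key = unwrap_key(derive_passcode_key(passcode, uid_key), blob)
        if class_key is not None:
            return passcode, class_key, n + 1
    return None

# Assumed back-off schedule (1-4: none, 5: 1 min, 6: 5 min, 7-8: 15 min, 9+: 1 h), taken
# from Apple's platform security documentation; the post above only quotes the 1 hour ceiling.
def se_delay_seconds(failed_attempts: int) -> int:
    if failed_attempts < 5:
        return 0
    return {5: 60, 6: 300, 7: 900, 8: 900}.get(failed_attempts, 3600)

def on_device_worst_case_seconds(digits: int) -> int:
    """Total enforced delay to exhaust an all-digit space through the Enclave's counter."""
    return sum(se_delay_seconds(i) for i in range(1, 10 ** digits + 1))

if __name__ == "__main__":
    uid = bytes.fromhex("00" * 31 + "42")  # constructed device UID
    blob = wrap_key(derive_passcode_key("0427", uid), bytes(range(32)))
    print(offline_guess(blob, uid, 4))        # with the UID: recovered in 428 tries
    print(offline_guess(blob, bytes(32), 4))  # without it: None, the key stays opaque
    print(on_device_worst_case_seconds(4) / 86400, "days through the Secure Enclave")
```

The contrast is the thread's point: a 4-digit space falls in seconds offline once the passcode-derived key can be computed off-device, but takes over a year of enforced delay through the Enclave counter, and a longer alphanumeric passcode widens that gap further.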
 