I find this quite wrong and childish.
You seem to forget, or not know, that once any phone connects to a couple-of-hundred-dollar stingray, it communicates with it fully decrypted; therefore a simple $300 stingray used by police can gain access to all data on the phone, even passwords, the lock screen passcode, etc.
.... iOS is not as secure as you might think. Nothing is, in fact. Just marketing.
lol, what are you talking about? That's not what stingray devices do. They're man-in-the-middle fake cell towers that capture transmitted keys, try to boost radio transmission power and request frequency for triangulation, and pretend secure protocols aren't working to hope for less-secure fallback transmission protocols. They don't reach in, decrypt your phone, and transmit your storage or active RAM contents, let alone things like the lockscreen passcode.
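The downgrade trick described in the reply above (a fake tower that "pretends secure protocols aren't working") is easy to see in a small model. This is an added example, not code from the thread or from any real stingray: it models the GSM cipher-mode negotiation, in which the network, not the handset, picks the algorithm and the handset has no way to authenticate the network. The class names, the `minimum_cipher` policy knob and the capability sets are this example's own assumptions; a stock handset does not expose such a knob.

```python
# Added example: toy model of GSM cipher-mode negotiation and the downgrade a
# rogue base station performs. Names and policies are this example's assumptions.
from dataclasses import dataclass, field

# GSM ciphering algorithms ordered by strength. "A5/0" means no encryption.
CIPHER_RANK = {"A5/3": 3, "A5/1": 2, "A5/2": 1, "A5/0": 0}


@dataclass
class BaseStation:
    """Network side. The handset cannot authenticate a 2G network, so a rogue
    base station can send any CIPHER MODE COMMAND it likes."""
    supported: set
    rogue: bool = False

    def cipher_mode_command(self, handset_caps):
        """Return the algorithm the handset will be ordered to use."""
        if self.rogue:
            # The attack: claim nothing stronger works and order clear text.
            return "A5/0"
        common = self.supported & set(handset_caps)
        if not common:
            return "A5/0"  # a legitimate network with no overlap also falls back
        return max(common, key=CIPHER_RANK.get)


@dataclass
class Handset:
    capabilities: set = field(default_factory=lambda: {"A5/1", "A5/3"})
    minimum_cipher: str = "A5/0"  # default: accept whatever the tower orders

    def attach(self, tower):
        """One attach attempt: (algorithm ordered by the tower, accepted?)."""
        ordered = tower.cipher_mode_command(self.capabilities)
        accepted = CIPHER_RANK[ordered] >= CIPHER_RANK[self.minimum_cipher]
        return ordered, accepted


def simulate():
    """Run the four combinations of legitimate/rogue tower and lax/strict handset."""
    legit = BaseStation(supported={"A5/1", "A5/3"})
    rogue = BaseStation(supported={"A5/1", "A5/3"}, rogue=True)
    permissive = Handset()                     # stock behaviour: A5/0 is fine
    strict = Handset(minimum_cipher="A5/1")    # refuses an unencrypted link
    return {
        "legit/permissive": permissive.attach(legit),
        "legit/strict": strict.attach(legit),
        "rogue/permissive": permissive.attach(rogue),
        "rogue/strict": strict.attach(rogue),
    }


if __name__ == "__main__":
    for scenario, (alg, ok) in simulate().items():
        print(f"{scenario:18s} ordered={alg:5s} accepted={ok}")
```

The permissive handset attaches to the rogue tower with no encryption at all, which is the outcome the fake tower is after; the strict one refuses, which in practice means the call or data session fails rather than being read. Nothing in this exchange touches the handset's storage or passcode, only the radio link.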
This is a bootrom exploit. It can only be exploited when the device is in DFU recovery mode and will not affect the security of devices being used normally.

This is really the best kind of jailbreak exploit because only the people who really want to go out of their way to jailbreak can use it. Regular users are safe; all it means is that people can do whatever they like with these devices they own now.
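The post above turns on two facts: the bug lives in the boot ROM, and it is only reachable while the device sits in DFU mode on USB. A practitioner (the IT department further down the thread, for instance) will want a quick way to tell which mode a plugged-in device is in and which chip generation it has. The example below is added here and is not code from the thread or from Apple. The Apple USB vendor ID, the DFU and recovery product IDs and the layout of the DFU serial string are as publicly documented; the CPID-to-SoC table is this example's own assumption and should be checked against a device you own. The "fixed in A12 and later" rule follows the thread, which names no lower bound.

```python
import re

# Added example, not from the thread or from Apple. The CPID table is an
# assumption of this example; verify it against your own hardware.
APPLE_USB_VID = 0x05AC
DFU_USB_PID = 0x1227       # SecureROM DFU mode: the state the thread discusses
RECOVERY_USB_PID = 0x1281  # iBoot recovery mode: a later, different stage

# Chip IDs as reported in the DFU serial string, mapped to SoC generation.
CPID_TO_SOC = {
    0x8930: "A4", 0x8940: "A5", 0x8942: "A5", 0x8945: "A5X",
    0x8950: "A6", 0x8955: "A6X", 0x8960: "A7", 0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9", 0x8003: "A9", 0x8001: "A9X", 0x8010: "A10", 0x8011: "A10X",
    0x8015: "A11", 0x8020: "A12", 0x8027: "A12X", 0x8030: "A13",
}

# Constructed sample of what a DFU-mode device reports as its USB serial string.
SAMPLE_DFU_SERIAL = ("CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
                     "ECID:000000000000DEAD IBFL:3C SRTG:[iBoot-3332.0.0.1.23]")

_FIELD_RE = re.compile(r"([A-Z]+):(\S+)")


def parse_dfu_serial(serial):
    """Split 'KEY:VALUE KEY:VALUE ...' into a dict; SRTG's brackets are stripped."""
    fields = {key: value.strip("[]") for key, value in _FIELD_RE.findall(serial)}
    if "CPID" not in fields:
        raise ValueError("not a DFU-mode serial string: no CPID field")
    return fields


def soc_generation(soc):
    """'A11' -> 11, 'A12X' -> 12, 'unknown' -> None."""
    m = re.match(r"A(\d+)", soc)
    return int(m.group(1)) if m else None


def assess_device(vid, pid, serial):
    """Classify one USB device: its mode, its SoC, and whether its boot ROM
    predates the A12 generation the thread says carries the fix."""
    result = {"mode": None, "soc": None, "cpid": None, "exposed": False}
    if vid != APPLE_USB_VID:
        result["mode"] = "not-apple"
        return result
    if pid == RECOVERY_USB_PID:
        result["mode"] = "recovery"   # iBoot is running; the ROM stage is past
        return result
    if pid != DFU_USB_PID:
        result["mode"] = "normal"     # a booted device is not in the exposed state
        return result
    fields = parse_dfu_serial(serial)
    cpid = int(fields["CPID"], 16)
    soc = CPID_TO_SOC.get(cpid, "unknown")
    gen = soc_generation(soc)
    result.update(mode="dfu", soc=soc, cpid=cpid, srtg=fields.get("SRTG"))
    # Per the thread: A12 and later ship a fixed ROM; older chips cannot be patched.
    # An unknown CPID is reported as not exposed only because we cannot say; check it.
    result["exposed"] = gen is not None and gen < 12
    return result


if __name__ == "__main__":
    print(assess_device(APPLE_USB_VID, DFU_USB_PID, SAMPLE_DFU_SERIAL))
```

On Linux the VID, PID and serial string come from `lsusb -v` or from the sysfs `idVendor`, `idProduct` and `serial` attributes; on macOS from System Information's USB pane. The key point the check preserves is the one in the post: a device that is booted normally, or even sitting in iBoot recovery, is not in the state where a boot ROM bug is reachable.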
Not true. The iCloud activation lock can be bypassed. Devices can be stolen and restored as new now.
Jailbreak 2019 Hackers: "HAhahahahaha! We did it! Checkmate!"
Apple at WWDC 2020: "We are releasing a brand new bootROM for macOS/iOS/watchOS/tvOS."

They already made a new boot ROM which doesn't contain the exploit but it's only for A12+ devices. All older devices are vulnerable and cannot be updated by Apple. So I'd say yes, the 2019 hackers do have a checkmate, even in 2020 and beyond. The only "fix" for us consumers is to buy a new device.
Apple should send him a nice hefty offer. These are the people you want on your team.
Apple wouldn't pay for this. It has already been patched in the newer chips. I agree people like this are the ones you want to hire, but they already knew of the flaw or it wouldn't be patched in current chips.
And how will it be with iCloud-locked phones? If mine gets stolen, will it be safe, or can anyone reinstall it with this hack and bypass the iCloud lock?
They can bypass the lock; however, they can't remove the lock. As soon as the phone hits cellular or the internet, the lock would be detected. This does let people bypass the lock, though, and pull any information off the phone. There was already a way to pull information off a locked phone previously, but this sounds like an easier method.
Very good news. This means we can dual boot different iOS versions or dual boot iOS and Android. Anyway, if he had actually sold this exploit to the FBI/government it would have been in the 7-8 digits, but he released it for free; he would have been set for life if he had sold this exploit. Also, people are gonna have a spending spree buying all the iCloud-locked iPhones below the iPhone X. Would've been nice if iPhones had more RAM.
I’m sure people have their reasons. Themes, illegal downloads, and all sorts of little tweaks and customizations. But I agree there is little to no reason for the majority of people.

Yeah, if this really works it will be brilliant for those of us who actually need functionality that Apple refuses to allow. For example, in my computer toolkit is an old iPhone 5 with a battery case that is jailbroken so I can have a real WiFi analyzer.

Until Apple realizes that actual professionals use their products I will continue to welcome jailbreaks. Especially ones that appear to be as secure as this one.

It's sad. It isn't like Apple can't support both professional AND casual everyday users. That's exactly what they did for decades. It's only since the advent of iOS devices that they seem to believe that only casual users use their devices (slowly becoming a self-fulfilling prophecy).
I find this quite wrong and childish.
You seem to forget, or not know, that once any phone connects to a couple-of-hundred-dollar stingray, it communicates with it fully decrypted; therefore a simple $300 stingray used by police can gain access to all data on the phone, even passwords, the lock screen passcode, etc.
.... iOS is not as secure as you might think. Nothing is, in fact. Just marketing.

So ridiculous and so wrong. Just make stuff up as you go, eh? Ignoring how incorrect you are about gaining access to the phone via a Stingray for a moment, you should realize that you're not setting up a Stingray for anything less than the neighborhood of $150k.

Get your facts straight.
I find this quite wrong and childish.
You seem to forget, or not know, that once any phone connects to a couple-of-hundred-dollar stingray, it communicates with it fully decrypted; therefore a simple $300 stingray used by police can gain access to all data on the phone, even passwords, the lock screen passcode, etc.
.... iOS is not as secure as you might think. Nothing is, in fact. Just marketing.

Wow, you have literally no idea what you are talking about.
This will be handy for our IT department. They have a stack of old iPads which were never under device management and are locked with ex-employees' PINs. Now they can wipe them.
lol, what are you talking about? That's not what stingray devices do. They're man-in-the-middle fake cell towers that capture transmitted keys, try to boost radio transmission power and request frequency for triangulation, and pretend secure protocols aren't working to hope for less-secure fallback transmission protocols. They don't reach in, decrypt your phone, and transmit your storage or active RAM contents, let alone things like the lockscreen passcode.
You're missing the point. They don't need to decrypt anything, as they already have access with the handshake encryption key from the device itself. It's like when you use TeamViewer. Dooh!
On top of that, they get storage, a keylogger and even root access through your SIM provider, which also has root access and your device encryption key handshake. Research it.
Cool, that means the iCloud lock on iPhones and iPads with a chip compatible with this exploit can be bypassed easily after someone makes a tool with this exploit. Good news.
You're missing the point. They don't need to decrypt anything, as they already have access with the handshake encryption key from the device itself. It's like when you use TeamViewer. Dooh!
On top of that, they get storage, a keylogger and even root access through your SIM provider, which also has root access and your device encryption key handshake. Research it.

Most data from apps is probably going over HTTPS via TLS sent over the internet, which stingray devices aren't going to spoof decryption keys for... only the remote server has the decryption key. Stingray devices would be able to decrypt the traffic from the iPhone cell radio to the cell station, but the data inside is still encrypted via TLS, unless the app is sending in the clear. The radio isn't going to be a route to installing keyloggers or storage read-and-transmit via connections to a cell tower unless something is seriously wrong with your phone, or you're going down the rabbit hole that Apple is complicit in allowing these back doors. Phones don't transmit their core data or rendered display without apps being the conduit. Are you suggesting the cell radio comes with rootkit software, or has injection vulnerabilities to rootkit via cell traffic? I mean, sure, someone could build that, but it would be a massive security hole.
All the cool kids violate their warranty. Didn't you know?

This place is bitterly condescending to jailbreakers for absolutely no discernibly acceptable reason except for an excuse to be rude.

Side note: for the uneducated, jailbreaking does not violate a warranty.
I haven't been jailbroken since the 3G; what's the big draw of a jailbreak nowadays?

The ability to use one's device as they see fit, free of unnecessary restriction.

Example: I absolutely despise that the homebar must overlay iOS 100% of the time. Jailbreaking lets me get rid of something that should have faded away within the first five minutes of using my device.
Most data from apps is probably going over HTTPS via TLS sent over the internet, which stingray devices aren't going to spoof decryption keys for... only the remote server has the decryption key. Stingray devices would be able to decrypt the traffic from the iPhone cell radio to the cell station, but the data inside is still encrypted via TLS, unless the app is sending in the clear. The radio isn't going to be a route to installing keyloggers or storage read-and-transmit via connections to a cell tower unless something is seriously wrong with your phone, or you're going down the rabbit hole that Apple is complicit in allowing these back doors. Phones don't transmit their core data or rendered display without apps being the conduit. Are you suggesting the cell radio comes with rootkit software, or has injection vulnerabilities to rootkit via cell traffic? I mean, sure, someone could build that, but it would be a massive security hole.
I'm suggesting every single SIM out there has an encryption handshake with the device, and based on that handshake it has access to everything. Sensors, microphone, storage, apps, root, etc. Imagine WhatsApp, which is encrypted. Let's say you're on T-Mobile. From the T-Mobile back office they cannot decrypt your conversation, but they can read it from your device. Like they see through your eyes. So they're using your device. But remember, they have root access. SIM toolkit, carrier apps ring a bell? They can remotely connect to your device and access anything. Of course, this is a feature required by the government and only it has access, not even T-Mobile. But when a stingray gets in between... It literally has the handshake.
Your phone gives the encryption key to it via the handshake for free. Why? Because the stingray is connected with the same encryption key to the tower, and it tells your phone it is the tower.
You know what's private and better encrypted? Your brain, and knowing things like this.
IMO there is no such thing as security on cell phones or OSes. Yes, security experts know how to customize their hardware and software to be impenetrable, but I think that will be at government level.
I’m sure people have their reasons. Themes, illegal downloads, and all sorts of little tweaks and customizations. But I agree there is little to no reason for the majority of people.
If I'm not mistaken, it means you don't want to let your phone out of your sight if you do anything of value on it, such as for corporate secrets, or state secrets, or anything which makes you a high value target. A person who can "borrow" your phone for a few hours can theoretically own it.

They don't need access to your passcode, you'll provide it for them when you use it next.
So did Apple know about this and patch the vulnerability in the Xs?
Yes, but did they find it and fix it, or fix it ‘accidentally’? No way of knowing, I suppose.

So if I lose my iPhone I will be sure to erase it remotely quickly.

I am still waiting for a fix for the XKCD ‘hit him with this wrench until he tells you his password’ bug.