Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Checkm8 Exploit Opens Door to Unpatchable Jailbreak on iPhone 4S Through iPhone X
- Thread starter MacRumors
- Start date
- Sort by reaction score
Does anyone actually use ROM anymore? Most ROMs these days are still flashable firmware but called ROM because of tradition. BootROM could just be a flashable boot loader. I don’t know in Apple’s case, but that is true for other types of computers.
This bug is not likely to be squished.
A stingray spoofs a cell network, it doesn’t decrypt a phone.
Most of the market for jailbreaking would dry up if Apple would permit even a fraction of the customizability that Android does. First and foremost, as phones have gotten much bigger, why can I still not place the app icons lower on the screen where I want them?
I wonder if this has anything to do with the Secure Enclave keys being stolen a few years back and why it only fits certain models up to X?
Thats not how it works. Every encrypted server connection has its own key pair. It doesn‘t use one master key from a cell provider.
Additionally, MITM attacks are much hard these days with TLS 1.3 and certificate pinning. Decrypting traffic is a dying thing, for good or for bad (malware, worms, command and control).
Could this exploit be detected by a future OS causing it to refuse to run apps?
(For example my banking app can detect a jailbroken device and refuse to run.)
(For example my banking app can detect a jailbroken device and refuse to run.)
Well, I hear what you are saying. But security is always like that, where there is a will, there is a way. My point was mainly patting myself on the back and justifying upgrading every year. I suppose it can go both ways too - sometimes it could be the brand new device that has a flaw or security exploit - who knows really.
Am I wrong in believing Apple has the most secure device with the iPhone? Because I do think that. At least I think that the latest iPhones are likely the most secure. Or maybe nothing is completely secure.
Well, I'd like to see a demo from Defcon or some hacker fiesta where the low cost stingray device cracks a lost iPhone 11 running the latest iOS. I'd bet against the Stingray. Are you thinking it is trivial to do? I realize that sometimes exploits can do just that, but these things get patched up. If you have a random lost latest model iPhone running the latest iOS, I'd bet that there is nothing that can crack it at the moment.
If you have a specific iPhone 6 running a specific iOS, then maybe a particular stingray can do something, but to me that's not such a big deal. Apple is good enough with security that they apparently couldn't even get into that terrorists iPhone, remember? That was then, and this is now, but Apple has a great record for security in a practical sense at least.
But we can just easily brute force any 4 or 6 number passcode as we don't have any attempt restrictions
Probably, but they might have improved the boot ROM for other reasons and closed that security hole without having been aware of this precise exploitation path.
nice, I could get my 1st gen iPad mini back on iOS 6
i would like iOS 10.3.3 back on my mini 2.
MR should update their article as more details have come out via an interview done by Ars with the developer who discovered this.
To sum up, this poses no real security risk to users. It’s really more of a research tool people might use to try and find other possible exploits (or test out their exploits).
- We already knew that you need physical access to the device to perform this. It can’t be done remotely.
- It lacks persistence. This is a biggie. Once the device is rebooted it returns to its original state. Nobody is going to sneak your device away from you, jailbreak it, and hand you back a permanently jail broken device. This is what’s known as a “tethered” jailbreak.
- To expand further, if you used this exploit to install malware on the device, that malware only functions until a reboot. Once the phone reboots you’re back with a secure version of iOS just as when you got your iPhone from Apple. There’s no persistence for any software you might try to install on the device.
- It doesn’t give you access to the Secure Enclave or your PIN.
- It doesn’t give you access to data stored in the phone.
To sum up, this poses no real security risk to users. It’s really more of a research tool people might use to try and find other possible exploits (or test out their exploits).
The sim is part of a key to the carrier network used by your cell radio. The handshake is between the radio chip and network. It’s not a key to the phone. There are no carrier apps on iPhones, only the software from Apple, and the carrier profiles (just settings, no executable code). Only Apple could choose to allow carriers to invoke a screen sharing server running on the phone by actively exposing that port and sharing the details with the carriers. However, that’s the opposite of every statement coming from Apple or state agencies that want that. On jailbroken phones, we would have seen that process and open port. The cell radio itself isn’t wired into devices to pull video from the graphics driver, sensors, etc., just data sent to it or requests to open sockets.
when you rush things, this is what happens. iOS isn't released when it is done, it is released when the iPhone is released.
What does this have to do with topic? Boot rom code is likely finalized way in advance. And there is never a bug-free release of any software with not everyone agreeing ios 13 is glitchy.
Krevnik, you seem really knowledgeable about this stuff. If they fixed the flaw in the A12 & A13 bionic chips, does that mean that new A11 bionic phones coming off the lines now are likely already patched?
Because I ordered a new iPhone 8 on Friday and I'd prefer to not have it have the flaw in it. Not sure if I should just upgrade to an iPhone 11 rather than risk it.
No idea. They could, and they should. But someone would need to check new devices. It also depends on how much stock exists in the channel. This is more a question for Apple supply chain folks than it is an engineer who reads up on security to be aware of what’s going on in that part of the industry.
But the good news is that Ars interviewed the author and got more accurate details on the exploit: https://arstechnica.com/information...-idevice-jailbreak-exploit-is-a-game-changer/
The key bit is that it doesn’t bypass protections offered by the Secure Enclave or Touch ID.
Since the passcode can only be converted into an AES key by the Secure Enclave (it uses a key burned into the Enclave itself), this means if you use a passcode, that the protections of any data that requires your passcode shouldn’t be violated by *this* exploit.
But there’s some data that can be accessed without your passcode (but Apple has been restricting how much over time), and I’d assume that data is accessible with this exploit.
