
Checkm8 Exploit Opens Door to Unpatchable Jailbreak on iPhone 4S Through iPhone X

uhaas

macrumors 6502
Aug 31, 2012
270
58
Boston, MA
No patch to iOS could prevent a bootROM exploit from working. This is a flaw in the boot code built into the CPU via lithography. So a boot loader can be loaded, which then doesn't bother with security keys. Thus any modification to iOS can be made and booted. Good times.
Does anyone actually use ROM anymore? Most ROMs these days are still flashable firmware but called ROM because of tradition. BootROM could just be a flashable boot loader. I don’t know in Apple’s case, but that is true for other types of computers.
 
Comment

uhaas

macrumors 6502
Aug 31, 2012
270
58
Boston, MA
I find this quite wrong and childish.
You seem to forget or not know that once any phone connects to a couple-of-hundred-dollar stingray, it communicates with it fully decrypted, therefore a simple $300 stingray used by police can gain access to all data in the phone, even passwords, lock-screen passcode, etc.
.... iOS is not as secure as you might think. Nothing is, in fact. Just marketing.
A stingray spoofs a cell network, it doesn’t decrypt a phone.
 
Comment

Taiyed123

macrumors newbie
Apr 27, 2015
6
14
Most of the market for jailbreaking would dry up if Apple would permit even a fraction of the customizability that Android does. First and foremost, as phones have gotten much bigger, why can I still not place the app icons lower on the screen where I want them?
 
Comment

uhaas

macrumors 6502
Aug 31, 2012
270
58
Boston, MA
I wonder if this has anything to do with the Secure Enclave keys being stolen a few years back and why it only fits certain models up to X?
 
Comment

uhaas

macrumors 6502
Aug 31, 2012
270
58
Boston, MA
Your phone gives the encryption key to it via handshake for free. Why? Because the stingray is connected with the same encryption key to the tower and it tells your phone he is the tower.
That's not how it works. Every encrypted server connection has its own key pair. It doesn't use one master key from a cell provider.

Additionally, MITM attacks are much harder these days with TLS 1.3 and certificate pinning. Decrypting traffic is a dying thing, for good or for bad (malware, worms, command and control).
 
Comment

ConfusedChris

macrumors 6502
Jul 29, 2013
268
183
U.K.
Could this exploit be detected by a future OS causing it to refuse to run apps?
(For example my banking app can detect a jailbroken device and refuse to run.)
 
Comment

BuddyTronic

macrumors 65816
Jul 11, 2008
1,264
887
Or maybe Apple should review their code a bit more often since apparently it's an 8 year old exploit (dates back to the 4S). I doubt it's good marketing that you need to upgrade to a new $1000 phone every year because the previous one has security leaks.

Well, I hear what you are saying. But security is always like that, where there is a will, there is a way. My point was mainly patting myself on the back and justifying upgrading every year. I suppose it can go both ways too - sometimes it could be the brand new device that has a flaw or security exploit - who knows really.

Am I wrong in believing Apple has the most secure device with the iPhone? Because I do think that. At least I think that the latest iPhones are likely the most secure. Or maybe nothing is completely secure.
 
Comment

BuddyTronic

macrumors 65816
Jul 11, 2008
1,264
887
I find this quite wrong and childish.
You seem to forget or not know that once any phone connects to a couple-of-hundred-dollar stingray, it communicates with it fully decrypted, therefore a simple $300 stingray used by police can gain access to all data in the phone, even passwords, lock-screen passcode, etc.
.... iOS is not as secure as you might think. Nothing is, in fact. Just marketing.


Well, I'd like to see a demo from Defcon or some hacker fiesta where the low cost stingray device cracks a lost iPhone 11 running the latest iOS. I'd bet against the Stingray. Are you thinking it is trivial to do? I realize that sometimes exploits can do just that, but these things get patched up. If you have a random lost latest model iPhone running the latest iOS, I'd bet that there is nothing that can crack it at the moment.

If you have a specific iPhone 6 running a specific iOS, then maybe a particular stingray can do something, but to me that's not such a big deal. Apple is good enough with security that they apparently couldn't even get into that terrorists iPhone, remember? That was then, and this is now, but Apple has a great record for security in a practical sense at least.
 
Comment

Metalpython

macrumors newbie
Jun 23, 2017
16
8
They will still need your passcode to decrypt the key for the data partition on the phone. They won't have access to anything without your passcode. Apple has thought this stuff through.
But we can just easily brute force any 4 or 6 number passcode as we don't have any attempt restrictions
 
Comment

manu chao

macrumors 604
Jul 30, 2003
6,880
2,781
It has already been patched in the newer chips. I agree people like this are the ones you want to hire, but they already knew of the flaw or it wouldn't be patched in current chips.
Probably, but they might have improved the boot ROM for other reasons and closed that security hole without having been aware of this precise exploitation path.
 
Comment

realtuner

Suspended
Mar 8, 2019
1,714
5,053
Canada
MR should update their article as more details have come out via an interview done by Ars with the developer who discovered this.
  • We already knew that you need physical access to the device to perform this. It can’t be done remotely.
  • It lacks persistence. This is a biggie. Once the device is rebooted it returns to its original state. Nobody is going to sneak your device away from you, jailbreak it, and hand you back a permanently jail broken device. This is what’s known as a “tethered” jailbreak.
  • To expand further, if you used this exploit to install malware on the device, that malware only functions until a reboot. Once the phone reboots you’re back with a secure version of iOS just as when you got your iPhone from Apple. There’s no persistence for any software you might try to install on the device.
  • It doesn’t give you access to the Secure Enclave or your PIN.
  • It doesn’t give you access to data stored in the phone.

To sum up, this poses no real security risk to users. It’s really more of a research tool people might use to try and find other possible exploits (or test out their exploits).
 
Comment

ebika

macrumors 6502a
Nov 17, 2008
536
174
Chicago
I'm suggesting every single SIM out there has an encryption handshake with the device, and based on that handshake it has access to everything: sensors, microphone, storage, apps, root, etc. Imagine WhatsApp, which is encrypted. Let's say you're on T-Mobile. From the T-Mobile back office they cannot decrypt your conversation, but they can read it from your device. Like they see through your eyes. So they're using your device. But remember they have root access. SIM toolkit, carrier apps ring a bell? They can remotely connect to your device and access anything. Of course this is a feature required by government and only it has access, not even T-Mobile. But when a stingray gets between... It literally has a handshake.
The sim is part of a key to the carrier network used by your cell radio. The handshake is between the radio chip and network. It’s not a key to the phone. There are no carrier apps on iPhones, only the software from Apple, and the carrier profiles (just settings, no executable code). Only Apple could choose to allow carriers to invoke a screen sharing server running on the phone by actively exposing that port and sharing the details with the carriers. However, that’s the opposite of every statement coming from Apple or state agencies that want that. On jailbroken phones, we would have seen that process and open port. The cell radio itself isn’t wired into devices to pull video from the graphics driver, sensors, etc., just data sent to it or requests to open sockets.
 
Comment

FeliApple

macrumors 65816
Apr 8, 2015
1,373
511
Wow so I can downgrade my 9.7 iPad Pro back to iOS 9 after Apple forced me to update it? Can’t wait.
 
Comment

I7guy

macrumors Penryn
Nov 30, 2013
24,222
12,398
Gotta be in it to win it
When you rush things, this is what happens. iOS isn't released when it is done, it is released when the iPhone is released.
What does this have to do with the topic? Boot ROM code is likely finalized way in advance. And there is never a bug-free release of any software, with not everyone agreeing iOS 13 is glitchy.
 
Comment

glitch44

macrumors 65816
Feb 28, 2006
1,095
114
If it's not in the whitepaper, I can't do anything more than speculate.

Krevnik, you seem really knowledgeable about this stuff. If they fixed the flaw in the A12 & A13 bionic chips, does that mean that new A11 bionic phones coming off the lines now are likely already patched?

Because I ordered a new iPhone 8 on Friday and I'd prefer to not have it have the flaw in it. Not sure if I should just upgrade to an iPhone 11 rather than risk it.
 
Comment

Krevnik

macrumors 68040
Sep 8, 2003
3,601
852
Krevnik, you seem really knowledgeable about this stuff. If they fixed the flaw in the A12 & A13 bionic chips, does that mean that new A11 bionic phones coming off the lines now are likely already patched?

Because I ordered a new iPhone 8 on Friday and I'd prefer to not have it have the flaw in it. Not sure if I should just upgrade to an iPhone 11 rather than risk it.

No idea. They could, and they should. But someone would need to check new devices. It also depends on how much stock exists in the channel. This is more a question for Apple supply chain folks than it is an engineer who reads up on security to be aware of what’s going on in that part of the industry.

But the good news is that Ars interviewed the author and got more accurate details on the exploit: https://arstechnica.com/information...-idevice-jailbreak-exploit-is-a-game-changer/

The key bit is that it doesn’t bypass protections offered by the Secure Enclave or Touch ID.

Since the passcode can only be converted into an AES key by the Secure Enclave (it uses a key burned into the Enclave itself), this means that if you use a passcode, the protections of any data that requires your passcode shouldn't be violated by *this* exploit.

But there’s some data that can be accessed without your passcode (but Apple has been restricting how much over time), and I’d assume that data is accessible with this exploit.
 
Comment
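The property Krevnik describes above, as an added toy model that is not code from this thread, from Apple, or from the checkm8 author: the passcode alone is not the key, because a per-device secret (here called the UID) that never leaves the enclave is mixed into the derivation, and the only way to run that derivation is through the enclave, which keeps its own attempt budget. Everything below is constructed: the PBKDF2 parameters, the XOR key wrapping, the verifier tag, the attempt budget of 10, and the "wipe after too many failures" rule are assumptions of the model, not Apple's actual algorithms or limits. The point it demonstrates is why code execution on the application processor (which lets you read the NAND contents) does not by itself yield the data protection key.

```python
"""Toy model: passcode-to-key derivation rooted in an enclave-held secret.

Constructed example. It does NOT reproduce the Secure Enclave's real
algorithms or limits; it only shows the structural property discussed in
the thread: reading storage is not the same as holding the key.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: real hardware-tuned work factors differ


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def unwrap_with(nand: dict, kek: bytes):
    """Pure function over the stored blob. Anyone who can read NAND can run
    this, but it only yields the data key if `kek` is right; otherwise None."""
    candidate = xor(nand["wrapped_key"], kek)
    tag = hmac.new(candidate, b"verifier", "sha256").digest()
    return candidate if hmac.compare_digest(tag, nand["tag"]) else None


class ToyEnclave:
    """Holds the per-device secret and a constructed attempt budget."""

    def __init__(self, passcode: str, max_attempts: int = 10):
        self._uid = os.urandom(32)        # never returned by any method
        self.max_attempts = max_attempts  # assumption: enclave-side counter
        self.attempts = 0
        self.wiped = False
        data_key = os.urandom(32)
        # "NAND" holds only the wrapped key plus a verifier tag; both are
        # readable by anyone with code execution on the application processor.
        self.nand = {
            "wrapped_key": xor(data_key, self._derive(passcode)),
            "tag": hmac.new(data_key, b"verifier", "sha256").digest(),
        }

    def _derive(self, passcode: str) -> bytes:
        # The UID is the salt, so the KDF cannot be evaluated outside the enclave.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid,
                                   ITERATIONS, 32)

    def unwrap(self, passcode: str):
        """The only path to the data key. Counts every attempt and, in this
        model, discards the wrapped key once the budget is exhausted."""
        if self.wiped:
            raise PermissionError("wrapped key discarded after too many attempts")
        self.attempts += 1
        key = unwrap_with(self.nand, self._derive(passcode))
        if key is None and self.attempts >= self.max_attempts:
            self.wiped = True
            self.nand = None  # model of erasing the effaceable storage
        return key


def offline_attempt(nand: dict, passcode: str):
    """What an attacker with a NAND dump but no UID can do: run the same KDF
    with a guessed salt (here all zeros). Even the correct passcode fails."""
    kek = hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"\x00" * 32,
                              ITERATIONS, 32)
    return unwrap_with(nand, kek)


if __name__ == "__main__":
    enclave = ToyEnclave("123456")
    dump = dict(enclave.nand)  # attacker's copy of storage
    print("offline, correct passcode, no UID:", offline_attempt(dump, "123456"))
    print("through enclave, correct passcode:", enclave.unwrap("123456") is not None)
```

The two calls at the bottom are the whole lesson: with a full copy of storage and even the right passcode, `offline_attempt` returns `None`, while one call through the enclave succeeds. Any guessing has to go through `unwrap`, where the counter lives, which is why the thread's "no attempt restrictions" claim hinges on whether that counter sits in iOS (replaceable by a boot-level exploit) or in the enclave (not touched by it, per the Ars interview cited above).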

fmcshan

Editor
Apr 8, 2019
222
744
I don't really understand why people would still jailbreak iPhones today. It seems enticing years ago but there really isn't much you get out of it nowadays. Also, doesn't jailbreaking an iPhone void Apple's one year warranty?
 
Comment