In a significant development for the iOS ecosystem, a hacker and cybersecurity researcher has publicly released what is being described as a “permanent unpatchable bootrom exploit.” This advancement, known as Checkm8, is designed to jailbreak a broad spectrum of iOS devices, specifically those ranging from the iPhone 4s, equipped with the A5 chip, to the iPhone 8 and iPhone X, which utilize the A11 chip.

The Checkm8 exploit capitalizes on inherent security vulnerabilities within Apple’s Bootrom (SecureROM), the initial code executed when an iPhone boots up. When successfully exploited, this vulnerability allows for extensive system-level access. Axi0mX, the researcher behind this release, characterized it as “EPIC JAILBREAK: Introducing checkm8, a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices,” in a recent Twitter announcement.

Noteworthy is the timing of this release, which followed Apple’s own emergency patch a month prior that addressed a critical jailbreak vulnerability affecting devices including the iPhone XS, XS Max, XR, and the 2019 iPad Mini and Air, running iOS 12.4 and earlier. Because the bootrom is read-only code burned into the chip at manufacture, a vulnerability in it cannot be fixed by a software update to already-shipped devices, which is what gives this exploit its permanent nature.

It is crucial to clarify that while the Checkm8 exploit itself does not constitute a complete jailbreak solution—such as one that includes Cydia—it does provide the necessary groundwork for developers and researchers within the jailbreak community to craft a fully functional jailbreak tool.

The capabilities afforded by the Checkm8 exploit include various advanced functions. Users can jailbreak certain older iPhone models, put a device into Pwned DFU Mode (a DFU state in which the bootrom has been exploited and will accept unsigned code) through several device-specific exploits, and even dump or manipulate SecureROM and NOR on compatible devices. Axi0mX asserts that the release is intended for the broader benefit of the iOS jailbreak and security research communities, allowing extensive analysis and further developments.

Importantly, Axi0mX discovered this bootrom vulnerability while scrutinizing a security patch that Apple issued in 2018 to address a previously identified critical use-after-free vulnerability in iBoot USB code. He also emphasizes that the Checkm8 exploit cannot be executed remotely; it necessitates physical access to the device via USB.

This exploit is effective specifically on devices employing Apple’s A5 through A11 chipsets and does not extend to newer architectures like the A12 and A13. Cybersecurity professionals, particularly in businesses leveraging iOS devices, should be aware of the implications this could have on device security and the ease of access it affords potential malicious actors.

As the release of the Checkm8 exploit marks a major moment in the iOS jailbreak community, it illuminates the ongoing cat-and-mouse game between system developers and security researchers. For organizations relying on iOS technology, the necessity for robust security measures becomes increasingly evident as vulnerabilities continue to be revealed and exploited. Navigating this landscape will be critical for mitigating the risks associated with such developments.

In understanding the potential threats associated with this exploit, analysts may reference the MITRE ATT&CK framework. Tactics like initial access and privilege escalation could be pertinent in evaluating the risks posed by not just the Checkm8 exploit but the broader implications of any derived tools that may emerge. The ongoing evolution of the cybersecurity landscape requires vigilance and proactive measures to safeguard sensitive enterprise data.
