
Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer - headalgorithm
https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/
======
gumby
The list of limitations of the jailbreak is itself interesting as it shows the
benefits of defense at depth: even if you have this exploit you need physical
access, Secure Enclave is still inaccessible etc.

Compare to the "firewall" approach which is crunchy on the outside but nice
and soft on the inside. Snowden showed the NSA intercepting unencrypted
internal comms between google's and yahoo's respective datacenters. And our
IoT devices are often exploited vectors.

Interesting the Apple wouldn't even consider their own _device boundary_
adequate. Compare to others who (used to? Still do?) keep, say, fingerprint
data in the filesystem. Some people say code structure reflects organizational
structure; I wonder if apple's own corporate structure (with internal inter-
project secrecy, which I consider insane) lead in part to this approach: "I
can't trust those other organizations writing system code to use the security
features I put in so I'll consider them a kind of adversary too"

~~~
neuland
Just curious, why do you think that inter-project secrecy within a company is
a bad idea?

~~~
gumby
TO be clear I consider Apples _level_ of inter-group secrecy insane. When
Apple switched from PPC to Intel I had friends who worked on apple's dev tools
(like gdb) who learned about the switch the same day I did. That's over the
top.

Apple doesn't have divisions; it would be unremarkable that GE's jet engine
business didn't know what GE's medical MRI division was up too. But Apple has
a small number of products that essentially share a backbone. Yet features are
poorly integrated; Mac photos is ahead if iOS's in some ways and behind in
others suggesting less shared code than would be more efficient, less buggy,
and less confusing the users. The Mac has a whole en ("ink") infrastructure
which is more powerful than what's on the iPod despite the iPod having much
more common pen support. And let's not get to security architecture...

At the other extreme Google has (mostly) a monorepo. They have their own
problems but act to improve connection between the company. Cisco used to and
probably still does have a number of common architectural structures across
its product line. Etc.

~~~
hrktb
It feels weird having Google on the “improve connection between the company”
side when they are the poster child of parallel implementations and internal
competing products and standards (at least as seen from the outside).

It is just a warped perception ?

~~~
gumby
I don't think so. I just cited their monorepo as an approach close to opposite
polar extreme.

In reality they don't actually have a _single_ , company-wide repo, and they
also have some groups that have isolation almost as extreme as Apple's.

Any large company will have these communication problems I cited; the part I
find weird is that Apple not only takes no steps to address them but takes
steps that as side effects exacerbate the issue. Clearly it doesn't bother
them and they do ship good products so...

------
Ecco
I’m wondering about the economics of this release. I don’t know if Apple has
any bug bounty program and whether it would apply here, but I’m pretty sure
_someone_ would have paid a lot of money for this.

Hence my question: why make it public? What’s the backstory?

~~~
bonestamp2
> What’s the backstory?

From the person/hacker/security researcher (@axi0mX) who discovered it:

During iOS 12 betas in summer 2018, Apple patched a critical use-after-free
vulnerability in iBoot USB code. This vulnerability can only be triggered over
USB and requires physical access. It cannot be exploited remotely. I am sure
many researchers have seen that patch. That's how I discovered it. It is
likely at least a couple other researchers were able to exploit this
vulnerability after discovering the patch. The patch is easy to find, but the
vulnerability is not trivial to exploit on most devices.

> why make it public?

A bootrom exploit for older devices makes iOS better for everyone.
Jailbreakers and tweak developers will be able to jailbreak their phones on
latest version, and they will not need to stay on older iOS versions waiting
for a jailbreak. They will be safer. It will also be better for security
researchers interested in Apple's Bug Bounty. They will not need to keep
vulnerabilities on hand so that they have access they need for their research.
More vulnerabilities might get reported to Apple right away.

Source:
[https://mobile.twitter.com/axi0mX/status/1177542201670168576...](https://mobile.twitter.com/axi0mX/status/1177542201670168576?s=20)

I wonder if this is this vulnerability that a private company was exploiting
for tools they provided to various law enforcement agencies?

~~~
strstr
Wait, why does this make iOS better? This breaks the security guarantees I
expected from the phone.

~~~
arkadiyt
iOS is such a walled garden that security researchers have a very difficult
time gaining low level access on the phone. This has incentivized researchers
to keep vulnerabilities they find for themselves rather than disclose them to
Apple, so that they can use the vulnerabilities to gain the low level access
needed for additional exploration. The Checkm8 author posits that by providing
people this access via his exploit, researchers will submit their known
vulnerabilities to Apple and make iOS safer.

~~~
erichurkman
Coming next year: pre-rooted devices specifically for security research,
though likely with well established groups.
[https://thenextweb.com/apple/2019/08/08/apple-announces-
deve...](https://thenextweb.com/apple/2019/08/08/apple-announces-developer-
iphones-with-root-access-for-security-research/)

~~~
vuln
Surely you mean nation state actors.

~~~
Thorrez
Why do you believe that? Apple made quite a lot of news by refusing to unlock
the iPhone 5C from the San Bernardino shooting. Helping nation state actors
find vulnerabilities would be contrary to their previous actions.

~~~
sambe
Not really. Helping nation state (any) actors gain access to user data would
be contrary to their previous actions. Helping experts research
vulnerabilities is a calculated risk that the good guys will reveal bugs at a
similar rate or faster than the bad guys, whilst also disincentivising the
hoarding.

~~~
Thorrez
I don't understand. vuln seemed to be suggesting Apple would give pre-
jailbroken devices to governments to find vulnerabilities with instead of
giving them to established white hat researchers.

I don't see how that would help good guys reveal bugs.

------
jpxw
I’ve heard some people taking about using a raspberry pi zero or some other
microcomputer to apply the exploit on boot, which sounds quite interesting.

As someone who used to jailbreak back in the day, this news was really
exciting. However looking at it in a mature way than I did back then, it’s
also slightly worrying that a whole class of iOS devices have a severe and
unpatchable security flaw.

~~~
StavrosK
Why is that? I've long been against Apple's stance of not allowing me access
to the hardware I own, and this exploit seems the best of both worlds: If you
want to make sure you're secure, just reboot the phone.

~~~
mentat
If you can access using this so can others when you cross borders, are stopped
by police, have spying spouse, etc. Those are real and sometimes fatal threat
models.

~~~
fullonrager
If law enforcement did take your device, it would be useless if you have a
passcode. Your data will still be encrypted.

~~~
gruez
depends on whether exploiting the bootrom allows you bypass the anti-hammering
mechanism, or the "wipe data after 10 failed attempts" mechanism. A 6 digit
passcode by itself is very easy to crack.

~~~
morpheuskafka
IIRC from the San Bernardino case, that was the case on the shooter's phone (a
5S I think), but since then it has been built in to the "Secure Enclave" chip
which is not affected by the vulnerability. But you could flash a fake iOS
that logged the user's code and/or directly exfiltrated the data--the user
would have no idea that it was not the stock iOS they were giving their code
to. It would leave them which a bricked device the next time they rebooted,
which could raise suspicions.

~~~
earenndil
It was a 5c; 5s and later had the SEP.

You don't 'flash' a fake ios; you can use the bootrom exploit to put your
modified version of ios into memory, and once you reboot you would get back
straight stock ios. They could even make it reboot as soon as the password was
harvested, leaving behind no trace. This is _scary stuff_. You can keep
yourself safe by rebooting as soon as you get your phone back from border
patrol, but many people would not know to do that.

------
pweezy
The article makes repeated mentions of the lack of persistence (rebooting the
phone removes the exploit), suggesting this makes it very little of a security
threat.

However, most people reboot their phone very rarely: the occasional software
update a couple times a year; if the battery runs out (which people usually go
to pains to avoid); or for some people, to try to fix a misbehaving phone.

The exploit does require physical access to the phone for a few minutes. But
in situations where that can happen, and the owner doesn't have the suspicion
or knowledge to reboot, I think an exploit could easily run for one or several
months.

Paired with enough clever software modifications made possible by the
jailbreak (like a lock screen that collects passcode input), a malicious
instance of this could do plenty of damage.

~~~
GeekyBear
If your device tells you that you are required to enter your passcode (instead
of having biometric authentication available) at a time when you have not just
rebooted the device yourself, that would be your clue that something unusual
is going on.

At which time you simply need to reboot the device yourself to clear anything
made possible by this particular boot ROM bug.

~~~
mantap
iOS requires users to enter their passcode every week so they don't forget it.

------
shasheene
This is great news. After a decade of stagnation [1], an exploit that in
theory allows Linux (and Android) to be ported to iPhone, iPads, Apple
Watches, and I believe, Apple TV.

[1]
[https://en.wikipedia.org/wiki/OpeniBoot](https://en.wikipedia.org/wiki/OpeniBoot)

~~~
rwmj
Why wouldn't you just buy a rootable Android device in the first place?
Cheaper, better phones and far less hassle to install your own OS on.

~~~
oeo82vc
How are you qualifying better?

I had three Nexus Android phones go sideways on me in their first year, over a
span of 4 years.

I have had two iPhones since 2014, and only because I dropped the first one.

If I have to spend $300-$400 on replacements every couple years, I’ll go with
$800 every 4-5

~~~
bufferoverflow
The last Nexus phone was made in 2015, and they were known for being bad
(bootloop). There are tons of really solid Android phones that work for years.
Even the cheap chinese ones from unknown brands are solid these days. I also
replace them only because I broke the screen.

With Android you have a choice of the specs - bigger battery, better camera,
tough build, fast charging. With the iPhone you get an average meh for not so
average price.

~~~
MiroF
Eh - anecdotal but my pixel just turned off and never turned on again about a
year and a half into use (without water damage).

I still have my working iPod touch from like 2011.

~~~
Osiris
Anecdotal but my MyTouch 3G (2009) and LG G2 (2013) still work just fine. Both
are rooted with custom ROMs.

------
ryanmarsh
I'm not really into the jail breaking / free software / right to repair side
of this issue. I'm more interested in jailbreaking iOS devices because I
believe they are incredible alternative to Raspberry Pi. If you consider how
cheaply you can find a used iPhone 4S and what it's capable of, vs. a
Raspberry Pi (as much as I love them) the engineering of the iPhone SOC really
becomes stark in comparison. I'd rather be writing Swift code and loading it
onto an iPhone.

I believe an old iPhone could potentially make for a great DIY drone
mainboard/controller.

~~~
eddieh
I'd love to run Linux or NetBSD on the 3rd Gen Apple TV. I don't know if this
would allow that. Last time I looked, the consensus was a hard no. There's
also going to be tons of AirPort base stations that should be re-purposed, but
as far as I know nobody has even bothered to find a jail break for AirPort
devices. It would be nice just to be able to SSH into an AP.

~~~
notaplumber
This is already possible. SSH can be enabled on the AirPort. Indeed, they run
a build of NetBSD 6.0.

[https://jcs.org/2018/06/12/airport_ssh](https://jcs.org/2018/06/12/airport_ssh)

~~~
eddieh
Oh nice! I'm surprised I missed this.

------
herf
So somebody could make a battery case that also jailbreaks your phone (if you
trigger DFU mode)?

~~~
fullonrager
Yes, I have also seen discussion of dongles being made to jailbreak your
iPhone. The Nintendo Switch has a bootrom exploit and a dongle to exploit it
is available.

------
orev
While this is great for the concept of jailbreaking, in practice I think it
will be mostly academic. The devices this supports are already old, which
doesn’t give much excitement to the process. The ecosystem of libraries, apps,
stores, etc. around jailbreaking is in a dismal state, if it really even
exists anymore.

I really don’t expect a thriving marketplace to spring up again like we had in
the old days.

I do think it will be very useful for people doing security research, as it
will allow them to access the full running images of supported devices.

EDIT: Since people seem to be wildly missing my point, I clearly need to spell
it out: The community and the ecosystem is what made jailbreaking great, and
while this very cool work done, this isn't going to usher in a new golden age
of jailbreaking because the community and ecosystem isn't there.

~~~
MiroF
Calling 4S through X “old” is disingenuous. Your comment made me reread the
article because I thought I had misunderstood.

~~~
orev
The "X" is two years old. That doesn't mean it's useless, but it does mean
that the news doesn't carry the same weight as if it was the iPhone 11 Pro
that was hacked.

~~~
MiroF
The vast majority of iPhones in circulation are the X or below.

So, stated otherwise: this carries the same weight as saying about 90%
(anecdotal estimate) of iPhones in circulation are jailbreakable

------
rwmj
It seems if I read the article correctly that you can't use this to capture
the PIN and further unlock the data, but I don't understand how Apple can make
the phone secure against that (that is assuming I have understood the
article).

~~~
ethbro
Isolated co-processors and memory.

~~~
oh_sigh
If the user secret key like a pin is going through iOS, to the secure enclave,
you can still run a hacked iOS which reports the stolen pin back to some
server.

~~~
rficcaglia
Typically the os would only have access to the encrypted pin, then use special
secure enclave instructions to compute inside the enclave (basically special
encrypted memory inside the processor). Ie the plaintext pin would never leave
the enclave, even when the os kernel is compromised

If you had the chip in a lab you could do sidechannel physical attacks with
lasers and liquid nitrogen, etc

~~~
eternalny1
> If you had the chip in a lab you could do sidechannel physical attacks with
> lasers and liquid nitrogen

Wow, what do you do for a living if I might ask?

------
punnerud
- _If you are doing tracking in real time, you can see what 's happening. If you want to, say, explore what happens when your phone goes to a website, you can't do that if you don't have a jailbreak because Apple doesn't give you the specific permissions that you need to see things happening at such a low level on your phone._

How is this different than MITMproxy, Burp Suite, Charles combined with
setting iPhone to proxy the traffic through your machine?

~~~
eat
Well, to accomplish that with HTTPS traffic, you'd have to tell your device to
accept (for example) Burp's CA certificate. Many applications (especially
sensitive applications such as banking) nowadays use certificate pinning to
verify the expected certificate and prevent this kind of MITM from happening.
So you'd still need to do some sort of lower-level manipulation, such as
manually hooking the certificate validation functions, to even be able to get
this proxying to work.

It's becoming increasingly difficult to really see what's going on without a
jailbroken iPhone, or rooted Android device.

------
arminiusreturns
The right to repair must include the right to root.

~~~
dev_dull
No way. The vast majority of us want phones that are totally impregnable. I
want a phone that not even Apple can access, let alone Steve down at the
repair shop.

I’m normally all about right-to-repair, but with my phone I want privacy and
security.

~~~
saurik
Since you also want protection from Apple, you actually don't disagree: right
now, Apple can put your phone in DFU mode and "upgrade" its software to a new
build which gives them not just root access (which isn't terribly useful these
days) but complete control over the kernel. (They still can't steal your data
unless you help, due to disk encryption, but that's an unrelated topic.) I
want a phone where Apple can't do that; but I mean, someone has to be able to
do that, as otherwise the software on the phone can't be upgraded. So I want
the person in control of that to be me, the owner. If I so choose, I can trust
Apple's software. Or I can choose to not trust Apple's software and trust
software from you. This concept of software trust eventually comes down to a
root certificate (just as it already does), which should be controlled by the
same secure enclave as the disk encryption (so the software itself can't alter
my trust roots in case of an exploit). There: not only easy to be equivalent
to what you have, not only able to give people like me actual control, but
_more_ secure than the status quo (as Apple can be locked out), not less.

------
MuffinFlavored
> The exploit allows only tethered jailbreaks, meaning it lacks persistence.
> The exploit must be run each time an iDevice boots.

Could it be made to persist?

> Checkm8 doesn't bypass the protections offered by the Secure Enclave and
> Touch ID.

Could it be made to bypass the Secure Enclave?

~~~
phs318u
The lack of persistence could be worked around by a small enough device
disguised as a phone charger. A sufficiently motivated actor could use a human
asset to plant/replace such chargers at a target’s home/work.

~~~
matwood
You have to put the phone into DFU mode. Yes, this is a serious flaw, but in
the last 24h the overreactions have already become the stuff of legends.

------
factorized
So it is necessary to know a device's PIN to apply this jailbreak?

The article refers to Secure Enclave and how its protection cannot be
bypassed, but it's unclear whether the PIN itself (and entering the DFU mode)
is protected by the Secure Enclave.

~~~
morpheuskafka
The PIN is not stored anywhere on the device. It is validated by the Secure
Enclave but cannot be recalled. So this attack vector would need to involve
flashing a malicious iOS clone that would boot normally and ask the user to
enter their PIN/TouchID normally before activating malicious functions.

------
sargun
If apple knew about this exploit (given the patched the boot ROM on the newer
phones), will iPhones that ship after a certain date have this fixed?

------
clamprecht
Potential business opportunity - iPhone "virus scanner" device or service?

~~~
duiker101
Can't wait for the bloatware iOS antiviruses!

------
pearjuice
This is probably the same exploit used by three letter agencies to get into
locked iDevices. It was known long before checkm8 became public.

~~~
Xylakant
Afaics it doesn’t get you on locked devices. You can install custom firmware,
but you’d still need the passcode or face/finger to unlock the actual content.

~~~
vageli
> Afaics it doesn’t get you on locked devices. You can install custom
> firmware, but you’d still need the passcode or face/finger to unlock the
> actual content.

It opens the door for an evil maid attack though. Replace firmware of target
and once unlocked exfil the data. Since most people don't regularly turn off
their phones in my experience, this attack would probably be successful
against most users.

~~~
matwood
Let's play out this scenario. Someone has to take your phone without you
knowing and load some exfil software. This requires focused targeting of
people who are not most users. Heads of state, journalists, etc... would just
reboot the phone anytime it leaves their possession. Additionally, those users
are who are likely targets would just get a newer phone.

The reality is that right now, Checkm8 is great for jailbreakers of older
phones and not much else.

~~~
vageli
Good points. As a complete aside, your comment brought to mind one more group
that might benefit: those in a relationship with someone whom they suspect is
cheating on them.

