Compare to the "firewall" approach which is crunchy on the outside but nice and soft on the inside. Snowden showed the NSA intercepting unencrypted internal comms between google's and yahoo's respective datacenters. And our IoT devices are often exploited vectors.
Interesting the Apple wouldn't even consider their own device boundary adequate. Compare to others who (used to? Still do?) keep, say, fingerprint data in the filesystem. Some people say code structure reflects organizational structure; I wonder if apple's own corporate structure (with internal inter-project secrecy, which I consider insane) lead in part to this approach: "I can't trust those other organizations writing system code to use the security features I put in so I'll consider them a kind of adversary too"
(This is known as Conway's law.)
Apple doesn't have divisions; it would be unremarkable that GE's jet engine business didn't know what GE's medical MRI division was up too. But Apple has a small number of products that essentially share a backbone. Yet features are poorly integrated; Mac photos is ahead if iOS's in some ways and behind in others suggesting less shared code than would be more efficient, less buggy, and less confusing the users. The Mac has a whole en ("ink") infrastructure which is more powerful than what's on the iPod despite the iPod having much more common pen support. And let's not get to security architecture...
At the other extreme Google has (mostly) a monorepo. They have their own problems but act to improve connection between the company. Cisco used to and probably still does have a number of common architectural structures across its product line. Etc.
One shouldn't conflate the VCS with org structure and/or code sharing.
The Google monorepo is perforce-based, which has per-branch, per-directory (even per-file) access control. One project's dependency on another can just as easily use the build artifacts from that other project as it can a source tree. And the way Google has built it, is looks far far closer to git than what you might think of with p4 (or svn or vss or name-your-monorepo).
Lastly, AIUI, from day one there were very restricted parts of the "monorepo" that only a very few devs had access to.
The Google monorepo is very different than a single git repo.
It is just a warped perception ?
In reality they don't actually have a single, company-wide repo, and they also have some groups that have isolation almost as extreme as Apple's.
Any large company will have these communication problems I cited; the part I find weird is that Apple not only takes no steps to address them but takes steps that as side effects exacerbate the issue. Clearly it doesn't bother them and they do ship good products so...
Holy molly. We're spouting insane conspiracy theories on this site, now?
It is why post-911 there is a DNI.
However, when you have a chaos president, who distrusts the intelligence agencies, because he doesn't want to hear about Russian interference in his election, it is just as bad.
That's a wordy way of saying it's not always the most efficient use of resources.
Hence my question: why make it public? What’s the backstory?
From the person/hacker/security researcher (@axi0mX) who discovered it:
During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch. That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.
> why make it public?
A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer. It will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.
I wonder if this is this vulnerability that a private company was exploiting for tools they provided to various law enforcement agencies?
I don't see how that would help good guys reveal bugs.
For those it allows complete data extraction except the Secure Enclave, correct? I suspect this would have been valuable.
It may have already been sold a few times. And if so, perhaps the author was turned down by the usual suspects.
As someone who used to jailbreak back in the day, this news was really exciting. However looking at it in a mature way than I did back then, it’s also slightly worrying that a whole class of iOS devices have a severe and unpatchable security flaw.
"Severe" is a bit over-dramatic. To be accurate, from the article:
Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits
The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.
Agreed. The hyperbole yesterday was millions of iPhones now have no security which does not seem to be the case. For the average user nothing has changed. For the paranoid, reboot the phone if it ever leaves your sight.
If you suspect your device has been tampered with and need a guaranteed reboot, just let the battery run down and don't use it until it has.
Just a (overly paranoid) thought: a sophisticated attacker could simulate a drained battery and subsequent reboot, no?
Not going to lie: I do place a significant level of trust in Apple's statements regarding their security architecture / model.
Having a completely 100% untouchable ROM is very valuable. Yes, this kind of exploit being permanent is the downside, but then they don't have to worry about the modification fuses being misused in any way ever.
You don't 'flash' a fake ios; you can use the bootrom exploit to put your modified version of ios into memory, and once you reboot you would get back straight stock ios. They could even make it reboot as soon as the password was harvested, leaving behind no trace. This is scary stuff. You can keep yourself safe by rebooting as soon as you get your phone back from border patrol, but many people would not know to do that.
Ownership is the state of exclusive rights and control over property, which I don't have when I buy an Apple device. Either they shouldn't say they're selling it (they can say they're leasing it to me) or they should give me all rights.
I like to think of “owning” in the developed world simply as a right to collect rent from someone else.
Are any of these restrictions there so a private third party can decide what you do with your property?
At least, that’s true in at least one state in the USA.
Also the developers and architectural controls can make decisions affecting what you build (down to the color you paint outside), before they turn things over to the city.
All subject to local laws of course, so may vary city to city.
I don't know what people aren't getting about this. You bought a computer that can only run code that Apple has explicitly approved. How is this ownership?
However, most people reboot their phone very rarely: the occasional software update a couple times a year; if the battery runs out (which people usually go to pains to avoid); or for some people, to try to fix a misbehaving phone.
The exploit does require physical access to the phone for a few minutes. But in situations where that can happen, and the owner doesn't have the suspicion or knowledge to reboot, I think an exploit could easily run for one or several months.
Paired with enough clever software modifications made possible by the jailbreak (like a lock screen that collects passcode input), a malicious instance of this could do plenty of damage.
At which time you simply need to reboot the device yourself to clear anything made possible by this particular boot ROM bug.
There was some discussion about this on r/jailbreak, and it comes down to whether the community is willing to reverse-engineer and write drivers for the various hardware:
I had three Nexus Android phones go sideways on me in their first year, over a span of 4 years.
I have had two iPhones since 2014, and only because I dropped the first one.
If I have to spend $300-$400 on replacements every couple years, I’ll go with $800 every 4-5
What did you do with those phones that they 'went sideways'? I have a number of Motorola Defy phones which are between 8 and 9 years old, they still work fine. My daughter left one of those Defy's in her pocket when she put her jeans in the washing machine, it went through a full washing cycle and still worked except for the ear piece which I replaced at a total cost of $0.50 in parts (I bought 10 for $5 including shipping, anyone need a Defy earpiece?). I only ended up buying a newer device (Xiaomi Redmi Note 5 with many of the mentioned advantages) because the Swedish electronic ID supplier stopped supporting Android 4.4. I also have an Ainol Novo Advanced 8 Android tablet from 2010, still works fine albeit with a somewhat limited battery time.
Apple makes slick devices but the slickness comes with a downside: they are among the most vulnerable devices out there, usually ending up in the bottom legion when it comes to ability to survive rough treatment . Repairs end up being extremely expensive due to the enforced single supplier rule - only Apple is 'allowed' to repair the device, iOS contains checks for 'unauthorised' repairs. For the price of a single screen repair on an iPhone X ($279) I can buy a new phone for myself and for my daughter (who has a Xiaomi Redmi 4X), 'other' repairs cost $549 which is enough for new devices for the whole family. In short, Apple is the more expensive choice. If you think they're worth their price you should buy them but that does not negate the fact that you're paying more for a more fragile device with limited repair options.
This is a largely useless comparison without qualification.
With Android you have a choice of the specs - bigger battery, better camera, tough build, fast charging. With the iPhone you get an average meh for not so average price.
I still have my working iPod touch from like 2011.
This is not like Desktop PCs where a game might run at less than 60fps at a certain monitor resolution, iPhone software is more like the console market, so it's like saying you have a new PS4 model with 2x the speed of last years model. You're not likely going to notice the difference except at the edges, like launching apps are slightly faster.
Apple's fan base, prior to the A6, used to be 'specs don't mstter', but once Apple got the lead in CPU speed, now specs matter. I think for most people the former is probably true.
A faster phone doesn't make your Facebook, Snapchat, iMessage, Instagram, etc experience much better and lets be honest, people are spending the majority of time in those apps.
I believe an old iPhone could potentially make for a great DIY drone mainboard/controller.
Which packages would I want but could not compile for iOS?
I really don’t expect a thriving marketplace to spring up again like we had in the old days.
I do think it will be very useful for people doing security research, as it will allow them to access the full running images of supported devices.
EDIT: Since people seem to be wildly missing my point, I clearly need to spell it out: The community and the ecosystem is what made jailbreaking great, and while this very cool work done, this isn't going to usher in a new golden age of jailbreaking because the community and ecosystem isn't there.
So, stated otherwise: this carries the same weight as saying about 90% (anecdotal estimate) of iPhones in circulation are jailbreakable
The X is already 2 years old. It doesn’t matter that it’s still a capable phone (using one to write this now). The heyday of jailbreaking was when Apple would release a new phone, and then the tech press watched with baited breath to see how quickly it would be hacked. It only took weeks or months, not years, and it was a collective, community effort. It made news and it stirred up a large interest in jailbreaking and the ecosystem around it.
You clearly have not looked at the state of the jailbreak community as it stands today. It’s essentially gone. Repos are filled with old junk that couldn’t run on modern OSes even if you wanted to, and the main developers have just left. And there’s no reason for them to come back. The App Store and the current iOS features cover almost everything that people need, and the effort to get the other little things is just too high.
As I said, this is interesting and possibly useful academically, but it’s not going to magically reinvigorate the jailbreak community.
Also, iOS is genuinely uninteresting for many people because of its locked down nature. There are whole categories of applications that won't ever pass through App Store gates. Heck, we're talking about a platform where you can't even have a different browser than what Apple provides - you can just switch browser shells. Jailbreaking definitely can bring a huge value to at least some people.
Still though I think this will help the JB scene. It’s unlikely it won’t spur at least some new interest and momentum in the scene though.
I mostly jailbreak for shell access and ability to see what the network stack is doing (related to my work,) but a few tweaks like SwipeSelection are great additions too.
If anything, this will help to keep them from becoming e-waste for longer.
I'll give the bad news to my mate who just bought one.
"Old" is not the same thing as "irrelevant", especially since the obvious point of my comment is the jailbreak ecosystem, not the devices. That it applies to older devices is important because that doesn't create the same kind of excitement and interest as if the iPhone 11 was hacked.
I think it's fair to say you called it irrelevant.
For example, everyone's iPhone X and before being vulnerable to airport security scans. If they can root your device, they can install anything without your consent.
Not to mention that allowing one to install anything on your device opens up the gates for a myriad of potential security exploits.
If you had the chip in a lab you could do sidechannel physical attacks with lasers and liquid nitrogen, etc
Wow, what do you do for a living if I might ask?
You cannot install a modified OS and brute force the PIN or access the encrypted user data though. You have to get the user to type it in.
So you need access to the device and the user. It’s always been possible to do this with torture.
How is this different than MITMproxy, Burp Suite, Charles combined with setting iPhone to proxy the traffic through your machine?
It's becoming increasingly difficult to really see what's going on without a jailbroken iPhone, or rooted Android device.
I’m normally all about right-to-repair, but with my phone I want privacy and security.
Could it be made to persist?
> Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.
Could it be made to bypass the Secure Enclave?
Unlikely and that'd be something Apple can patch at their leisure.
> Could it be made to bypass the Secure Enclave?
That's not how this works. The Secure Enclave generates and stores asymmetric encryption keys and exposes an interface to perform various operations with these keys. Retrieving the keys is not possible. You'd need a separate vulnerability in Secure Enclave. Once you found a Secure Enclave exploit you need to run it, yes and iOS does not want you to run it yes, but let's face it: anyone having the mastery to break the Secure Enclave is more than likely to have an entire stash of iOS zerodays...
I don't think persistence is necessary. How often do people actually power off their smartphone? What most people think of as the "power button" only locks the screen (and puts the CPU into a "suspend" state to save power). Most people would have an "uptime" of months on their smartphone.
If you have iOS with auto-updates on, then it can reboot several times a year when Apple releases point updates. Or at least once a year when the new big version of iOS comes out.
(Unless I'm mistaken and iPhones no longer reboot on point updates anymore, but I'm pretty sure they still do.)
- Part out of habit (since way before 'Do not disturb' mode), I want no disturbances when I sleep.
- Because it saves battery/energy
- No connected device in the bedroom (OK, I got a Kindle)
- I (honestly) don't see any sense in having my phone run for ~7 hours while I'm asleep
From the article:
You have to have a cable connected to your device and put your device into DFU mode, and that requires you to hold buttons for a couple seconds in a correct way
Well, drilling each individual chip is not economical, but doable. Usually it only meant to get something out, not in.
The article refers to Secure Enclave and how its protection cannot be bypassed, but it's unclear whether the PIN itself (and entering the DFU mode) is protected by the Secure Enclave.
It opens the door for an evil maid attack though. Replace firmware of target and once unlocked exfil the data. Since most people don't regularly turn off their phones in my experience, this attack would probably be successful against most users.
The reality is that right now, Checkm8 is great for jailbreakers of older phones and not much else.
> Before Apple introduced the Secure Enclave and Touch ID in 2013, you didn't have advanced security protections. So, for example, the [San Bernardino gun man's] phone that was famously unlocked [by the FBI]—the iPhone 5c— that didn't have Secure Enclave. So in that case, this vulnerability would allow you to very quickly get the PIN and get access to all the data. But for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don't have the PIN.
> * The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.
Apparently, this is not the same exploit.