Hacker News new | past | comments | ask | show | jobs | submit login
Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer (arstechnica.com)
411 points by headalgorithm 24 days ago | hide | past | web | favorite | 196 comments

The list of limitations of the jailbreak is itself interesting as it shows the benefits of defense at depth: even if you have this exploit you need physical access, Secure Enclave is still inaccessible etc.

Compare to the "firewall" approach which is crunchy on the outside but nice and soft on the inside. Snowden showed the NSA intercepting unencrypted internal comms between google's and yahoo's respective datacenters. And our IoT devices are often exploited vectors.

Interesting the Apple wouldn't even consider their own device boundary adequate. Compare to others who (used to? Still do?) keep, say, fingerprint data in the filesystem. Some people say code structure reflects organizational structure; I wonder if apple's own corporate structure (with internal inter-project secrecy, which I consider insane) lead in part to this approach: "I can't trust those other organizations writing system code to use the security features I put in so I'll consider them a kind of adversary too"

One thing I love about HN is super thoughtful comments under names like gumby

My brain hurts!

> code structure reflects organizational structure

(This is known as Conway's law.)

Just curious, why do you think that inter-project secrecy within a company is a bad idea?

TO be clear I consider Apples level of inter-group secrecy insane. When Apple switched from PPC to Intel I had friends who worked on apple's dev tools (like gdb) who learned about the switch the same day I did. That's over the top.

Apple doesn't have divisions; it would be unremarkable that GE's jet engine business didn't know what GE's medical MRI division was up too. But Apple has a small number of products that essentially share a backbone. Yet features are poorly integrated; Mac photos is ahead if iOS's in some ways and behind in others suggesting less shared code than would be more efficient, less buggy, and less confusing the users. The Mac has a whole en ("ink") infrastructure which is more powerful than what's on the iPod despite the iPod having much more common pen support. And let's not get to security architecture...

At the other extreme Google has (mostly) a monorepo. They have their own problems but act to improve connection between the company. Cisco used to and probably still does have a number of common architectural structures across its product line. Etc.

> At the other extreme Google has (mostly) a monorepo.

One shouldn't conflate the VCS with org structure and/or code sharing.

The Google monorepo is perforce-based, which has per-branch, per-directory (even per-file) access control. One project's dependency on another can just as easily use the build artifacts from that other project as it can a source tree. And the way Google has built it, is looks far far closer to git than what you might think of with p4 (or svn or vss or name-your-monorepo).

Lastly, AIUI, from day one there were very restricted parts of the "monorepo" that only a very few devs had access to.

The Google monorepo is very different than a single git repo.

It feels weird having Google on the “improve connection between the company” side when they are the poster child of parallel implementations and internal competing products and standards (at least as seen from the outside).

It is just a warped perception ?

I don't think so. I just cited their monorepo as an approach close to opposite polar extreme.

In reality they don't actually have a single, company-wide repo, and they also have some groups that have isolation almost as extreme as Apple's.

Any large company will have these communication problems I cited; the part I find weird is that Apple not only takes no steps to address them but takes steps that as side effects exacerbate the issue. Clearly it doesn't bother them and they do ship good products so...

For the same reason that inter-agency secrecy contributed to the success (for the terrorists) of the 9/11 attacks.


>>You mean the departments of government that planned and staged 9/11

Holy molly. We're spouting insane conspiracy theories on this site, now?

No, it is simpler. US intelligence agencies pre-911 did not share intelligence or pass along warnings across agency boundaries. That meant events such as the terrorists that went to flight school in Florida, did not get passed along to other agencies.

It is why post-911 there is a DNI.

However, when you have a chaos president, who distrusts the intelligence agencies, because he doesn't want to hear about Russian interference in his election, it is just as bad.

Not OP, but because it often slows down development since different teams keep re-implementing similar ideas or have strong requirements to allow using their infrastructure. There are always trade-offs to consider, silo-ing projects can be critical to some core infrastructure projects and security libraries, can be very useful for other control plane projects, but can also actively hinder innovation in other cases.

That's a wordy way of saying it's not always the most efficient use of resources.

I’m wondering about the economics of this release. I don’t know if Apple has any bug bounty program and whether it would apply here, but I’m pretty sure someone would have paid a lot of money for this.

Hence my question: why make it public? What’s the backstory?

> What’s the backstory?

From the person/hacker/security researcher (@axi0mX) who discovered it:

During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch. That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.

> why make it public?

A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer. It will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.

Source: https://mobile.twitter.com/axi0mX/status/1177542201670168576...

I wonder if this is this vulnerability that a private company was exploiting for tools they provided to various law enforcement agencies?

Wait, why does this make iOS better? This breaks the security guarantees I expected from the phone.

iOS is such a walled garden that security researchers have a very difficult time gaining low level access on the phone. This has incentivized researchers to keep vulnerabilities they find for themselves rather than disclose them to Apple, so that they can use the vulnerabilities to gain the low level access needed for additional exploration. The Checkm8 author posits that by providing people this access via his exploit, researchers will submit their known vulnerabilities to Apple and make iOS safer.

Coming next year: pre-rooted devices specifically for security research, though likely with well established groups. https://thenextweb.com/apple/2019/08/08/apple-announces-deve...

Surely you mean nation state actors.

Why do you believe that? Apple made quite a lot of news by refusing to unlock the iPhone 5C from the San Bernardino shooting. Helping nation state actors find vulnerabilities would be contrary to their previous actions.

Not really. Helping nation state (any) actors gain access to user data would be contrary to their previous actions. Helping experts research vulnerabilities is a calculated risk that the good guys will reveal bugs at a similar rate or faster than the bad guys, whilst also disincentivising the hoarding.

I don't understand. vuln seemed to be suggesting Apple would give pre-jailbroken devices to governments to find vulnerabilities with instead of giving them to established white hat researchers.

I don't see how that would help good guys reveal bugs.

I believe he meant in the future versions of iOS. Once this is public Apple can take the necessary steps to patch this on future products. If it wasn't published, then Apple would, guessing here, leave it as is for future products. My 2 cents.

Nintendo Switch suffered from a similar problem (usb bootrom exploit https://github.com/Qyriad/fusee-launcher/blob/master/report/...) and the company has been watching the homebrew and other communities closely to patch the entire exploit chain as people discover exploits. No doubt the OS and platform is a lot more secure thanks to the community

It means bug bounty hunters can jailbreak any version of their phone to turn it into a listening honeypot. Then they can take it to China, let the PRC re-exploit it, record the new exploit, then sell the exploit to Apple for $1 Million Dollars and retire in the Bahamas. You wouldn’t be able to turn your iPhone into a honeypot without this otherwise.

Since it’s already fixed in the Xs and newer iPhones, I’m not sure Apple would have considered it a new exploit worthy of a payout.

Cellebrite might pay for it. Unless they already knew about it.

It doesn’t really provide anything useful for Cellebrite and it only works on older devices.

iPhone X is barely 2 years old. It works on the vast majority of iPhones in use today.

For those it allows complete data extraction except the Secure Enclave, correct? I suspect this would have been valuable.

If you have a passcode, all of your data is encrypted with keys stored in the Secure Enclave. So this alone won't let you dump the contents of a phone. (But it's a useful 1st step vulnerability to others)

Every iPhone since the 5S has had a SEP, meaning, as this researcher points out, that checkm8 doesn't do much for Cellebrite for those phones.

It doesn't seem to provide much value to bad actors, since you can't trigger this exploit without physical access and a reboot, can't get any device data without the passcode even if you've done that, and can't persist anything that requires privileged access even with the exploit and the passcode. That makes it moderately useful for hackers and security researchers trying to experiment with devices they own, and most likely of little to no use for any hostile agents, with or without physical device access.

I would guess this was already known to some intelligence communities. However, as an unknown zero day this would probably have been worth a great deal on the open market.

It may have already been sold a few times. And if so, perhaps the author was turned down by the usual suspects.

Apple has a bug bounty program, though some moves that Apple has made towards the broader security community has some questioning Apple's actual commitment to security, vs just being a clever marketing ploy.

I’ve heard some people taking about using a raspberry pi zero or some other microcomputer to apply the exploit on boot, which sounds quite interesting.

As someone who used to jailbreak back in the day, this news was really exciting. However looking at it in a mature way than I did back then, it’s also slightly worrying that a whole class of iOS devices have a severe and unpatchable security flaw.

> it’s also slightly worrying that a whole class of iOS devices have a severe and unpatchable security flaw.

"Severe" is a bit over-dramatic. To be accurate, from the article:

Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits

The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.

Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.

> "Severe" is a bit over-dramatic. To be accurate, from the article:

Agreed. The hyperbole yesterday was millions of iPhones now have no security which does not seem to be the case. For the average user nothing has changed. For the paranoid, reboot the phone if it ever leaves your sight.

It's not easy to pull battery out, so we are left with a force-reboot button chord. That feature is probably meant to protect from normal, non-malicious bugs. How sure can the hypothetical paranoid be that the phone has indeed rebooted and not faked it?

The hypothetical user can be certain if they simply do a force reboot by holding power and volume, instead of shutting down using the power button long press and touch screen swipe.

Why? Is there any way to be certain these are done in hardware and can’t be caught in a low level system once the device is rooted? It’s a black box, so no way to know until somebody manages to pull it off.

I can implant a tiny microchip into your phone that will intercept every disc read/write and transmit it. Is that something it makes sense to check for, though?

These days, it's easier to thwart the Evil Maid attack, as it's known, by replacing the device, and some recommend doing that when entering/exiting China, attending DefCon, and a few other scenarios where it's credible under a given threat model. Most of us aren't Edward Snowden, but are still cases where thats not so ludicrous. The FBI has installed keyloggers into laptops supposedly fresh from the factory that have been discovered before. It's not just specific person devices, either. Aspersions were cast on Supermicro motherboards installed into Cloud provider data centers, even if nothing was ever found/proven.

> Is there any way to be certain these are done in hardware and can’t be caught in a low level system once the device is rooted?

If you suspect your device has been tampered with and need a guaranteed reboot, just let the battery run down and don't use it until it has.

> If you suspect your device has been tampered with and need a guaranteed reboot, just let the battery run down and don't use it until it has.

Just a (overly paranoid) thought: a sophisticated attacker could simulate a drained battery and subsequent reboot, no?

No sophisticated attacker can make a phone run for five days without recharging. Just leave it on for five days and you should be fine.


Yup - this combination works even if the device is hung.

I believe the force-reset button combination is a firmware (read-only) routine for that reason.

See: https://support.apple.com/guide/iphone/force-restart-iphone-...

Firmware updates are a thing for other devices. Sure, the force-restart logic should be stored on some separate device that isn't touched by any part of OS other than the firmware updater — but are you sure if it really is or should be read-only?

Nope I am not sure.

Not going to lie: I do place a significant level of trust in Apple's statements regarding their security architecture / model.

I'm inclined to place some trust in Apple too. Is there any statement that force-reboot is a security feature?

It might be patchable, even though it's in ROM. The ARM chip I've been working on has a mechanism to change a few words in ROM by blowing fuses... basically, between the ROM and the CPU sits a device that compares addresses and if matches what's found in the fuses, will replace the data being read. Since it doesn't have to be fast (since ROM code is only used at boot and there isn't a lot of it), they can slow down memory access to get more security.

Apple would've very likely patched it a long time ago if it was patchable, since the newest devices' ROMs don't have the bugs anymore.

Having a completely 100% untouchable ROM is very valuable. Yes, this kind of exploit being permanent is the downside, but then they don't have to worry about the modification fuses being misused in any way ever.

Why is that? I've long been against Apple's stance of not allowing me access to the hardware I own, and this exploit seems the best of both worlds: If you want to make sure you're secure, just reboot the phone.

If you can access using this so can others when you cross borders, are stopped by police, have spying spouse, etc. Those are real and sometimes fatal threat models.

If law enforcement did take your device, it would be useless if you have a passcode. Your data will still be encrypted.

depends on whether exploiting the bootrom allows you bypass the anti-hammering mechanism, or the "wipe data after 10 failed attempts" mechanism. A 6 digit passcode by itself is very easy to crack.

IIRC from the San Bernardino case, that was the case on the shooter's phone (a 5S I think), but since then it has been built in to the "Secure Enclave" chip which is not affected by the vulnerability. But you could flash a fake iOS that logged the user's code and/or directly exfiltrated the data--the user would have no idea that it was not the stock iOS they were giving their code to. It would leave them which a bricked device the next time they rebooted, which could raise suspicions.

It was a 5c; 5s and later had the SEP.

You don't 'flash' a fake ios; you can use the bootrom exploit to put your modified version of ios into memory, and once you reboot you would get back straight stock ios. They could even make it reboot as soon as the password was harvested, leaving behind no trace. This is scary stuff. You can keep yourself safe by rebooting as soon as you get your phone back from border patrol, but many people would not know to do that.

It doesn't. Just reboot the phone and it's secure.

I think you misunderstood the threat model. The concern is that they seized your phone, used the exploit to bypass the "normal" passcode protections, allowing them to bruteforce your 6 digit passcode in hours/days rather than years/decades/never (if you had the wipe after 10 failed attempts enabled).

That is not possible, the key is inside a hardware chip which enforces the number of tries for the PIN.

Now they do. That wasn't always the case though, for those on older devices (Anything older than the 5s, I believe), or older iOS versions.

You can use a numeric sequence passphrase as your passcode; there is no 6 digit limitation; I have a > 6 numeric passcode/passphrase.

You can also use an alphanumeric sequence.

Don't use a 6-digit passcode.

If you lost your iPhone or it was stolen it was just a worthless brick for the finder/thief. Think about what a big peace of mind that is! This changed now for older hardware.

It didn't, because the encryption keys are in the secure coprocessor.

Your data is protected, but the iCloud activation lock can be bypassed. Hence it no longer being a brick.

What's the market value of a phone that has to be put into firmware upgrade mode every time it restarts?

TBD. Check out eBay in the coming months, I’m sure a value will be determined soon. It’s definitely higher than what it is now (sold as scrap for parts)

My take is that you’re misinterpreting what you (theoretically) have purchased. You bought an iPhone, not a pile of hardware. Nowhere in the transaction did Apple misrepresent what they offered. Your wish for iPhone shaped hardware that is yours to do whatever you want with doesn’t change the fact that this isn’t what’s for sale.

How do you reconcile the fact that I've bought it with the fact that it's not "mine to do whatever I want with"?

Ownership is the state of exclusive rights and control over property, which I don't have when I buy an Apple device. Either they shouldn't say they're selling it (they can say they're leasing it to me) or they should give me all rights.

World isn’t so black and white. There are restrictions on many things you “own”. Land, certain chemicals, technologies, etc.

I like to think of “owning” in the developed world simply as a right to collect rent from someone else.

> There are restrictions on many things you “own”.

Are any of these restrictions there so a private third party can decide what you do with your property?

Another example is the Visual Artists Rights Act. You may own the painting, sculpture, etc., but you are not allowed to modify or destroy it.

Yes, land rights for example. Someone else decides what you're allowed to build and/or dig.

Which private party decides that?

The municipal council approves all building plans. Just because you own the land doesn’t mean you have the right to build whatever you want on it without approval.

At least, that’s true in at least one state in the USA.

The neighbor or utility providers have a say if there's an easement, e.g. you can't build as to block their right-of-way access for maintenance purposes, despite your ownership over the land.

Also the developers and architectural controls can make decisions affecting what you build (down to the color you paint outside), before they turn things over to the city.

All subject to local laws of course, so may vary city to city.

Home Owners Association, Neighborhood Association, Historical Society, etc

When you buy a car, you don’t get an airplane. Maybe you can figure out how to make it one but don’t cry when you can’t.

This analogy is apt, because I was clearly complaining that my phone wasn't a spaceship.

You knowingly bought one thing while wishing it was something else. Blame the company for that if you want but they didn’t have a gun to your head.

I'm not saying they misrepresented the transaction that occurred. I'm saying I don't own the phone I bought, Apple does. I'm just leasing it from them.

I guess I just don’t understand your definition of ownership or leasing. This just sounds to me like you’re complaining that you’re only leasing your fork because you bought a spoon.

I bought a computer that can't run whatever code I want. That's not ownership. That's buying a fork that hangs on a chain in the manufacturer's house. Yes, I "own" it, yes it's better than no fork, but if I can't eat whatever I want with it, it's not really mine.

I don't know what people aren't getting about this. You bought a computer that can only run code that Apple has explicitly approved. How is this ownership?

this is like saying you don't own a lock because it won't open if you've lost the key

No, it's like saying I don't own a lock because Apple keeps the key and I have to call them and ask them to unlock it for me every time.

My suggestion is to build it into a battery case. Then you always have the device with you and it's always charged if your phone is, preventing catastrophic dead phone in the desert scenarios.

The article makes repeated mentions of the lack of persistence (rebooting the phone removes the exploit), suggesting this makes it very little of a security threat.

However, most people reboot their phone very rarely: the occasional software update a couple times a year; if the battery runs out (which people usually go to pains to avoid); or for some people, to try to fix a misbehaving phone.

The exploit does require physical access to the phone for a few minutes. But in situations where that can happen, and the owner doesn't have the suspicion or knowledge to reboot, I think an exploit could easily run for one or several months.

Paired with enough clever software modifications made possible by the jailbreak (like a lock screen that collects passcode input), a malicious instance of this could do plenty of damage.

I think more practical concerns are cases of forced seizure by the government. The easier it is to access private data against someone’s will, the more often it will happen.

If your device tells you that you are required to enter your passcode (instead of having biometric authentication available) at a time when you have not just rebooted the device yourself, that would be your clue that something unusual is going on.

At which time you simply need to reboot the device yourself to clear anything made possible by this particular boot ROM bug.

iOS requires users to enter their passcode every week so they don't forget it.

This is great news. After a decade of stagnation [1], an exploit that in theory allows Linux (and Android) to be ported to iPhone, iPads, Apple Watches, and I believe, Apple TV.

[1] https://en.wikipedia.org/wiki/OpeniBoot

> After a decade of stagnation, an exploit that in theory allows Linux (and Android) to be ported to iPhone, iPads, Apple Watches, and I believe, Apple TV.

There was some discussion about this on r/jailbreak, and it comes down to whether the community is willing to reverse-engineer and write drivers for the various hardware:


Why wouldn't you just buy a rootable Android device in the first place? Cheaper, better phones and far less hassle to install your own OS on.

How are you qualifying better?

I had three Nexus Android phones go sideways on me in their first year, over a span of 4 years.

I have had two iPhones since 2014, and only because I dropped the first one.

If I have to spend $300-$400 on replacements every couple years, I’ll go with $800 every 4-5

Better value for money, bigger battery, better screen (Samsung), more memory (most devices), more storage, expandable storage, standard interface (all devices), no legal liabilities related to 'hacking' the device, better camera (Samsung, Pixel), more choice in form factor, need I go on?

What did you do with those phones that they 'went sideways'? I have a number of Motorola Defy phones which are between 8 and 9 years old, they still work fine. My daughter left one of those Defy's in her pocket when she put her jeans in the washing machine, it went through a full washing cycle and still worked except for the ear piece which I replaced at a total cost of $0.50 in parts (I bought 10 for $5 including shipping, anyone need a Defy earpiece?). I only ended up buying a newer device (Xiaomi Redmi Note 5 with many of the mentioned advantages) because the Swedish electronic ID supplier stopped supporting Android 4.4. I also have an Ainol Novo Advanced 8 Android tablet from 2010, still works fine albeit with a somewhat limited battery time.

Apple makes slick devices but the slickness comes with a downside: they are among the most vulnerable devices out there, usually ending up in the bottom legion when it comes to ability to survive rough treatment [1]. Repairs end up being extremely expensive due to the enforced single supplier rule - only Apple is 'allowed' to repair the device, iOS contains checks for 'unauthorised' repairs. For the price of a single screen repair on an iPhone X ($279) I can buy a new phone for myself and for my daughter (who has a Xiaomi Redmi 4X), 'other' repairs cost $549 which is enough for new devices for the whole family. In short, Apple is the more expensive choice. If you think they're worth their price you should buy them but that does not negate the fact that you're paying more for a more fragile device with limited repair options.

[1] https://macworld.idg.se/2.1038/1.692054/iphone-x-en-tickande...

> more memory

This is a largely useless comparison without qualification.

You're forgetting the context, being the selection of a device to run Linux (or anything else) on. Also, more memory is more memory, no qualification needed. It doesn't matter why the device has more memory, just as long as it does.

Yeah and it needs "more memory" because it runs Java. Modern iPhones have way more than enough memory to run one app at a time and a few in the background.

Who cares why the device 'needs more memory' (which it doesn't by the way, the excessive amounts of memory in recent Android devices is more of a marketing ploy than a necessity) when the goal is to select a device to run an alternative operating system on? That is, after all, the context of my reply.

But Android is already kinda Linux. You can even get shell and everything.

Is is, just add `termux` and install whatever packages you want. That won't help those who want to install Sailfish or Ubuntu or their very own mobile Linux creation or whatever other option they might contemplate. For those applications it makes sense to get a device which is open to this type of tinkering.

The last Nexus phone was made in 2015, and they were known for being bad (bootloop). There are tons of really solid Android phones that work for years. Even the cheap chinese ones from unknown brands are solid these days. I also replace them only because I broke the screen.

With Android you have a choice of the specs - bigger battery, better camera, tough build, fast charging. With the iPhone you get an average meh for not so average price.

Eh - anecdotal but my pixel just turned off and never turned on again about a year and a half into use (without water damage).

I still have my working iPod touch from like 2011.

Anecdotal but my MyTouch 3G (2009) and LG G2 (2013) still work just fine. Both are rooted with custom ROMs.

More anecdotes, still have my Nexus 4 kicking around. Just switched from my Pixel 1 after about 3 years since I cracked the screen.

Glad you found something that works for you.

To reuse/repurpose old devices you still have laying around. Which is much of the reason for Linux support on most unusual architectures, really.

Perhaps you wouldn't need to buy another separate Android device, since a iPhone dual-booting Android could make it the best supported Android device since the Pixel.

Nothing comes close to apple's ARM CPUs.

Most of the performance of which is irrelevent, because the apps have to run on the lowest common denominator iPhone.

This is not like Desktop PCs where a game might run at less than 60fps at a certain monitor resolution, iPhone software is more like the console market, so it's like saying you have a new PS4 model with 2x the speed of last years model. You're not likely going to notice the difference except at the edges, like launching apps are slightly faster.

Apple's fan base, prior to the A6, used to be 'specs don't mstter', but once Apple got the lead in CPU speed, now specs matter. I think for most people the former is probably true.

A faster phone doesn't make your Facebook, Snapchat, iMessage, Instagram, etc experience much better and lets be honest, people are spending the majority of time in those apps.

Performance isn't the only area where apple chips are superior. Power efficiency is another, and that's a lot more noticeable to your general consumer.

You’ll notice when loading web pages.

Why wouldn't you want to run doom/linux on all the devices?

For fun!

I can't wait to see an iPhone X natively running DOOM.

I'm not really into the jail breaking / free software / right to repair side of this issue. I'm more interested in jailbreaking iOS devices because I believe they are incredible alternative to Raspberry Pi. If you consider how cheaply you can find a used iPhone 4S and what it's capable of, vs. a Raspberry Pi (as much as I love them) the engineering of the iPhone SOC really becomes stark in comparison. I'd rather be writing Swift code and loading it onto an iPhone.

I believe an old iPhone could potentially make for a great DIY drone mainboard/controller.

I'd love to run Linux or NetBSD on the 3rd Gen Apple TV. I don't know if this would allow that. Last time I looked, the consensus was a hard no. There's also going to be tons of AirPort base stations that should be re-purposed, but as far as I know nobody has even bothered to find a jail break for AirPort devices. It would be nice just to be able to SSH into an AP.

This is already possible. SSH can be enabled on the AirPort. Indeed, they run a build of NetBSD 6.0.


Oh nice! I'm surprised I missed this.

Sounds like you want an Android device.

imho, a myriad of ios won't have the same Linux support which rasperry pi's enjoy.

Not sure how that matters? iOS has great SDKs for device access and acceleration. Plenty of Unix software compiles on iOS too.

Which packages would I want but could not compile for iOS?

i think, ios, sdk and tools won't work for iphone 4,5,6 etc - so you won't have developer tool chain support and no way to update them due to non-OSS proprietary base.

So somebody could make a battery case that also jailbreaks your phone (if you trigger DFU mode)?

Yes, I have also seen discussion of dongles being made to jailbreak your iPhone. The Nintendo Switch has a bootrom exploit and a dongle to exploit it is available.

While this is great for the concept of jailbreaking, in practice I think it will be mostly academic. The devices this supports are already old, which doesn’t give much excitement to the process. The ecosystem of libraries, apps, stores, etc. around jailbreaking is in a dismal state, if it really even exists anymore.

I really don’t expect a thriving marketplace to spring up again like we had in the old days.

I do think it will be very useful for people doing security research, as it will allow them to access the full running images of supported devices.

EDIT: Since people seem to be wildly missing my point, I clearly need to spell it out: The community and the ecosystem is what made jailbreaking great, and while this very cool work done, this isn't going to usher in a new golden age of jailbreaking because the community and ecosystem isn't there.

Calling 4S through X “old” is disingenuous. Your comment made me reread the article because I thought I had misunderstood.

The "X" is two years old. That doesn't mean it's useless, but it does mean that the news doesn't carry the same weight as if it was the iPhone 11 Pro that was hacked.

The vast majority of iPhones in circulation are the X or below.

So, stated otherwise: this carries the same weight as saying about 90% (anecdotal estimate) of iPhones in circulation are jailbreakable

iPhone X is still very capable and not at all old. Is it the newest? No, but saying a two year old device is useless is disingenuous.

I did not say an X was useless, so you’re the one being disingenuous. I said it was old, which it is, and old things do not make big headlines or attract large crowds.

The X is already 2 years old. It doesn’t matter that it’s still a capable phone (using one to write this now). The heyday of jailbreaking was when Apple would release a new phone, and then the tech press watched with baited breath to see how quickly it would be hacked. It only took weeks or months, not years, and it was a collective, community effort. It made news and it stirred up a large interest in jailbreaking and the ecosystem around it.

You clearly have not looked at the state of the jailbreak community as it stands today. It’s essentially gone. Repos are filled with old junk that couldn’t run on modern OSes even if you wanted to, and the main developers have just left. And there’s no reason for them to come back. The App Store and the current iOS features cover almost everything that people need, and the effort to get the other little things is just too high.

As I said, this is interesting and possibly useful academically, but it’s not going to magically reinvigorate the jailbreak community.

I think that people are arguing, and I agree, that "2 years old" doesn't qualify in any way as "old". I'm using a 10 years old smartphone and a 6 years old laptop, and only in last year or two I started to consider that oldish, so I'll probably replace them soon.

Also, iOS is genuinely uninteresting for many people because of its locked down nature. There are whole categories of applications that won't ever pass through App Store gates. Heck, we're talking about a platform where you can't even have a different browser than what Apple provides - you can just switch browser shells. Jailbreaking definitely can bring a huge value to at least some people.

I'm an active member of the jb community and it's certainly not gone. A quick look at /r/jailbreak shows that this exploit has in fact reinvigorated not only the community but many old developers that had not been around recently. I'm not sure why you want to argue but ok buddy. Have a good day.

I think there is a lot of sense in your argument. Also worth remembering Apple have added so many features we once Jailbroke for, which makes the usefulness less for the average person.

Still though I think this will help the JB scene. It’s unlikely it won’t spur at least some new interest and momentum in the scene though.

I mostly jailbreak for shell access and ability to see what the network stack is doing (related to my work,) but a few tweaks like SwipeSelection are great additions too.

The devices this supports are already old

If anything, this will help to keep them from becoming e-waste for longer.

iPhone X is irrelevant?

I'll give the bad news to my mate who just bought one.

I love how people keep putting words on my mouth. How about you respond to what I actually said instead of constructing a straw man?

"Old" is not the same thing as "irrelevant", especially since the obvious point of my comment is the jailbreak ecosystem, not the devices. That it applies to older devices is important because that doesn't create the same kind of excitement and interest as if the iPhone 11 was hacked.

Well you relegated iPhone X jailbreaking to "mostly academic".

I think it's fair to say you called it irrelevant.

So what large developments do you expect from the iPhone X jailbreak?

Is it that hard to imagine implications? Do you need convincing?

For example, everyone's iPhone X and before being vulnerable to airport security scans. If they can root your device, they can install anything without your consent.

So reboot after going through airport security. Without the pin no data can be retrieved.

Data can be retrieved and stored. Just not decrypted, yet, as far as publicly known.

Not to mention that allowing one to install anything on your device opens up the gates for a myriad of potential security exploits.

It seems if I read the article correctly that you can't use this to capture the PIN and further unlock the data, but I don't understand how Apple can make the phone secure against that (that is assuming I have understood the article).

Sure you can. Just pop a fake pin capture screen and you’re good to go.

Isolated co-processors and memory.

If the user secret key like a pin is going through iOS, to the secure enclave, you can still run a hacked iOS which reports the stolen pin back to some server.

Typically the os would only have access to the encrypted pin, then use special secure enclave instructions to compute inside the enclave (basically special encrypted memory inside the processor). Ie the plaintext pin would never leave the enclave, even when the os kernel is compromised

If you had the chip in a lab you could do sidechannel physical attacks with lasers and liquid nitrogen, etc

I think oh_sigh means capturing it when it is entered?

> If you had the chip in a lab you could do sidechannel physical attacks with lasers and liquid nitrogen

Wow, what do you do for a living if I might ask?

You can install a modified OS which can capture the Pin. 100%.

You cannot install a modified OS and brute force the PIN or access the encrypted user data though. You have to get the user to type it in.

So you need access to the device and the user. It’s always been possible to do this with torture.


-If you are doing tracking in real time, you can see what's happening. If you want to, say, explore what happens when your phone goes to a website, you can't do that if you don't have a jailbreak because Apple doesn't give you the specific permissions that you need to see things happening at such a low level on your phone.

How is this different than MITMproxy, Burp Suite, Charles combined with setting iPhone to proxy the traffic through your machine?

Well, to accomplish that with HTTPS traffic, you'd have to tell your device to accept (for example) Burp's CA certificate. Many applications (especially sensitive applications such as banking) nowadays use certificate pinning to verify the expected certificate and prevent this kind of MITM from happening. So you'd still need to do some sort of lower-level manipulation, such as manually hooking the certificate validation functions, to even be able to get this proxying to work.

It's becoming increasingly difficult to really see what's going on without a jailbroken iPhone, or rooted Android device.

Those all depend on the phone software honoring proxy settings.

The right to repair must include the right to root.

No way. The vast majority of us want phones that are totally impregnable. I want a phone that not even Apple can access, let alone Steve down at the repair shop.

I’m normally all about right-to-repair, but with my phone I want privacy and security.

Since you also want protection from Apple, you actually don't disagree: right now, Apple can put your phone in DFU mode and "upgrade" its software to a new build which gives them not just root access (which isn't terribly useful these days) but complete control over the kernel. (They still can't steal your data unless you help, due to disk encryption, but that's an unrelated topic.) I want a phone where Apple can't do that; but I mean, someone has to be able to do that, as otherwise the software on the phone can't be upgraded. So I want the person in control of that to be me, the owner. If I so choose, I can trust Apple's software. Or I can choose to not trust Apple's software and trust software from you. This concept of software trust eventually comes down to a root certificate (just as it already does), which should be controlled by the same secure enclave as the disk encryption (so the software itself can't alter my trust roots in case of an exploit). There: not only easy to be equivalent to what you have, not only able to give people like me actual control, but more secure than the status quo (as Apple can be locked out), not less.

The way androids do it is to wipe the device on root, which sounds reasonable

(Devil's advocate) why?

> The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.

Could it be made to persist?

> Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.

Could it be made to bypass the Secure Enclave?

> Could it be made to persist?

Unlikely and that'd be something Apple can patch at their leisure.

> Could it be made to bypass the Secure Enclave?

That's not how this works. The Secure Enclave generates and stores asymmetric encryption keys and exposes an interface to perform various operations with these keys. Retrieving the keys is not possible. You'd need a separate vulnerability in Secure Enclave. Once you found a Secure Enclave exploit you need to run it, yes and iOS does not want you to run it yes, but let's face it: anyone having the mastery to break the Secure Enclave is more than likely to have an entire stash of iOS zerodays...

> Could it be made to persist?

I don't think persistence is necessary. How often do people actually power off their smartphone? What most people think of as the "power button" only locks the screen (and puts the CPU into a "suspend" state to save power). Most people would have an "uptime" of months on their smartphone.

How often do people actually power off their smartphone?

If you have iOS with auto-updates on, then it can reboot several times a year when Apple releases point updates. Or at least once a year when the new big version of iOS comes out.

(Unless I'm mistaken and iPhones no longer reboot on point updates anymore, but I'm pretty sure they still do.)

Not an issue because the attacker can disable these updates.

If you’re in the Beta program, you might get a new OS point-release installed (thus restarting your phone) every few days at some points (such as at new-major-release RC time.)

I know, N=1 but I turn off my phone completely every night.

Out of curiosity, why?

  - Part out of habit (since way before 'Do not disturb' mode), I want no disturbances when I sleep.
  - Because it saves battery/energy
  - No connected device in the bedroom (OK, I got a Kindle)
  - I (honestly) don't see any sense in having my phone run for ~7 hours while I'm asleep
Why do you not turn off yours?

On new devices it hardly saves any battery because iOS (or maybe just the latest iPhones) have become wickedly good about preserving battery when idle.

Sure, but I’m a) still really happy with my iPhone SE and b) think it’s unnecessary to leave it in while sleeping.

the obvious reasons would be, to be reachable in case of emergency and as an alarm clock.

Sure, that makes sense. I hope my peers don’t call me, but emergency services if something bad happens. And my immediate family is at home with me. And I have an alarm clock on the bedside table ;)

With further exploits, possibly, but not with Checkm8 alone.

The lack of persistence could be worked around by a small enough device disguised as a phone charger. A sufficiently motivated actor could use a human asset to plant/replace such chargers at a target’s home/work.

You have to put the phone into DFU mode. Yes, this is a serious flaw, but in the last 24h the overreactions have already become the stuff of legends.

The exploit requires the device to be put into DFU mode first and can’t be triggered by connecting a cable alone.

From the article:

You have to have a cable connected to your device and put your device into DFU mode, and that requires you to hold buttons for a couple seconds in a correct way

The exploit doesn’t work just by powering on with a hacked USB device, you have to boot in DFU mode, which requires holding a specific combination of buttons as it’s powered on. The article covers this.

It’d surprise me if you couldn’t embed the necessary hardware required to run this inside a USB cable.

> Could it be made to bypass the Secure Enclave?

Well, drilling each individual chip is not economical, but doable. Usually it only meant to get something out, not in.

So it is necessary to know a device's PIN to apply this jailbreak?

The article refers to Secure Enclave and how its protection cannot be bypassed, but it's unclear whether the PIN itself (and entering the DFU mode) is protected by the Secure Enclave.

The PIN is not stored anywhere on the device. It is validated by the Secure Enclave but cannot be recalled. So this attack vector would need to involve flashing a malicious iOS clone that would boot normally and ask the user to enter their PIN/TouchID normally before activating malicious functions.

The PIN isn’t protected by the Secure Enclave. The PIN is what protects it. The SE protects cryptographic keys.

If apple knew about this exploit (given the patched the boot ROM on the newer phones), will iPhones that ship after a certain date have this fixed?

Potential business opportunity - iPhone "virus scanner" device or service?

Can't wait for the bloatware iOS antiviruses!

This is probably the same exploit used by three letter agencies to get into locked iDevices. It was known long before checkm8 became public.

Afaics it doesn’t get you on locked devices. You can install custom firmware, but you’d still need the passcode or face/finger to unlock the actual content.

> Afaics it doesn’t get you on locked devices. You can install custom firmware, but you’d still need the passcode or face/finger to unlock the actual content.

It opens the door for an evil maid attack though. Replace firmware of target and once unlocked exfil the data. Since most people don't regularly turn off their phones in my experience, this attack would probably be successful against most users.

Let's play out this scenario. Someone has to take your phone without you knowing and load some exfil software. This requires focused targeting of people who are not most users. Heads of state, journalists, etc... would just reboot the phone anytime it leaves their possession. Additionally, those users are who are likely targets would just get a newer phone.

The reality is that right now, Checkm8 is great for jailbreakers of older phones and not much else.

Good points. As a complete aside, your comment brought to mind one more group that might benefit: those in a relationship with someone whom they suspect is cheating on them.

For older phones it would, though there were maybe other exploits available as well? From the first page of the interview:

> Before Apple introduced the Secure Enclave and Touch ID in 2013, you didn't have advanced security protections. So, for example, the [San Bernardino gun man's] phone that was famously unlocked [by the FBI]—the iPhone 5c— that didn't have Secure Enclave. So in that case, this vulnerability would allow you to very quickly get the PIN and get access to all the data. But for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don't have the PIN.

> * Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID. All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances.

> * The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.

Apparently, this is not the same exploit.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact