Apple’s iPhone 5c, the last without a Secure Enclave
On Friday morning, hacker axi0mX revealed the “Checkm8” exploit. For the first time in nearly a decade, this particular vector is aimed at the boot ROM in an iPhone or iPad, as opposed to trying to pry open the iOS software.
A series of tweets broke down the exploit —and spelled out some limitations and answers about the exploit. Cue Internet drama.
EPIC JAILBREAK: Introducing checkm8 (read “checkmate”), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
— axi0mX (@axi0mX) September 27, 2019
User vulnerability?
The Checkm8 exploit isn’t a drive-by attack. A user can’t visit a website and be targeted for malware installation. The exploit isn’t persistent, meaning that every time the iPhone is rebooted, the attack vector is closed again.
Earlier iPhones, from the iPhone 5c and earlier, lack a Secure Enclave. If you surrender access to your phone, a dedicated assailant can extract your iPhone PIN. But, phones with a Secure Enclave —everything from the iPhone 5s and on —cannot be attacked in such a manner.
Furthermore, the exploit is tethered. That means that an iPhone or iPad needs to be connected to a host computer, put into DFU mode, and exploited that way —and the exploit doesn’t always work, relying on a “race condition” according to Checkm8.
Software like keyloggers or other malware could theoretically be installed following an attack. But, other mechanisms that Apple has put into place will defeat that, following a device reboot.
Apple has implemented what’s called a “Secure bootchain.” In short, there are steps at every part of iOS software implication that check the integrity of the previous step —and some that check the next step —to be sure that the phone is safe. The secure bootchain checks wouldn’t allow software that doesn’t comply to function after a hard reboot of an iPhone.
We’ve gleaned this information above from Apple in the hours following the exploit’s release. The developer axi0mX confirmed these findings, and discussed the implications further in an Ars Technica interview on Saturday morning.
All this said, in short, a user has to either specifically want to do this procedure to their iPhone and take the steps to execute them, or be careless with device physical security and be specifically targeted by an assailant for it to be of any real concern.
If you’re really worried about it, it’s time to ditch the iPhone 5c or older that you may be hanging on to. And, you can always completely shut down your iPhone after you’ve left it unattended for any period of time.
A reboot will not just flush out the exploit, but also break any software that may have been installed in your absence.
Jailbreaking is fine!
We’re not opposed to jailbreaking here at AppleInsider. A few staffers have done it in the past.
AppleInsider doesn’t generally cover jailbreak exploits. In the cat-and-mouse game that is constantly raging between Apple and the jailbreak community, information published today is often outdated tomorrow. This isn’t much different than that in actuality, but it got a much wider audience outside of the tech media.
In that media, in the very few hours after the Checkm8 exploit was revealed, there has been a lot of fear, paranoia, and finger-pointing done across the internet. There is no real reason for it at all. Fortunately, as of yet, there haven’t been any “nasty secret” style headlines regarding this matter. We’re sure that some content management system someplace has one stored, though, and we’re also pretty sure we know who’s going to do it first.
Most of the headlines are right. This is a big deal for the jailbreak community. We don’t think it’s a bad thing at all. Because of limitations for assailants, it just makes no difference to nearly every iPhone or iPad user outside of that community, though.
If you take anything away from this, it should be that your are no less safe today from the reveal of Checkm8 than you were yesterday, or the day before, or four years ago. Malware can’t exploit it at all, and if you maintain physical security of your iPhone 5S and newer, then your passcode —and your data —remains safe.