Unpatchable bug in millions of iOS devices exploited, developer claims

by Sean Gallagher, from Ars Technica
Image caption: Devices as recent as the iPhone X, based on Apple's A11 chip, are claimed to be vulnerable to a new boot ROM attack revealed today. (credit: SOPA Images / Getty Images)

Today, an iOS security researcher who earlier developed software to "jailbreak" older Apple iOS devices posted a new software tool that he claims uses a "permanent unpatchable bootrom exploit" that could bypass boot security for millions of Apple devices, from the iPhone 4S to the iPhone X. The developer, who goes by axi0mX on Twitter and GitHub, posted via Twitter, "This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community."

The exploit has not yet been turned into a kit for jailbreaking the phone, something that requires specialized hardware and software. But it does provide a gateway for other attacks against the security of the device, allowing boot-level access to the phone's internal software.

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.

Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG

- axi0mX (@axi0mX) September 27, 2019

"What I am releasing today is not a full jailbreak with Cydia [an alternative package manager for jailbroken iOS devices], just an exploit," axi0mX wrote. "Researchers and developers can use it to dump SecureROM [the boot ROM code], decrypt keybags [the escrow memory with the keys for all encrypted data on the device] with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG." (JTAG is "Joint Test Action Group," an interface used for verifying printed circuit boards sometimes leveraged in forensic examination of smartphones.)
