Photo by James Bareham / The Verge
A newly announced iOS exploit could lead to a permanent, unblockable jailbreak on hundreds of millions of iPhones, according to the researcher who discovered it, axi0mX. Dubbed “checkm8” (read “checkmate”), the exploit targets a vulnerability in the bootrom, the very first code an iOS device runs, and could give hackers access at a level that Apple is unable to block or patch out with a future software update. That would make it one of the biggest developments in the iPhone hacking community in years.
EPIC JAILBREAK: Introducing checkm8 (read “checkmate”), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG — axi0mX (@axi0mX) September 27, 2019
The exploit is specifically a bootrom exploit, meaning it takes advantage of a security flaw in the first code an iOS device runs when it powers on, code that Apple burns into the processor itself at manufacture. The bootrom is the root of the chain of trust that verifies every later stage of iOS before it loads, and nothing checks the bootrom in turn. Because it lives in ROM (read-only memory), it can’t be overwritten or patched by Apple through a software update, so the flaw is there for the life of the device. It’s the first bootrom-level exploit publicly released for an iOS device since the iPhone 4, which was released almost a decade ago.
In a follow-up tweet, axi0mX explained that they released the exploit to the public because a “bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.”
There’s no actual jailbreak yet
Hundreds of millions of iPhones are affected by the exploit: any device from the iPhone 4S (A5 chip) through the iPhone 8 and iPhone X (A11 chip) is vulnerable, although it appears that Apple fixed the flaw in last year’s A12 processors, meaning that the iPhone XS / XR and 11 / 11 Pro aren’t affected.
Apple did not respond to a request for comment.
It’s still very early days for the checkm8 exploit. There’s no actual jailbreak yet, meaning that you can’t simply download a tool, crack your device, and start downloading apps and modifications to iOS.
Crucially, the exploit is delivered over USB while the device sits in DFU mode, and because the bootrom itself can’t be modified, nothing the exploit does survives a reboot. Any jailbreak built on it is, for now, what jailbreakers call “tethered”: the device has to be plugged into a computer and re-exploited every time it boots, which limits its usefulness as a practical jailbreak right now. It’s possible that the exploit will lead to an “untethered” jailbreak, but that would need something beyond checkm8 itself to keep the modifications in place across reboots.
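To make the “bootrom is the root of trust” point and the “tethered” point concrete, here is an added toy model of a verified boot chain; it is example code written for this page, not Apple’s code or anything from axi0mX. It assumes a chain of bootrom → iBoot → kernel in which every stage verifies the next, and uses HMAC-SHA256 with a constructed sample key as a stand-in for the RSA signatures Apple’s bootrom checks against a root key fused into the SoC (the standard library has no asymmetric signatures). The A11/A12 device objects, image bytes, and the `dfu_exploitable` flag are constructed for the model. It ignores anti-rollback nonces, so it says nothing about downgrades.

```python
"""Toy model of an iOS-style verified boot chain rooted in an immutable bootrom.

Constructed example, not Apple code. HMAC-SHA256 stands in for the RSA
signatures Apple's bootrom checks against a root key fused into the SoC; the
chain structure is what matters: each stage verifies the next one, and no
stage ever verifies the ROM that started the chain.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stand-in for Apple's private signing key (constructed sample value). In the
# real chain the bootrom holds only the public half; here the same bytes serve
# both roles because the standard library has no asymmetric signatures.
APPLE_ROOT_KEY = b"constructed-sample-apple-root-key"
ATTACKER_KEY = b"constructed-sample-attacker-key"


class SecureBootError(Exception):
    """Raised when a stage refuses to hand off to an unsigned successor."""


def sign(image: bytes, key: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                # the stage's code (constructed sample bytes)
    sig: bytes                  # signature over image
    next_name: Optional[str]    # flash slot of its successor, None for the last stage


@dataclass(frozen=True)
class BootRom:
    root_key: bytes         # fused at manufacture, never updatable
    dfu_exploitable: bool   # True models A5-A11 (checkm8), False models A12+


def apple_stage(name, image, next_name=None):
    return Stage(name, image, sign(image, APPLE_ROOT_KEY), next_name)


def attacker_stage(name, image, next_name=None):
    return Stage(name, image, sign(image, ATTACKER_KEY), next_name)


def boot(rom: BootRom, flash: Dict[str, Stage],
         dfu_chain: Optional[List[Stage]] = None) -> List[str]:
    """Simulate one power-on and return the names of the stages that ran.

    dfu_chain models images sent over USB while the device sits in DFU mode.
    On an exploitable ROM the attacker's code already runs inside the bootrom
    before it verifies anything, so whatever was sent is loaded unchecked.
    On a fixed ROM a DFU image is just another candidate that must verify.
    """
    ran = ["bootrom"]
    if dfu_chain and rom.dfu_exploitable:
        return ran + [s.name for s in dfu_chain]   # no signature check at all

    pending = list(dfu_chain or [])
    next_name: Optional[str] = "iBoot"             # the ROM's only job: load iBoot
    while next_name is not None:
        candidate = pending.pop(0) if pending else flash[next_name]
        expected = sign(candidate.image, rom.root_key)
        if not hmac.compare_digest(expected, candidate.sig):
            raise SecureBootError(f"{ran[-1]} rejected {candidate.name}")
        ran.append(candidate.name)
        next_name = candidate.next_name
    return ran


def try_boot(rom, flash, dfu_chain=None):
    """boot(), but report a refusal as a string instead of raising."""
    try:
        return boot(rom, flash, dfu_chain)
    except SecureBootError as exc:
        return f"rejected: {exc}"


# Constructed sample devices and images (no anti-rollback nonce in this model).
A11 = BootRom(APPLE_ROOT_KEY, dfu_exploitable=True)   # iPhone 8 / X class
A12 = BootRom(APPLE_ROOT_KEY, dfu_exploitable=False)  # iPhone XS / XR class

FLASH_12 = {"iBoot": apple_stage("iBoot", b"iBoot 12.4", "kernel"),
            "kernel": apple_stage("kernel", b"kernelcache 12.4")}
FLASH_13 = {"iBoot": apple_stage("iBoot", b"iBoot 13.1", "kernel"),   # a software update
            "kernel": apple_stage("kernel", b"kernelcache 13.1")}
PWNED = [attacker_stage("pwned-iBoot", b"patched iBoot", "pwned-kernel"),
         attacker_stage("pwned-kernel", b"patched kernelcache")]

if __name__ == "__main__":
    print("clean A11 boot:          ", try_boot(A11, FLASH_12))
    print("A11, tampered kernel:    ", try_boot(A11, {**FLASH_12, "kernel": PWNED[1]}))
    print("A11 + checkm8 over USB:  ", try_boot(A11, FLASH_12, PWNED))
    print("A11, updated, + checkm8: ", try_boot(A11, FLASH_13, PWNED))
    print("A11, updated, no USB:    ", try_boot(A11, FLASH_13))
    print("A12 + same USB payload:  ", try_boot(A12, FLASH_13, PWNED))
```

The six runs map onto the article’s claims: with a clean bootrom, tampering with flash is caught by the stage above it; once the attacker runs inside the bootrom, the unsigned chain loads regardless of what Apple’s update put in flash; unplug the cable and reboot and the immutable ROM boots the legitimate chain again, which is why the jailbreak is tethered; and on a ROM without the bug the same USB payload is just another image that fails verification.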
The possibilities are nearly endless — in theory
That said, assuming developers are able to build on checkm8 to get into the rest of iOS (which is a very big “if” right now), the possibilities are nearly endless: permanently jailbroken devices that can’t be reverted by Apple software updates or revoked signatures, devices that could be easily rolled back to previous versions of iOS, dual-booting between multiple versions of iOS, and more.
There are also security concerns. Nefarious actors could use the vulnerability to circumvent Apple’s iCloud Activation Lock, which is used to render stolen or lost devices useless, or to install poisoned versions of iOS that steal user information. Both require physical access to the device and a USB connection, which rules out remote attacks but not a thief or a seized phone. And while Apple can fix the bootrom in newer chips, the hundreds of millions of iPhones already out there can’t be patched without replacing hardware.
The iPhone jailbreaking scene isn’t nearly as big of a place as it once was, however. Back in the early days of the iPhone, cracking Apple’s devices to install custom software was far more appealing. Back then, there was no way to install third-party apps, and basic features — like customizable wallpapers for the home screen, simple multitasking, or the ability to copy and paste text — were missing, leaving jailbreaking as the only way to get those features. As time went on, iOS got more feature complete, giving most users less of a reason to jailbreak, and Apple got better at quashing the security holes that would allow developers to jailbreak phones.
The value of iOS exploits has also risen greatly, with Apple’s bug bounty program paying for exploits and shadier groups looking to use them to hack iOS devices. That means there’s less incentive for developers who do find exploits usable for a jailbreak to release them. (A recent “flood” of exploits has pushed the price of iOS exploits down to a mere $2 million, compared to $2.5 million on Android.)
checkm8 might be the spark the jailbreaking community needed
There’s still an active community of users who insist on having total control over their phones and tablets, but a combination of less demand for the benefits of jailbreaking and lack of major exploits (especially for newer devices / versions of iOS) has led to some stagnation in the community. Plus, there are now new alternatives like AltStore, a recently launched workaround for installing unsanctioned apps on iOS devices without the hassle of jailbreaking at all.
The new exploit isn’t the only recent development in the jailbreaking space. Over the summer, Apple accidentally unpatched a vulnerability in iOS, opening up modern devices for jailbreaks for the first time in years. And while the hole was quickly patched, it sparked a surge in jailbreaking iPhones.
It’s too early to say whether checkm8 will lead to a new golden age for hackable iPhones, although many members of the jailbreak subreddit are extremely optimistic. One user proclaimed that it is “literally the biggest thing to ever happen in Jailbreaking” due to the scope of the exploit. Either way, given the nature of the exploit and the number of devices it impacts, it’ll be something to monitor going forward.