Security Week 40: Apple Mobile BootROM Vulnerability

Depending on your preferences for this news, you can choose one of two headlines. Either "a serious vulnerability was found in Apple mobile devices up to the iPhone X", or "finally came up with a new way to jailbreak iDevices (but this is not accurate)." As for the jailbreak, the truth is still not clear (although with high probability new methods of hacking iPhones will appear), but the vulnerability seems to be real. The hacker, known as axi0mX, has freely available an exploit for a bug in BootRom of a number of Apple mobile devices. There are still few details about the vulnerability, it is only known that a certain race condition is being exploited. But the most important thing is that for the first time in a long time, the vulnerability was found in the code that is used to boot the device and is stored in ROM, that is, a patch cannot be released to it.



An exploit called checkm8 (read as checkmate, “checkmate”) is not capable of anything by itself: it only allows you to execute arbitrary code during the phone’s boot process. What this code will do next is a big question, since BootRom, although important, is not the only mechanism for protecting Apple’s mobile devices. It is well known that direct access to the user's personal data will not work - the Secure Enclave exploit system does not bypass. In general, this is bad news, good news, bad news. The bad news: there is a bug where it cannot be repaired. The good news is that user data is most likely safe. The bad news is: combining this vulnerability with others could theoretically give great opportunities to both peaceful iOS security researchers and attackers.



You can learn more about the vulnerability in this news, in an interview with the exploit author ArsTechnica and on the github .



On Github, the chekm8 exploit is available as part of a utility for flashing Apple devices, along with an earlier creation by the same author, the alloc8 exploit for iPhone 3Gs, which was published in 2017. It is clear that the exploit for the 2009 device in 2017 was of purely theoretical interest, but, unlike checkm8, it was permanent (tethered), that is, the ability to execute arbitrary code (and complete jailbreak of the device) remains after reboot. Checkm8 does not have such a feature: after a reboot, it turns into a pumpkin, it requires a second hacking of the device, which must be connected to the computer and put into firmware recovery mode. From here, another characteristic of the vulnerability is derived: it cannot be exploited remotely.







In an interview with ArsTechnica, the exploit author speaks more carefully than on Twitter. He answers almost all journalists' questions: “maybe” and “depends on circumstances”. Only the list of susceptible devices is precisely defined: these are all Apple mobile devices, starting with iPhone 4 and ending with iPhone X. Although it will be right to talk about SoC versions: almost all are affected up to A11, excluding only the most modern smartphones and tablets based on A12 and A13 The Arstechnica article also mentions that a bug is present in the Apple Watch. Successful exploitation of the vulnerability allows you to at least decrypt the device’s boot code and enable the debugging interface (JTAG).



The axi0mX hacker on Twitter talks about the incredible benefits of such an exploit for Apple device security researchers. And perhaps the “benefit” (if it is right to talk about a vulnerability published bypassing the vendor) will only be appreciated by researchers. So far, there is no full-fledged jailbreak of any of the affected devices that allows you to obtain superuser rights in iOS and install an alternative Cydia application store.







The exploit, as we have already mentioned, also does not give guarantees of access to data on the device. Therefore, its value to government bodies and anyone who wants to receive information from a locked device without the knowledge of the user is doubtful. Those involved in forensic examination of devices probably have other ways of obtaining information, and, as was recently shown , they may turn out to be simpler than a freshly discovered exploit. The list of features from the tweet above (flashing the device to any other version of iOS, downloading alternative iOS, brute force user password) are more likely potential consequences, rather than harsh reality.







However, let's see. Two days after the first publication, axi0mX uploaded a video in which it shows loading the latest version of iOS in verbose mode. In itself, this also does not prove anything, but suggests that specialists will now have something to do. The recommendations (captain, but still important) are as follows: if you are a paranoid dissident politician who wants to protect your data on iPhone as much as possible, it's time to buy a device fresher that is not vulnerable to this vulnerability. Set not a simple passcode from numbers, but a full password with a combination of numbers, letters and special characters. This will make brute force difficult, even if the opportunity arises for its holding. Everyone else should not worry yet: Apple is quite capable of reducing the potential of an unclosed vulnerability in ROM where software can be updated. Despite the victorious tone of the messages, even the author of the exploit himself admits that Apple is at its best. I wonder if this attitude will change due to new discoveries that researchers will make using the exploit. Apparently, learning Apple’s iOS code without Apple’s sanction is an almost perfect tool.



Disclaimer: The opinions expressed in this digest may not coincide with the official position of Kaspersky Lab. Dear editors generally recommend treating any opinions with healthy skepticism.