This is an original research, please mention me or link this post if you forward this article to any other medium.
Unlike other articles which are for pro-users and developers. I will try to explain as detailed as I can in this article since it’s a very serious security issue for most iOS users. In Sep. 2019, security researcher @axi0mX found an epic exploit of most iOS devices, which named “checkm8”. It’s a bootrom exploit, which can’t be patched with any future iOS software updates.
And few days ago, the first jailbreak tool which based on checkm8 exploit was released, the tool is “checkra1n”.
What’s bootrom exploit? It’s a exploit which is embed in the hardware, which means that it’s impossible to be patched in the future with any software update. And the bootrom exploit checkm8 effects hundreds of million devices. For example, any iPhone released before iPhone XS are effected. Not only iPhones, but also any iPads, iPod touches, Apple Watches, Apple TVs and even HomePods that with specific CPU chips all have this exploit.
Before the checkra1n jailbreak tool released, to steal privacy data from one’s iOS devices, you need to let the victim install spyware with some tricks (like phishing), or get the device physically and patch the passcode. It’s very difficult to bypass the passcode of iOS, even FBI couldn’t hack that before. And for the most serious exploit: “remote jailbreak”, a company even pay $2 million for these kind of vulnerabilities. So you can know that it’s very difficult to monitor a victim’s iOS device before.
After a checkm8 based jailbreak tool (like checkra1n) released, it’s very easy to get any data on effected devices if the attacker can get your iPhone for few minutes, or the attacker even can install malware/spyware on the victim device without any permission/passcode. Although the spyware won’t be work after rebooting the device, we can ask ourselves: “What’s the last time that you rebooted your iPhone?”. For me, once my iPhone stayed on for more than 40 days, so it’s possible to monitor the victim’s device for a long while with one-time attacking.
Currently, you need to connect your device to a Mac computer to jailbreak. However it’s possible to make a small device (dongle) which can run the exploit and steal data automatically. You can imagine, in the future, the attacker can get the victim’s iPhone when he/she go to the toilet and leave the iPhone on the table. And then, attacker just insert a USB-disk like device, which can install malware or get access of victim’s file list without passcode.
To evaluate this, I did an experiment today. I used an iPhone 6s plus and run the checkra1n tool. After jailbreaking successfully, I can see the list files that are stored in these devices, without their passcode.
The steps of my experiment:
- Restore the iPhone with DFU mode, to iOS 13.2.2
- Setup the iPhone without connecting to my computer
- Setup iCloud, Touch ID, passcode and Find My iPhone
- Install an application from AppStore
- Reboot to DFU mode and use checkra1n to jailbreak
- No passcode entered for the following steps (7 & 8)
- Try to access photos, I found that I can’t read photo data, but I can list them
- Try to remount root disk and write a file to root successfully
There are some conclusions from my experiment:
- Attackers don’t need to enter passcode and you can list user data directly
- Attackers don’t need to trust the connection between iOS device and the computer
- Although attackers can’t read user data directly, it’s possible to put malware to root disk
- Attackers can list user data (in App sandbox). If you have a document management app and you have a document with sensitive file name, it’s enough for attacker to get some information.
- Attackers can wait for next chance, because user data protection only available before entering passcode after rebooting. After the victim unlock his/her device and lock it again, attacker can really read user data without passcode.
If you are a very important person like a government officials, or holding very sensitive information, I strongly recommend you to change your iOS device if you are still using effected devices. For every users, if you lost your iOS device, I recommend you just wipe it on iCloud because you never know whether the thief or someone whom get your device would try to access your privacy data or not.
One more thing, the exploit requires your iOS device in a special mode called “DFU mode”, it’s not very possible to get into DFU mode for daily usage. So it’s still safe to use other person’s cables or accessories without “trust” the connection. But once the attacker can get your device physically, your data would be in dangerous. Also, if you trusted the connection between your device and the accessory, it means that you allow the accessory to access your data, no matter the device you use, no matter whether there’s any exploits. So, never click “trust” on your device when you charge your iOS device with a charger which is not yours.
How to protect your data?
- If you are very important person whom holding sensitive information, I recommend you upgrade your iOS device to iPhone XS or above
- If you go to somewhere and leave your iOS device, please make sure that your device is not rebooted after you come back. Or it might be attacked and the attacker is waiting for you to unlock your device.
- When you lost your iOS device, please make sure that you don’t have any file with sensitive file name, or you should wipe your iOS device remotely on iCloud.
- Never tap “trust” when you connect any cables or accessories which is not yours.
PS. Apple must know the exploit at least about 2 years ago since they patched this on iPhone XS / iPhone XR. But they published new devices with the bottom exploit (iPod touch 7, and the iPad 7th generation which released 2 months (Sep. 2019) before)…
Thanks Mowd, Jacob, Garynil lent me their devices, thanks littlesocks for her suggestions of this article, and thanks for Birkhoff Lee for advice of the experiment. This research can’t be done without their help.