A security researcher has released today a new jailbreak that impacts all iOS devices running on A5 to A11 chipsets — chips included in all Apple products released between 2011 and 2017. This includes iPhone models from 4S to 8 and X.
The jailbreak uses a new exploit named Checkm8 that exploits vulnerabilities in Apple’s Bootrom (secure boot ROM) to grant phone owners full control over their device.
Axi0mX, the security researcher who published Checkm8 today, told ZDNet he’d worked on the jailbreak all year.
On Twitter, he described Checkm8 as “a permanent unpatchable bootrom exploit,” making the Checkm8 jailbreak one of the most extensive and efficient rooting tools of its kind.
The researcher’s jailbreak sits in a class of its own. Most jailbreaks use vulnerabilities in the iOS operating system and its components to give users control over their devices.
Bootrom jailbreaks are very rare. They are the most highly sought-after jailbreaks because they are permanent and can’t be patched. Fixing any Bootrom vulnerability requires a silicon revision, meaning physical modifications to device chipsets, something that no company can fix without recalls or mass replacements. In effect, this is a permanent jailbreak that will work in perpetuity.
The last Bootrom-based jailbreak was released in 2009, making the Checkm8 exploit an even more remarkable achievement, since many thought Apple had managed to secure its boot-up process.
Axi0mX’s jailbreak is available on GitHub. The code is marked as a “beta” release. Most jailbreaking exploits are packaged in easy-to-use tools. For the moment, Checkm8 is in a very raw form and isn’t recommended for users without proper technical skills, as it could easily brick devices.
The jailbreak does not work on Apple’s two latest chipsets, the A12 and A13, and as Axi0mX told ZDNet, there are also kinks to be ironed out on older devices.
“I don’t have it working on some older devices yet, like iPhone 4S, but I believe it is possible with a bit more effort,” Axi0mX told ZDNet earlier today.
There are also downsides to Checkm8’s publication. Besides allowing users to jailbreak devices, the exploit can also be used by threat actors to root devices. The good news is that the jailbreak needs physical access to the device, so, at least, it can’t be used remotely. Nevertheless, since it’s an unpatchable issue, it’s a security risk that iOS users should be aware of, and an incentive to upgrade to newer handsets.