iPhone JailBreak Flaws

With iOS 13 recently released, new iPhone jailbreak tools have appeared, and some of them carry disturbing flaws. The latest jailbreaking exploit, dubbed Checkm8, targets iOS devices ranging from the iPhone 4S to the iPhone X. A jailbreak uses exploits to remove the manufacturer's built-in restrictions; the exploit normally runs a privilege escalation attack on the targeted iOS device and replaces the stock kernel with a custom one.

Some of the prominent tools include: unc0ver, a semi-untethered tool that supports almost all iPhones and iPads running iOS 12 and can reboot an iOS device on its own; Chimera, a semi-untethered jailbreak for iOS devices with A7-A11 processors; Electra, for devices running iOS 11.0-11.4.1; p0sixspwn, an untethered tool for devices running version 6.13-6.16; and evasi0n, for iOS versions 6.0-6.1.2.

Checkm8, the newest of these, is an unpatchable bootrom exploit affecting hundreds of millions of iOS devices, from the iPhone 4S through the iPhone X. Because it lives in the bootrom, which is read-only, Apple cannot fix it with a software update. It can only be used by someone with physical access to the device, and the device must be tethered to a host computer. Those two requirements alone rule out drive-by attacks: anyone wanting to exploit a device would have to find an owner careless enough to leave their phone sitting unattended. Furthermore, Apple's "Secure Bootchain" will refuse to boot a device whose software has been tampered with by malware, because the modified software does not pass the checks the Secure Bootchain enforces. Together, these two factors make it extremely difficult for malicious actors to exploit this flaw. In the case of law enforcement, it is possible that Checkm8 could be used to bypass a device's security PIN, but only on devices that lack the Secure Enclave and Touch ID, which means the iPhone 5c and older, the models that predate the Secure Enclave.

Analyst Notes

Not only does jailbreaking your iOS device void the manufacturer's warranty, but a Checkm8 jailbreak is also permanent: the device cannot be restored to its original programming. The vulnerabilities Checkm8 relies on cannot be exploited wirelessly, but an attacker who gains physical access to the device can use them to gain unfettered access to it. The primary recommendation is simply not to attempt to jailbreak your device, to keep the manufacturer's programming intact, and to always set a PIN or other locking mechanism so that your iPhone stays locked whenever it is not in your possession.