The cat-and-mouse game between Apple and hackers has continued for years with small victories on each side, but hackers appear to have scored an atypically large win this morning: a permanent and unpatchable bootrom exploit for all iPhones and iPads using A5, A6, A7, A8, A9, A10, and A11 series processors — a range covering everything from 2011’s iPhone 4S through 2017’s iPhone 8 and iPhone X. Because the bootrom is read-only code fixed in the chip at manufacture, a flaw in it cannot be fixed by a software update; only newer hardware closes it.
iOS security researcher Axi0mX publicly released the Checkm8 exploit this morning as a free, open-source jailbreaking tool, promising that it will even work on phones running the latest versions of iOS. A similar technique has been used by Cellebrite and Grayshift to unlock iPhones for surveillance purposes, leading Apple to protect newer iPhones against the exploit with the more secure A12 Bionic and A13 Bionic chips.
There are limitations. The exploit requires physical access: the iOS device needs to be connected via USB for the initial jailbreak, and it cannot be triggered remotely. Axi0mX also notes that it isn’t “perfectly reliable yet,” and that it has only been tested on a MacBook Pro.
But as of now, it can be used to decrypt an iOS device’s keys, dump the SecureROM, and enable JTAG debugging access to the hardware. Going forward, it’s expected to enable downgrading to older iOS versions, dual-booting of operating systems on jailbroken devices, and a full bypass of iCloud security measures.
Despite the potential impact on “hundreds of millions of iOS devices,” Axi0mX suggests that the exploit “makes iOS better for everyone,” as it will enable jailbreakers to use newer and more secure iOS releases, and increase the rapid reporting of other vulnerabilities to Apple. Apple now offers bug bounties of up to $1 million for serious unaddressed issues.