This Hacker May Have Found a Way to Permanently Jailbreak Your iPhone
The demise of jailbreaking has arguably been mostly the result of Apple adding features to iOS that were once only possible through jailbreaking, which has made jailbreaking less necessary and even less desirable, especially considering that it opened up the iPhone to all sorts of security issues by removing the built-in protections of iOS.
On top of that, Apple never condoned the behaviour in the first place, and has played a cat-and-mouse game with the jailbreaking community for years, with each new iOS release — even minor ones — creating new obstacles for hackers to overcome. Apple has gradually been winning this battle as it tightens the hardware and software security with each new iPhone and iOS release, and over the past few years it’s reached the point where for most folks, the benefits to be gained from jailbreaking just aren’t worth the effort required to do so.
That said, Apple ironically opened the door to jailbreakers again earlier this year when iOS 12.4 reintroduced a kernel bug that had already been fixed in an earlier release, but the victory was short lived: the subsequent iOS 12.4.1 update patched it again. In reality, however, at this point it's safe to say that very few people outside of the security research community actually cared.
The Holy Grail of Jailbreaking
The number one challenge that was always faced by the jailbreaking community was that each time they discovered a way to jailbreak an iPhone, Apple would quickly close it in the next iOS update, putting them back to square one in finding another.
Recently, however, a researcher has published a new exploit affecting a whole range of iPhone models that would once have been the holy grail of jailbreaking: a way to exploit the device regardless of what iOS version it's running. In other words, rather than an iOS update closing the hole, the same exploit can be used to jailbreak the iPhone again after applying even major iOS updates, because the bug is not in iOS at all.
The researcher, who goes by the handle axi0mX, has dubbed the new exploit checkm8, and describes it as "a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices."
Specifically, he notes that pretty much every device running an A-series chip from the A5 to the A11 is vulnerable, which in practical terms means all iPhones from the 2011 iPhone 4S to the 2017 iPhone X, along with the iPad and iPod touch models built on the same chips, including even this year's seventh-generation iPod touch and 10.2-inch iPad, both of which still use an A10.
Further, because checkm8 targets the boot ROM rather than iOS, the iOS version installed on the device is irrelevant, and axi0mX subsequently demonstrated the technique on an iPhone X running iOS 13.1.1, a version of Apple's operating system that was less than three days old at the time.
The researcher notes that exploiting the boot ROM with checkm8 took less than two seconds, after which he was able to make the iPhone boot up in verbose mode, something that definitely isn't possible on a stock iPhone.
What This Means For You
As The Verge explains, the exploit used for this jailbreaking technique relies on a security vulnerability in the boot ROM, the read-only code baked into the chip that runs first when your iPhone, iPad, or iPod touch powers on and that loads the rest of the boot chain, and ultimately iOS, from flash storage. The exploit is "permanent" because that code is in read-only memory: it cannot be changed by a software update, so Apple has no way of patching the vulnerability on existing devices, and it can only be fixed in new hardware.
The researcher, axi0mX, explained that the exploit was released to “make iOS better for everyone” as those users who still want to jailbreak their devices will no longer have to remain on an older iOS version which would be more vulnerable to other security exploits.
However, at this point the method is only a proof of concept, and there’s no actual public jailbreak available yet, which means you won’t be able to download a tool to do this yourself, although presumably that will be coming at some point.
While a security vulnerability like this would normally make us nervous, this one is a "tethered" exploit, which means that there's no way to take advantage of it remotely. To apply it, you have to put the iPhone into its firmware-recovery (DFU) mode and connect it to a computer over a direct USB connection, and because the exploit only modifies what is in memory, it does not survive a reboot: as things stand right now, it has to be re-applied over USB every time the device restarts.
This limits its current usefulness as a jailbreaking method until it’s further developed, but most importantly it means that you don’t have to worry about random hackers taking control of your iPhone remotely — they would not only need physical possession of your device, but also a computer nearby to plug it into. However, we could certainly see this becoming a useful tool for law enforcement to access otherwise-locked iPhones as part of ongoing investigations, as well as the possibility for thieves to bypass Apple’s Activation Lock feature on stolen devices.
At this point, however, it’s little more than an exploit with theoretical applications, and it appears the vulnerability doesn’t exist in the A12 or A13 chips, which means iPhone XS, iPhone XR, and iPhone 11 models are all safe — for now at least.