A researcher specializing in iOS security claims to have created a bootrom exploit that can be leveraged to jailbreak hundreds of millions of iOS devices, including every iPhone model from the iPhone 4S through the iPhone X.
The hacker, who uses the online moniker axi0mX, has released the exploit for free in hopes that it would benefit security researchers and the iOS jailbreak community. He has described it as a “permanent unpatchable bootrom exploit” that is “possibly the biggest news in iOS jailbreak community in years.”
The exploit, dubbed Checkm8, is not a full jailbreak in itself, but it can be used as the foundation for jailbreaking devices with Apple processors ranging from the A5 (introduced in 2011 with the iPad 2 and the iPhone 4S) to the A11 (introduced in 2017 with the iPhone 8 and iPhone X). Devices with A12 and A13 processors do not appear to be impacted; the A12 is used in the iPhone XS, the iPhone XR and the 2019 iPad Air, and the A13 in the iPhone 11.
axi0mX says the exploit, which leverages a race condition, is “not perfectly reliable yet” and cannot be triggered remotely. It is delivered over USB, so an attacker needs physical access to the targeted device.
The researcher claims to have discovered it after analyzing an iOS update released by Apple roughly one year ago, which patched a critical use-after-free vulnerability in iBoot USB. axi0mX notes that the vulnerability is not easy to exploit on most devices.
“A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer,” axi0mX said on Twitter after releasing the exploit.
He added, “It will also be better for security researchers interested in Apple’s Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.”
Vulnerabilities in the bootrom (also known as SecureROM) cannot be patched with a software or firmware update: the bootrom is read-only code burned into the chip at manufacture, so the only fix is a new hardware revision, which is why the exploit is described as permanent for the affected devices.
The source code of the Checkm8 exploit has been made public by the researcher on GitHub.
SecurityWeek has reached out to Apple for comment and will update this article if the tech giant responds.