Checkm8 Apple iOS Forever Day Exploit Explained

Here’s what we know about checkm8, aka the “forever-day” exploit.

October 01, 2019
checkm8 exploit on iPhones

Introduction

On Sept 27, 2019, a security researcher who goes by the handle Axi0mX published an exploit, called checkm8, that he claims uses flaws in Apple’s Boot ROM software to bypass boot security.

https://twitter.com/axi0mX/status/1177544174163263489

The researcher states that checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.

https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

This exploit does not affect or impair MobileIron's products.


Vulnerability Information

The researcher claims that checkm8 exploits a race condition to defeat the Secure Boot chain, and that it is not entirely reliable. In its current form it is not a remote exploit: it can only be executed by connecting the iOS device to a computer over USB.

The researcher has published code meant for researchers and developers, who can use it to dump the SecureROM, decrypt keybags with the AES engine, and demote the device to enable JTAG. Additional hardware and software are still needed to use JTAG.

To reiterate, this is not a jailbreak. Because the Boot ROM can’t be updated after the device is manufactured, the author calls checkm8 a “permanent unpatchable Boot ROM” exploit, or “forever-day” exploit.


Affected Components

The researcher claims in his announcement on Twitter that the system-on-a-chip (SoC) in iPhones from the 4S (A5 chip) to the iPhone X (A11 chip), released between 2011 and 2017, is vulnerable. He also writes that other Apple devices with these chips, such as the iPad and iPod touch, are affected.


Our Take

With all the caveats that apply to the checkm8 exploit, having a unified endpoint management (UEM) solution with mobile threat defense (MTD) installed on an iDevice is critical for a few reasons. First, UEM can enforce a complex alphanumeric passcode to access the device. Second, the iOS restriction that enables USB restricted mode prevents USB accessories plugged into the Lightning port from making a data connection with an iDevice (iPhone, iPad, or iPod) once the device has been locked for over an hour. This blocks tools used by hackers and law enforcement to crack passcodes and circumvent Apple’s encryption and the built-in measures that protect the user’s private data. This restriction can be applied to supervised devices.
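As an added example (not MobileIron's code or product configuration), the script below builds the two controls just described as Apple configuration profile payloads in .mobileconfig plist format and audits a profile for them: a weak passcode policy with USB restricted mode switched off beside the corrected one. The payload types and keys (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, allowUSBRestrictedMode) are Apple's documented ones; the PayloadIdentifier values, display names and the minimum length of 8 are assumptions made for the example.

```python
import plistlib
import uuid

# Added example: build and audit configuration profiles for the two controls
# the post names, a complex alphanumeric passcode and USB restricted mode.
# Identifiers and the minimum length below are assumptions, not values from
# the post or from any vendor product.

MIN_PASSCODE_LENGTH = 8  # assumed baseline for a "complex" passcode


def passcode_payload(min_length, require_alphanumeric, allow_simple):
    """Passcode policy payload (com.apple.mobiledevice.passwordpolicy)."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.passcode",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                       # a passcode is required at all
        "minLength": min_length,
        "requireAlphanumeric": require_alphanumeric,
        "allowSimple": allow_simple,            # True permits 1234, 1111, ...
    }


def restrictions_payload(allow_usb_restricted_mode):
    """Restrictions payload (com.apple.applicationaccess); supervised devices only."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrictions",
        # False lets the device keep talking to USB accessories while locked,
        # the data connection the post wants blocked after an hour.
        "allowUSBRestrictedMode": allow_usb_restricted_mode,
    }


def build_profile(payloads, display_name):
    """Wrap payloads in a top-level profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_profile(mobileconfig_bytes):
    """Return a list of findings; an empty list means both controls are enforced."""
    profile = plistlib.loads(mobileconfig_bytes)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []

    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if not pw.get("forcePIN", False):
            findings.append("passcode not required (forcePIN)")
        if pw.get("minLength", 0) < MIN_PASSCODE_LENGTH:
            findings.append("minLength below %d" % MIN_PASSCODE_LENGTH)
        if not pw.get("requireAlphanumeric", False):
            findings.append("alphanumeric passcode not required")
        if pw.get("allowSimple", True):
            findings.append("simple (repeating/sequential) passcodes allowed")

    rs = by_type.get("com.apple.applicationaccess")
    # A missing key leaves the behaviour to the device's own setting, which the
    # user can change, so the audit treats it as not enforced by the profile.
    if rs is None or rs.get("allowUSBRestrictedMode") is not True:
        findings.append("USB restricted mode not enforced (allowUSBRestrictedMode)")
    return findings


# Constructed inputs: the weak profile beside the corrected one.
WEAK_PROFILE = build_profile(
    [passcode_payload(4, False, True), restrictions_payload(False)], "Weak")
HARDENED_PROFILE = build_profile(
    [passcode_payload(MIN_PASSCODE_LENGTH, True, False), restrictions_payload(True)],
    "Hardened")

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(prof) or "OK")
```

The audit reads the serialised plist rather than the in-memory dict, so it can be pointed at a profile exported from a UEM console to confirm what actually reaches the device; it flags an absent allowUSBRestrictedMode key as well as an explicit false, since only the profile value is outside the user's control.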

When a full jailbreak is created, MobileIron UEM will be able to detect that the device’s health is out of compliance and halt the enrollment process, preventing the provisioning of VPN, Wi-Fi, email, identity certificates, managed apps, and content onto the device. Once the device has enrolled in UEM, MobileIron Threat Defense (MTD) will also be able to detect the jailbreak state and quickly remediate any UEM-provisioned settings on the device via quarantine or selective wipe compliance actions. Access to enterprise and cloud resources will also be blocked.

If the Cydia or Sileo apps are installed on the device as a third-party app store for rooted apps, the UEM admin can blacklist them and prevent them from running on the device. MTD will flag these apps as a sideloaded app threat (not downloaded from the iOS App Store) and classify them as a Suspicious iOS app threat. If Cydia or Sileo installs a configuration profile, MTD will detect that a suspicious profile was installed on the device. All these threats can trigger a quarantine or selective wipe compliance action.
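The detection and response logic of the two paragraphs above, as an added example that is not MobileIron's code: a small compliance evaluator run over constructed device-inventory records, covering the jailbreak state, apps not installed from the App Store, the third-party app stores themselves, and configuration profiles the UEM did not push, and mapping the result to block-enrollment, quarantine or selective-wipe actions. The record layout, the install-source value, the bundle identifiers used for Cydia and Sileo, and the prefix identifying UEM-pushed profiles are all assumptions.

```python
# Added example (not MobileIron's code): evaluate constructed device records
# against the signals the post describes and choose a compliance action.
# Bundle identifiers, the install-source value and the UEM profile prefix are
# assumptions for this example.

THIRD_PARTY_STORES = {
    "com.saurik.Cydia": "Cydia",       # assumed bundle identifier
    "org.coolstar.sileo": "Sileo",     # assumed bundle identifier
}
APP_STORE = "app_store"                # install source the agent records (assumed)
UEM_PROFILE_PREFIX = "com.example.uem."  # placeholder: identifiers of UEM-pushed profiles

# Higher number = worse; the worst threat on a device decides the action.
SEVERITY = {
    "sideloaded_app": 1,
    "suspicious_app": 2,
    "suspicious_profile": 2,
    "jailbroken": 3,
}


def detect_threats(record):
    """Return a list of (threat_type, detail) pairs for one device record."""
    threats = []
    if record.get("jailbroken"):
        threats.append(("jailbroken", "device reports a jailbreak"))
    for app in record.get("apps", []):
        bundle = app["bundle_id"]
        # Anything not installed from the App Store is a sideloaded app ...
        if app.get("source") != APP_STORE:
            threats.append(("sideloaded_app", bundle))
        # ... and a known third-party store is additionally classified suspicious.
        if bundle in THIRD_PARTY_STORES:
            threats.append(("suspicious_app", THIRD_PARTY_STORES[bundle]))
    for profile_id in record.get("profiles", []):
        # A profile the UEM did not push (e.g. one installed by a third-party
        # store) is reported as a suspicious profile.
        if not profile_id.startswith(UEM_PROFILE_PREFIX):
            threats.append(("suspicious_profile", profile_id))
    return threats


def compliance_action(record):
    """Map the worst threat on a device to a compliance action."""
    threats = detect_threats(record)
    if not threats:
        return "compliant"
    worst = max(SEVERITY[t] for t, _ in threats)
    if not record.get("enrolled", False):
        return "block_enrollment"   # halt provisioning of VPN, Wi-Fi, certs, apps
    if worst >= SEVERITY["jailbroken"]:
        return "selective_wipe"     # remove UEM-provisioned settings and content
    return "quarantine"             # cut enterprise/cloud access, keep the device managed


# Constructed inventory records, one per situation the post describes.
DEVICES = [
    {"id": "d1", "enrolled": True, "jailbroken": False,
     "apps": [{"bundle_id": "com.example.mail", "source": APP_STORE}],
     "profiles": ["com.example.uem.wifi"]},
    {"id": "d2", "enrolled": True, "jailbroken": False,
     "apps": [{"bundle_id": "com.saurik.Cydia", "source": "unknown"}],
     "profiles": ["com.example.uem.wifi", "example.thirdparty.repo"]},
    {"id": "d3", "enrolled": False, "jailbroken": True, "apps": [], "profiles": []},
    {"id": "d4", "enrolled": True, "jailbroken": True, "apps": [], "profiles": []},
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["id"], compliance_action(dev), detect_threats(dev))
```

Keeping detection (`detect_threats`) separate from response (`compliance_action`) lets the same signals feed both the pre-enrollment gate and the post-enrollment remediation the post describes, with the severity table as the single place to tune which threats warrant a wipe rather than a quarantine.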

We’ll continue to monitor new developments in the checkm8 exploit. If you’d like to learn more about MobileIron UEM, please visit here.

James Saturnio

James Saturnio, Senior Solutions Architect at MobileIron

About the author

James Saturnio is a Senior Solutions Architect for the Technical Marketing Engineering team at MobileIron. He immerses himself in all things cybersecurity with equal parts mobility and IoT technologies. He has been with MobileIron for 5 years. Previously, he worked at Cisco Systems for 19 years where he started out as a Technical Assistance Center (TAC) engineer, then a software engineer, and as a Technical Leader in the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.
