Here’s what we know about checkm8 aka “forever-day” exploit!
On Sept 27, 2019, a security researcher who goes by the handle Axi0mX published an exploit, called checkm8, that he claims uses flaws in Apple’s Boot ROM software to bypass boot security.
This exploit does not affect or impair MobileIron's products.
The researcher claims that checkm8 exploits a race condition to defeat the Secure Boot chain, and that it is not entirely reliable. In its current development, it is not a remote exploit, as it can only be executed by connecting the iOS device to a computer over USB.
The researcher has published code meant for researchers and developers who can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.
To reiterate, this is not a Jailbreak. As the Boot ROM can’t be updated after the device is manufactured, the author calls checkm8 a “permanent unpatchable Boot ROM” exploit or “forever-day” exploit.
The researcher claims in his announcement on Twitter that the system-on-a-chip (SoC) in iPhones from 4S (A5 chip) to iPhone X (A11 chip), released between 2011 and 2017 are vulnerable. He also writes that Apple devices with these chips like the iPad and iPod Touch are also affected.
With all the caveats that exist with the checkm8 exploit, having a unified endpoint management (UEM) solution with mobile threat defense (MTD) installed on an iDevice is critical for a few reasons. First, UEM can enforce a complex alphanumeric passcode to access the device. Second, the iOS restriction to allow USB restricted mode prevents USB accessories that plug into the Lightning port from making data connections with an iDevice (iPhone, iPad, or iPod) if your iOS device has been locked for over an hour. This blocks tools used by hackers and law enforcement to crack passcodes and circumvent Apple’s encryption and built-in measures designed to protect the user’s private data. This can be applied to Supervised devices.
When a full jailbreak is created, MobileIron UEM will be able to detect the device health is out of compliance and halt the enrollment process preventing the provisioning of VPN, WiFi, email, identity certificates, managed apps, and content onto the device. MobileIron Threat Defense (MTD) will also be able to detect the Jailbreak state and quickly remediate any UEM-provisioned settings on the device via quarantine or selective wipe compliance actions after the device has enrolled to UEM. Access to enterprise and cloud resources will also be blocked.
If the Cydia or Sileo apps are installed on the device as a third-party app store for rooted apps, the UEM admin can disallow them and prevent them from running on the device. MTD will flag these apps as a sideloaded app threat (not downloaded from the iOS App Store) and classify them as a Suspicious iOS app threat. If Cydia or Silio installs a configuration profile, MTD will detect that a suspicious profile was installed on the device. All these threats can trigger a quarantine or selective wipe compliance action.
We’ll continue to monitor new developments in the checkm8 exploit. If you’d like to learn more about MobileIron UEM, please visit here.