Sunday, October 20, 2019

Checkm8 - Now Is A Good Time To Start Worrying

Have you heard about the new exploit of many iPhone models' boot ROM?

It works on iPhones from the 4S to the X.

There are articles here, here, and here.

Ars Technica summarized it as:
  • Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits
  • The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
  • Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.
  • All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.
  • Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.
Physical access, only tethered jailbreaks, lacks persistence, doesn't bypass Secure Enclave and Touch ID, etc.

Doesn't seem to be a big deal to most people.

But the last bullet is the really important one. Even this minimizes the BIG point.
Checkm8 is going to benefit ... hackers by providing a way ... to access the lowest levels of iDevices.
What this means is that from now until Apple stops supporting the iPhone X, every iOS security release can be reverse engineered on a checkm8-vulnerable device as soon as it ships and diffed against the previous version to discover which vulnerabilities were fixed. Malicious hackers can then rapidly build 1-day exploits for devices that have not yet been updated, exploits that, unlike checkm8 itself, don't require physical access or a tethered jailbreak, are persistent, and bypass the Secure Enclave and Touch ID. They will also be able to study Apple's security code for further vulnerabilities and exploit those as zero days.
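The patch-diffing step that the post says attackers will apply to every iOS update, shown as an added example (not code from this post, from Apple, or from the checkm8 project): two builds of an image are compared function by function using a symbol table, and the edit inside a changed function is reported. The images, the symbol names (usb_setup, usb_copy, img_verify, usb_reset_state) and their byte contents are constructed for this example and are not real SecureROM or iOS code; in real work the symbol table would come from a disassembler.

```python
"""Function-level patch diffing, the first step of the 1-day workflow the post
describes: compare two builds of a firmware image using a symbol table and
report which functions were added, removed or changed, then show the edit
inside a changed function. Everything below (images, symbol names, bytes) is
constructed for this example; it is not real iOS or SecureROM data."""
from __future__ import annotations

import difflib
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Symbol:
    """One function in an image: where it starts and how many bytes it spans."""
    name: str
    offset: int
    size: int


def build_image(functions: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Symbol]]:
    """Lay out function bodies back to back and record a symbol table.
    Stands in for the image plus symbols a disassembler would give you."""
    image = bytearray()
    symbols: List[Symbol] = []
    for name, body in functions:
        symbols.append(Symbol(name, len(image), len(body)))
        image += body
    return bytes(image), symbols


def function_body(image: bytes, sym: Symbol) -> bytes:
    body = image[sym.offset:sym.offset + sym.size]
    if len(body) != sym.size:
        raise ValueError(f"{sym.name} extends past the end of the image")
    return body


def function_hashes(image: bytes, symbols: List[Symbol]) -> Dict[str, str]:
    """SHA-256 of each function body, keyed by name, so builds can be compared
    even though offsets shift when code is inserted earlier in the image."""
    return {s.name: hashlib.sha256(function_body(image, s)).hexdigest()
            for s in symbols}


def diff_builds(old: bytes, old_syms: List[Symbol],
                new: bytes, new_syms: List[Symbol]) -> Dict[str, List[str]]:
    """Classify every function as added, removed, changed or unchanged."""
    old_h, new_h = function_hashes(old, old_syms), function_hashes(new, new_syms)
    common = old_h.keys() & new_h.keys()
    return {
        "added": sorted(new_h.keys() - old_h.keys()),
        "removed": sorted(old_h.keys() - new_h.keys()),
        "changed": sorted(n for n in common if old_h[n] != new_h[n]),
        "unchanged": sorted(n for n in common if old_h[n] == new_h[n]),
    }


def function_edits(old_body: bytes, new_body: bytes) -> List[Tuple[str, int, int, int, int]]:
    """Edit operations (tag, old_start, old_end, new_start, new_end) that turn
    the old body into the new one, with equal runs dropped. A short 'insert'
    in the middle of a function is the typical shape of a patch that adds a
    missing check; that is where 1-day research starts."""
    matcher = difflib.SequenceMatcher(None, old_body, new_body, autojunk=False)
    return [op for op in matcher.get_opcodes() if op[0] != "equal"]


# Constructed builds. The bytes are placeholders, not real machine code.
OLD_IMAGE, OLD_SYMS = build_image([
    ("usb_setup",  b"\x10\x20\x30\x40"),
    ("usb_copy",   b"\xaa\xbb\xcc\xdd\xee"),          # hypothetical: no length check
    ("img_verify", b"\x01\x02\x03"),
])
NEW_IMAGE, NEW_SYMS = build_image([
    ("usb_setup",  b"\x10\x20\x30\x40"),
    ("usb_copy",   b"\xaa\xbb\x99\x98\xcc\xdd\xee"),  # two bytes inserted: the fix
    ("img_verify", b"\x01\x02\x03"),
    ("usb_reset_state", b"\x77\x66"),                 # new helper in the new build
])


def report() -> Dict[str, object]:
    """Run the diff on the constructed builds and return the result."""
    summary = diff_builds(OLD_IMAGE, OLD_SYMS, NEW_IMAGE, NEW_SYMS)
    old_by_name = {s.name: s for s in OLD_SYMS}
    new_by_name = {s.name: s for s in NEW_SYMS}
    edits = {
        name: function_edits(function_body(OLD_IMAGE, old_by_name[name]),
                             function_body(NEW_IMAGE, new_by_name[name]))
        for name in summary["changed"]
    }
    return {"summary": summary, "edits": edits}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Hashing per function rather than comparing the images byte for byte is what makes this usable across builds: inserting two bytes into usb_copy shifts every later function, yet img_verify still hashes identical and only usb_copy is flagged, with the edit localised to an insert at offset 2.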

Steve Gibson explained this in depth on Security Now #736 (YouTube, PDF):
That means that the instant an update is released, it can now be fully reverse engineered, analyzed, and compared against the previous version, which will allow both security researchers, but also bad guys, to figure out what Apple has changed, what it is exactly that Apple fixed. And if they're able to get an exploit out into the wild before a targeted device has been updated, they could take advantage of that. 
Apple can no longer lock down their platform. It is going to be open for anyone to reverse engineer any changes Apple makes to devices which are necessarily still being supported and are receiving updates.
Now is a good time to start worrying.
