Axi0mX Teases iPhone X Running iOS 13.1.1 Jailbroken With Checkm8 Exploit
Over the weekend, news spread of an unpatchable "checkm8" exploit that could allow millions of iPhone users to quickly and easily jailbreak their handsets. Lest there was any doubt it works, the hacker who developed the exploit posted a video on Twitter showing checkm8 in action on an iPhone X running iOS 13.1.1.
The bad news for Apple is that the nature of this exploit makes patching it away impossible. That's because checkm8 works its magic in the iOS bootrom, which itself resides in read-only memory inside a chip in affected iPhone models. Any jailbreaks that leverage the iOS bootrom can't be mitigated with a software patch.
"HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks @qwertyoruiopz pic.twitter.com/4fyOx3G7E0"
— axi0mX (@axi0mX), Twitter, September 29, 2019
Checkm8 works on every iPhone model from the iPhone X down to the iPhone 4S, though not the newer iPhone 11 series. There are hundreds of millions of affected devices still in use, and iOS updates can't stop checkm8 from working.
That said, this is technically not a full jailbreak, but an exploit. It requires being tethered to a Mac. Axi0mX notes in a follow-up tweet that "when it is not plugged in or in DFU it will boot to stock iOS 13.1.1." That is an inconvenience, though it also makes the prospect of a remote hack "impossible."
As further explained in an interesting interview with ArsTechnica, checkm8 only works in memory, so nothing persists after rebooting an affected iPhone model.
"Once you reboot the phone... then your phone is back to an unexploited state. That doesn't mean that you can't do other things because you have full control of the device that would modify things. But the exploit itself does not actually perform any changes. It's all until you reboot the device," axi0mX explains.
In short, this is a pretty big deal considering the number of devices affected and Apple's inability to block it. At the same time, there are some restrictions that limit its usefulness for the casual iPhone owner.