checkm8, being a BootROM exploit, gives hackers access to areas that were previously unreachable, which makes it one of the most dangerous and powerful exploits ever released publicly in the history of iOS jailbreaking.
No matter what device you own, precaution is always better than cure. Here are three mitigation activities to keep in mind.
What can an attacker do with checkm8 BootROM exploit?
Devices such as the iPhone 4S, 5 and 5c and older iPads are highly vulnerable: an attacker who gets hold of one may be able to reach your data regardless of how strong your password is.
- If your password is weak (a 4 to 8 digit PIN), anyone with physical access can easily access its contents.
- If, however, you have a strong password (a 4 to 8 character alphanumeric code), the attacker will have to spend months or even years trying to break it.
It’s not yet known if this exploit could brute-force passcodes on these devices without spending months or years.
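To make the weak-versus-strong comparison above concrete, here is an added Python example (not code from the original article) that counts the candidate passcodes each policy allows and the worst-case time to try all of them at an assumed guess rate. The rate is a constructed assumption purely for illustration; as the article notes, it is not known whether checkm8 enables passcode brute-forcing at all.

```python
from dataclasses import dataclass

# Alphabet sizes: digits only, versus upper- and lower-case letters plus digits.
DIGITS = 10
ALPHANUMERIC = 26 + 26 + 10


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int
    min_len: int
    max_len: int


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passcodes of every length from min_len to max_len inclusive."""
    if min_len < 1 or max_len < min_len or alphabet_size < 2:
        raise ValueError("invalid passcode policy")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(policy: PasscodePolicy, guesses_per_second: float) -> float:
    """Seconds needed to exhaust the whole keyspace at the given (assumed) rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    total = keyspace(policy.alphabet_size, policy.min_len, policy.max_len)
    return total / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration using the largest unit that fits (years, days, hours, minutes, seconds)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for label, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {label}"
    return f"{seconds:,.1f} seconds"


# The two policies the article contrasts.
WEAK = PasscodePolicy("4 to 8 digits", DIGITS, 4, 8)
STRONG = PasscodePolicy("4 to 8 alphanumeric characters", ALPHANUMERIC, 4, 8)

# Constructed assumption: one guess every 80 ms, i.e. 12.5 guesses per second.
# Real rates depend on the device and are unknown for checkm8; change this to explore.
ASSUMED_RATE = 12.5

if __name__ == "__main__":
    for policy in (WEAK, STRONG):
        candidates = keyspace(policy.alphabet_size, policy.min_len, policy.max_len)
        secs = worst_case_seconds(policy, ASSUMED_RATE)
        print(f"{policy.name}: {candidates:,} candidates, worst case {human_duration(secs)}")
```

At the assumed rate, the digit-only policy is exhausted in roughly a hundred days, while the alphanumeric policy takes on the order of hundreds of thousands of years; the gap comes from the alphabet size being raised to the passcode length, which is why the article treats the alphanumeric code as "strong".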
On the other hand, iPhone 5S and later models are secure as long as you have a strong password. These devices come with SEP (Secure Enclave Processor) – a chip that stores sensitive personal information on-device in an encrypted format.
As the SEP isn’t vulnerable to checkm8, an attacker can only gain access to your device if they know or correctly guess your passcode.
Steal sensitive personal information
An attacker can use checkm8-based malware to install a patched copy of iOS that is indistinguishable from the original.
The malicious firmware could then be used to replace your login screen, log your keystrokes and send them remotely to the attacker’s server.
Such attacks are difficult to detect and can even pass automated checks. Because of the very nature of the exploit, however, the affected device will revert to the stock operating system upon a reboot.
Bypass iCloud Lock
iCloud Lock (Activation Lock) protects your device against unauthorized activity and ensures only the owner can gain access to its various features.
Thanks to this security measure, an iCloud-locked device is nothing but an expensive paperweight to anyone other than its owner. However, the recent release of checkm8 changes this.
According to security researcher GeoSn0w, the checkm8 exploit might lead to an iCloud bypass in the future.
Since we can patch iBEC/iBSS bootloaders and remove Setup.app, creating a CFW (Custom Firmware) – a patched version of iOS – is now possible.
We will cover checkm8-based iCloud bypass techniques in future articles.
Protection and Mitigation Techniques
Beware of rogue charging stations
checkm8 requires the attacker to connect your iPhone or iPad to a computer with a Lightning cable.
This means anyone with a malicious cable could inject malware into your device or put it in pwned DFU mode without your knowledge.
So, make sure you use authentic accessories before you charge or connect your device.
In layman’s terms, your Apple device should remain safe so long as you don’t plug it into random charging spots.
Check your lightning port
Although checkm8 requires a computer to boot, a sophisticated device such as a Lightning USB key that loads the exploit on every boot can effectively untether it.
Alternatively, the attacker could also fit a malicious battery case (such as the one shown below) to trigger the exploit without a computer.
If you are a jailbreaker, however, installing such a device will keep your device in the jailbroken state for longer periods of time.
Noticing these malicious devices is rather easy, and simply disconnecting them from your device will get the job done.
Reboot your device
Since checkm8 is a tethered exploit, rebooting just once will render the malware useless.
Apple’s security measures will kick in and neuter any attack vector based on this SecureROM exploit.
Therefore, you must restart your device if you notice any malicious activity on a vulnerable device.
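Because checkm8 is tethered, a device that has been exploited sits in the "pwned DFU" state the article mentions until it is rebooted, and that state is visible from a trusted computer in the USB descriptors the device reports. The following added Python example (not code from the original article or from any jailbreak tool) classifies attached Apple devices as booted normally, in Recovery mode, in plain DFU mode, or in pwned DFU mode. The vendor and product ids are Apple's published USB identifiers and the `PWND:[checkm8]` tag is the marker that public checkm8 tooling appends to the USB serial string; both are stated here as assumptions to verify on your own host, and the sample device records are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Apple's USB vendor id and the product ids reported in DFU and Recovery mode
# (assumed from public USB id listings; verify against your host's device list).
APPLE_VID = 0x05AC
DFU_PID = 0x1227
RECOVERY_PID = 0x1281
# Marker that public checkm8 tooling appends to the USB serial string once the
# BootROM has been exploited (assumption based on published tooling behaviour).
PWNED_MARKER = "PWND:[checkm8]"


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str


def classify(dev: UsbDevice) -> str:
    """Map a USB device record to one of: not-apple, normal, recovery, dfu, pwned-dfu."""
    if dev.vid != APPLE_VID:
        return "not-apple"
    if dev.pid == DFU_PID:
        return "pwned-dfu" if PWNED_MARKER in dev.serial else "dfu"
    if dev.pid == RECOVERY_PID:
        return "recovery"
    return "normal"


def alerts(devices: Iterable[UsbDevice]) -> List[str]:
    """One line per attached Apple device that is not booted normally.

    A pwned-dfu entry means the device is currently exploited; per the article,
    a reboot returns it to the stock state.
    """
    lines = []
    for dev in devices:
        state = classify(dev)
        if state in ("not-apple", "normal"):
            continue
        lines.append(f"{state}: vid={dev.vid:04x} pid={dev.pid:04x} serial={dev.serial!r}")
    return lines


def scan_host() -> List[UsbDevice]:
    """Enumerate real USB devices with pyusb if it is installed; otherwise return []."""
    try:
        import usb.core  # type: ignore
        import usb.util  # type: ignore
    except ImportError:
        return []
    found = []
    for dev in usb.core.find(find_all=True):
        try:
            serial = usb.util.get_string(dev, dev.iSerialNumber) or ""
        except Exception:
            serial = ""  # unreadable descriptor (permissions, detached device)
        found.append(UsbDevice(dev.idVendor, dev.idProduct, serial))
    return found


# Constructed sample records (serial strings are placeholders, not real devices).
SAMPLE_DEVICES = [
    UsbDevice(APPLE_VID, 0x12A8, "PLACEHOLDER-NORMAL-BOOT"),
    UsbDevice(APPLE_VID, DFU_PID, "CPID:XXXX ECID:0000000000000000 SRTG:[iBoot-x.y.z]"),
    UsbDevice(APPLE_VID, DFU_PID, "CPID:XXXX ECID:0000000000000000 SRTG:[iBoot-x.y.z] " + PWNED_MARKER),
    UsbDevice(0x1D6B, 0x0002, "root-hub"),
]

if __name__ == "__main__":
    devices = scan_host() or SAMPLE_DEVICES
    for line in alerts(devices) or ["no Apple device in DFU or Recovery mode"]:
        print(line)
```

Run on a trusted computer, the script prints nothing alarming for a normally booted phone; a `pwned-dfu` line is the cue to disconnect and restart the device as the section above advises.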
- Ensure your iPhone or iPad stays on your person at all times.
- Stick to trusted devices and accessories if you own a vulnerable iPhone, iPad, iPod Touch or Apple TV.
- If you own an iPhone 4s/5/5c, an attacker with physical access to your device can access your data.
- If you have an iPhone 5s or a later model, the attacker can still inject malware into your device without possessing your passcode. However, restarting your device once will return it to the stock state.