Unfixable iOS Vulnerability Affects 7 Generations of Devices

Andrew (he/him) - Sep 27 '19 - - Dev Community

Photo by Maria Teneva on Unsplash


Security researcher axi0mX recently discovered a vulnerability (which they've called "checkm8") in the A5 through A11 chipsets, used by nearly every iOS device released between 2011 and 2017.

"The jailbreak hinges on flaws in Apple's 'bootrom,' memory in the processor that contains the fundamental code that runs first when a device powers on. Axi0mX found the bootrom vulnerability by reverse-engineering and examining a patch Apple released in summer 2018 for the iOS 12 beta."

This is Read-Only Memory (ROM) that's written when the processor is manufactured. It cannot be edited by any software. This means that this vulnerability is permanently unfixable for hundreds of millions of Apple devices. Although there isn't yet a jailbreak (or any malware) that uses this vulnerability, these things are surely in the works.

"This is probably the biggest thing to cross most iOS security researchers’ desks in their entire careers to date."
-- Thomas Reed, Malwarebytes

This is breaking news (committed to GitHub around 10:30am London time, 27 Sep) so the documentation is still being updated from Axi0mX's previous exploit of the 3GS chipset. But that exploit uses an error in the way the heap is implemented (the C function malloc):

"In C programming language, function malloc should return NULL if it is unable to allocate memory of the requested size. Caller should check if returned pointer is NULL and handle the error... In S5L8920 bootrom (and some very old versions of iBoot) function malloc is not implemented correctly. When it is unable to allocate memory, instead of NULL it returns a pointer to memory address 0x8. Callers check if returned pointer is NULL and then treat that pointer as valid."
-- axi0mX

Read the full story here

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .