Sihai network

iPhone can be permanently jailbroken: an iOS 'epic jailbreak' surfaces, affecting hundreds of millions of devices

Original title: Apple's epic hardware vulnerability: your iPhone can be jailbroken forever and it cannot be fixed

Jailbreak is a word that sounds unfamiliar to today's iPhone users, because iOS security has risen steadily in recent years and jailbreaking has become harder and harder. Even when vulnerabilities appear, Apple quickly fixes them. But today the silence around iOS jailbreaking was suddenly broken.

A security researcher said on Twitter that a newly released iOS vulnerability could expose hundreds of millions of iOS devices to a permanent, unstoppable jailbreak. Every iPhone from the iPhone 4S to the iPhone 8 and iPhone X is affected, as are other iOS devices such as iPads and iPod touches that use the same A-series processors, and because the vulnerability lies in the hardware it cannot be fixed by software.

The vulnerability is called 'checkm8', pronounced 'checkmate', the chess term for the move that ends the game.

axi0mx said that this is a bootrom vulnerability that gives hackers deep access to iOS devices, and that Apple cannot prevent or fix it through future software updates. This will be one of the biggest developments in iPhone hacking in years.

Epic jailbreak: the first bootrom vulnerability in 10 years, affecting hundreds of millions of devices

axi0mx describes this vulnerability outright as an 'epic jailbreak'. Why? Because a bootrom vulnerability lives in the hardware, it cannot be fixed by software.

The bootrom vulnerability exploits a security flaw in the initial code an iOS device loads at startup. Since that code sits in ROM (read-only memory), Apple cannot overwrite or patch it through software updates, so the vulnerability will exist for the lifetime of the device. It is the first bootrom-level vulnerability for iOS devices since the release of the iPhone 4, 10 years ago.

In a subsequent tweet, axi0mx explained that they released the vulnerability to the public because 'using the bootrom vulnerability on old devices can make iOS better, for everyone. Jailbreakers and developers will be able to jailbreak on the latest version of iOS without staying on old iOS versions and waiting for a jailbreak. They will be safer.'

This will affect millions of iPhones: everything from the iPhone 4S (A5 chip) to the iPhone 8 and iPhone X (A11 chip) is vulnerable, although Apple appears to have patched the flaw in last year's A12 processor. The iPhone XS/XR and 11/11 Pro are not affected.

Apple did not respond to a request for comment.

Someone may ask: what can you do with a bootrom vulnerability if you don't want to jailbreak? The author at Expreview said, 'in fact, jailbreaking is only one aspect. Once you have the bootrom vulnerability, you can upgrade or downgrade your device's system version at will, with no obstruction from Apple. You can flash your own customized iOS system and even hope to flash Android.'

According to what has already been disclosed on GitHub, the capabilities this vulnerability enables include:

Jailbreak and downgrade the iPhone 3GS using a bootrom vulnerability.

DFU mode with the steaks4uce exploit for S5L8720 devices.

DFU mode with the limera1n exploit for S5L8920 / S5L8922 devices.

DFU mode with the SHAtter exploit for S5L8930 devices.

Dump the SecureROM on S5L8920 / S5L8922 / S5L8930 devices.

Dump the NOR on S5L8920 devices.

Flash the NOR on S5L8920 devices.

Encrypt or decrypt hexadecimal data on a connected device in pwned DFU mode using its GID or UID key.

axi0mx points out that this attack cannot be performed remotely; it must be carried out over USB. In addition, it has to be triggered from a computer every time the device boots, which limits the practicality of a jailbreak built on it.

At present there is no working jailbreak based on the checkm8 vulnerability, and you cannot simply download a tool to crack a device, install applications and modify iOS.

axi0mx said: 'What I released today is just a vulnerability, not a complete jailbreak with Cydia support. This is a permanent, unpatchable bootrom vulnerability for hundreds of millions of iOS devices. Researchers and developers can use it to dump the SecureROM, decrypt keybags using the AES engine, and demote the device to enable JTAG. But you still need other hardware and software to use JTAG.'

There are also security concerns. Criminals could use this vulnerability to bypass Apple's iCloud account lock, defeat the activation lock on stolen or lost iOS devices, or install a malware-laden version of iOS to steal user information. Although Apple can patch the bootrom in new devices, hundreds of millions of older iPhones cannot be fixed without replacing the hardware.

The jailbreak era may be over, but jailbreaking is not dead!

Soon after the iPhone came out, the accompanying crack appeared. Because it coincided with the popularity of the American TV series Prison Break, cracking the iPhone came to be called 'prison break', that is, jailbreaking.

Early iPhone jailbreaking was a true case of 'the law rises a foot, the devil rises ten', and Apple was at a loss.

Because of Apple's limited technical capability in the early days, jailbreaking had a wide-open field, and a large number of third-party app markets emerged, of which Cydia was the most popular. With jailbreaking, Apple users could pick their own market and provide for themselves. Not only were they better off than their compatriots who did not jailbreak, they also did not lose out to the Android users of the same period.

Jailbreaking is equivalent to obtaining root permission on Linux: it lets you change system files that ordinary users cannot modify, so that you can personalize the device, remove useless system functions, add missing ones and so on, and 'your iPhone' can really become your iPhone.

But everything has two sides. Jailbreaking brings the pleasure of breaking the rules, full control of the device, and a more powerful, friendlier phone. At the same time it brings potential risks: at the least, the phone runs hot, apps crash and the system freezes; at worst it can brick the device outright, or the user can mistakenly install malware, get infected, or have private information stolen.

As Apple keeps strengthening the iPhone's protections, jailbreak enthusiasts find that each new iPhone takes longer to jailbreak, the methods grow more complex, and the success rate keeps falling. Moreover, many features that could once be had only by jailbreaking have gradually been adopted by Apple and added to native iOS, so the need to jailbreak keeps shrinking.

At the same time, the value of iOS vulnerabilities has increased significantly. Apple's bug bounty program pays for vulnerabilities, with rewards of up to $1 million for a single discovery. Developers who find jailbreak vulnerabilities therefore have less incentive to publish them.

Frankly, the imaginative developers of the jailbreak era nurtured the iPhone and helped it grow.

At the same time, because third-party app stores were maintained mainly by a handful of technical experts, they inevitably had vulnerabilities given their limited capacity; coupled with a lack of marketing and their gray-market status, they could not make ends meet. Finally, at the end of last year, saurik, Cydia's creator, had no choice but to announce that, because of a lack of funds and because previously disclosed vulnerabilities had not been fixed, he was reluctantly closing the Cydia Store.

Everyone thought the closure of Cydia marked the end of the jailbreak era, an era full of overnight-wealth legends, rivals contending for supremacy, and heroes emerging in droves.

Nowadays many young readers may not even have heard of jailbreaking and don't know what it is. Cydia is closed, but jailbreaking will not end here. The latest iOS vulnerability has once again pushed the word jailbreak into public view, and even allows iOS devices to be jailbroken forever!

It's too early to say whether checkm8 will bring a new golden age for cracking the iPhone, but many members of the jailbreak subreddit on Reddit are very optimistic. One user claimed that, given the vulnerability's broad scope, this is 'the biggest event in the history of the jailbreak community'. In any case, considering the nature of this attack and its impact on devices, it bears watching.

Although a finished jailbreak will take some time to arrive, there is no doubt that this is the most influential vulnerability in the history of iOS devices. As the developers said, this is an 'epic jailbreak'.

Reference source: The Verge