SecureMac, Inc.

Checkm8: The unpatchable iOS jailbreak

October 10, 2019

We’ve talked quite a bit about jailbreaks in the past couple of months, from Apple’s accidental reintroduction of an old iOS jailbreak to one developer’s attempt to create an app marketplace for unapproved iOS software.

But recently, news has surfaced of a new jailbreak for iOS devices that could be bigger than all of these: checkm8. 

Discovered by a security researcher who goes by the handle axi0mX, checkm8 (pronounced “checkmate”) is an unpatchable exploit affecting millions of iOS devices, including most iPhones and iPads sold before late 2018.


In this article, we’ll tell you everything you need to know about checkm8, give you a bit more insight into how your iPhone works, and talk about what this development means for iOS security.

Should I worry?

The short answer? No. Because of the way checkm8 works, it’s extremely unlikely that anyone would be able to use it to cause you harm, outside of certain very specific scenarios.

But to understand why, you need to know a bit more about the jailbreak.

What is checkm8?

Checkm8 is an exploit that makes a jailbreak possible on iOS devices. A jailbreak takes advantage of a vulnerability to give the user “root” (administrative) access to their iPhone or iPad. For various reasons (security among them), Apple does not want ordinary users, or the apps they install, to have this kind of access. This is why jailbreaks are generally a big deal, and why Apple always rushes to put out a patch to fix the vulnerability that made the jailbreak possible.

How is checkm8 different?

Most jailbreaks exploit vulnerabilities in the device’s operating system: iOS.

Checkm8 is different, because it is classed as a Boot ROM exploit. To understand what that means, you have to know a little bit about what happens when you boot up your device—or any computer, really.

Nearly every computer contains a small amount of permanent “read-only memory” (ROM) whose contents are fixed when the chip is manufactured and cannot be changed or overwritten afterwards. When you power on a computer, the operating system does not load immediately. First, a small program stored in that ROM runs; its job is to find, check, and start the software that eventually loads the operating system. This program is called the Boot ROM (Apple’s is known as SecureROM).

In fact, this is a bit of an oversimplification, since the Boot ROM typically loads other low-level programs called bootloaders, which in turn find and load the operating system. But for our purposes, it’s enough to know that when you power on an iPhone, the Boot ROM is the very first thing that does, well, anything. 

The important thing to realize is that this Boot ROM code is built into the processor itself (Apple’s A-series system-on-chip), and it runs before the operating system is even in the picture. When Apple releases a software patch for a typical jailbreak, the patch fixes something in the operating system’s code, or in the bootloader stages that ship as part of an iOS update. But because checkm8 exploits a vulnerability in the Boot ROM, which is not part of any updatable software, Apple cannot fix it with a software update. The only fix is new silicon, which is why chips designed after the bug was introduced are not affected. For devices already in people’s hands, the sole option would be a massive recall to physically replace the vulnerable chips (read: not going to happen).

Who is affected? And how?

Checkm8 affects any device built on Apple’s A5 through A11 chips, which means pretty much all iPhones from the iPhone 4S up to the iPhone X, Apple Watch models up to the Series 3, and the iPads of the same generations. Devices with the A12 or later (the iPhone XS, XR, and 11 families) are not affected.

However, before you rush out to buy an iPhone 11, there are a couple of things to bear in mind.

First of all, this exploit does not allow for remote code execution. It is delivered over USB with the device placed in DFU (Device Firmware Update) mode, so for a threat actor to jailbreak your iPhone with checkm8, he or she would literally have to be in physical possession of the device and have it connected to a computer.

Secondly, checkm8 is what’s known as a “tethered jailbreak”, meaning that it does not persist after a device is powered off. The exploit alters what runs in memory during a single boot; it does not change the Boot ROM itself or the signed software stored on the device. If a device had been jailbroken with checkm8, simply turning it off and then on again would run the normal, verified boot chain and restore said device to its original state. It is also worth knowing that checkm8 does not bypass the Secure Enclave or your passcode, so the data stored on a locked device stays encrypted even if someone runs the exploit against it.
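To make the two points above concrete (why a Boot ROM bug cannot be fixed by an iOS update, and why a tethered jailbreak disappears on reboot), here is a toy model of a three-stage boot chain. It is an added illustration written for this article, not Apple’s code and not checkm8 itself. It assumes a constructed vendor key and uses HMAC-SHA256 as a stand-in for the asymmetric signature a real Boot ROM checks; the `rom_exploit_payload` argument is a hypothetical switch that stands in for “a bug in the ROM stage let unsigned code run” and does not model how checkm8 achieves that.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor signing key for this model only. A real Boot ROM embeds a
# public key and checks an asymmetric signature; HMAC-SHA256 stands in for that
# so the example runs with the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"


@dataclass(frozen=True)
class Image:
    stage: str    # "bootloader" or "kernel"
    code: bytes   # stand-in for the stage's machine code
    sig: bytes    # vendor signature over code


def vendor_sign(stage: str, code: bytes) -> Image:
    """Vendor side: produce a signed image. Only the key holder can do this."""
    return Image(stage, code, hmac.new(VENDOR_KEY, code, hashlib.sha256).digest())


def verify(key: bytes, img: Image) -> bool:
    """Device side: does the signature match the code actually present?"""
    expected = hmac.new(key, img.code, hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.sig)


@dataclass(frozen=True)
class BootROM:
    """Mask ROM inside the SoC. frozen=True models 'fixed at manufacture':
    assigning to verify_key raises FrozenInstanceError (an AttributeError)."""
    verify_key: bytes


@dataclass
class Device:
    rom: BootROM                 # never touched by a software update
    flash: Dict[str, Image]      # rewritable storage: bootloader and kernel images
    ram: Dict[str, object] = field(default_factory=dict)  # emptied by a power cycle


def new_device() -> Device:
    flash = {"bootloader": vendor_sign("bootloader", b"bootloader-v1"),
             "kernel": vendor_sign("kernel", b"kernel-v1")}
    return Device(BootROM(verify_key=VENDOR_KEY), flash)


def software_update(dev: Device, stage: str, new_code: bytes) -> None:
    """What an ordinary iOS patch does: write a freshly signed image to flash.
    The ROM is not storage, so there is nothing here that can update it."""
    if stage not in dev.flash:
        raise ValueError(f"{stage!r} is not updatable storage; only new hardware changes it")
    dev.flash[stage] = vendor_sign(stage, new_code)


def boot(dev: Device, rom_exploit_payload: Optional[bytes] = None) -> List[str]:
    """Power cycle the device and run ROM -> bootloader -> kernel; return the trace.

    rom_exploit_payload is a hypothetical switch: it models an attacker holding
    the device who, through a bug in the ROM stage, gets unsigned code run in
    place of the bootloader for this boot only. How checkm8 does that is not
    modelled here.
    """
    dev.ram.clear()                                  # RAM does not survive power-off
    trace = ["rom: start"]
    if rom_exploit_payload is not None:
        dev.ram["jailbroken"] = True                 # lives in RAM, so it is gone next boot
        trace.append("rom: exploited, unsigned payload accepted")
        trace.append("payload: " + rom_exploit_payload.decode())
        return trace
    bl = dev.flash["bootloader"]
    if not verify(dev.rom.verify_key, bl):
        return trace + ["rom: halt, bootloader signature invalid"]
    trace.append("bootloader: " + bl.code.decode())
    # The bootloader carries a copy of the same public key and checks the kernel.
    # Because the bootloader itself came from flash, a software update can fix
    # a bug in this step; a bug in the ROM step above cannot be fixed that way.
    kern = dev.flash["kernel"]
    if not verify(dev.rom.verify_key, kern):
        return trace + ["bootloader: halt, kernel signature invalid"]
    trace.append("kernel: " + kern.code.decode())
    return trace


if __name__ == "__main__":
    dev = new_device()
    print(boot(dev))                                  # clean chain ends at kernel-v1
    software_update(dev, "kernel", b"kernel-v2")      # an OS-level bug gets patched
    print(boot(dev))
    dev.flash["kernel"] = Image("kernel", b"kernel-evil", dev.flash["kernel"].sig)
    print(boot(dev))                                  # tampering without the key is caught
    dev2 = new_device()
    print(boot(dev2, rom_exploit_payload=b"tethered jailbreak"))
    print(boot(dev2))                                 # power off/on: exploit state is gone
```

Run as a script, the traces show the chain stopping at the first stage whose signature fails, a bootloader or kernel fix shipping as a newly signed flash image, and the exploited boot leaving nothing behind once the device is power cycled. Trying `software_update(dev, "rom", ...)` raises, which is the model’s way of saying the same thing the article does: the only fix for the ROM is different hardware.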

So if you’re at all worried about this, the only things you need to do are power your device off, turn it back on, and remember your best practices for physical device security in the future: keep a strong passcode set, and don’t leave your phone unattended or plug it into computers you don’t trust.

Does it matter?

Checkm8 probably doesn’t mean much to the average iOS user in terms of security. But to folks in the jailbreak or security research community, it is indeed a significant discovery. 

For one thing, it gives far larger numbers of security researchers the ability to see what’s going on behind the scenes of iOS, on ordinary retail hardware rather than special-purpose devices.

In addition to this, you may recall that Apple had recently decided to release iOS developer devices to a limited number of researchers. But as some observers have noted, checkm8 makes this program seem a bit superfluous, as now anyone can make their own dev device at home.

In the end, checkm8 doesn’t pose much of a threat to iPhone users. But it does afford us an opportunity to learn a bit more about how our devices actually work. And beyond that, it continues the recent trend toward the democratization of security research (albeit a little faster than Apple had planned). 
