A security researcher has released today a new jailbreak that impacts all iOS devices running on A5 to A11 chipsets -- chips included in all Apple products released between 2011 and 2017, spanning eight generations of devices, from iPhone 4S to iPhone 8 and X.

The jailbreak uses a new exploit named Checkm8 that exploits vulnerabilities in Apple's Bootrom (secure boot ROM) to grant phone owners full control over their device.

Axi0mX, the security researcher who published Checkm8 today, told ZDNet he'd worked on the jailbreak all year.

On Twitter, he described Checkm8 as "a permanent unpatchable bootrom exploit," making the Checkm8 jailbreak one of the most extensive and efficient rooting tools of its kind.

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.



Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG — axi0mX (@axi0mX) September 27, 2019

The researcher's jailbreak sits in a class of its own. Most jailbreaks use vulnerabilities in the iOS operating system and its components to give users control over their devices.

Bootrom jailbreaks are very rare. They are the most highly sought after jailbreaks because they are permanent and can't be patched. Fixing any Bootrom vulnerability requires a silicon revision, meaning physical modifications to device chipsets, something that no company can fix without callbacks or mass replacements. In effect, this is a permanent jailbreak that will work in perpetuity.

The last iOS Bootrom-based jailbreak was released way back in 2009, more than ten years ago, making the Checkm8 exploit even a more remarkable achievement since many thought the hardware avenue for rooting devices had long been closed. Ever since then, all iOS jailbreaks were software-based only, exploiting flaws in the operating system or its various components. Apple usually patched iOS within a few weeks, limiting the impact of all jailbreaks only to a short list of iOS versions, making rooting devices an ever more complicated task.

Code available on GitHub



Axi0mX's jailbreak is available on GitHub. The code is marked as a "beta" release. Most jailbreaking exploits are usually packaged in easy to use tools. For the moment, Checkm8 is in a very raw form and it isn't recommended for users without proper technical skills as it could easily result in bricked devices.

The jailbreak does not work on Apple's latest two A12 and A13 chipsets, and as Axi0mX told ZDNet, there are also kinks to be ironed out on older devices.

"I don't have it working on some older devices yet, like iPhone 4S, but I believe it is possible with a bit more effort," Axi0mX told ZDNet earlier today.

There are also downsides to Checkm8's publication. Besides allowing users to jailbreak devices, the exploit can also be used by threat actors to root devices. The good news is that the jailbreak needs physical access to the device, so, at least, it can't be used remotely. The jailbreak is also not permanent, meaning it will work until the next reboot. Nevertheless, since it's an unpatchable issue, it's a security risk that iOS users should be aware, and an incentive to upgrade to newer handsets with unaffected chips.