iOS killer: the checkra1n jailbreak in questions and answers

Italian security researcher Luca Todesco, known for hunting iOS vulnerabilities over the past few years, has released checkra1n, a new jailbreak utility that exploits vulnerabilities in the bootloader of devices with A5-A11 processors. The danger is that it uses a “security hole” that Apple cannot fix with a software update.

Sergey Nikitin, Deputy Head of the Computer Forensics Laboratory at Group-IB, explains the danger of checkra1n and how attackers can use it. Bonus: an iPhone 7 jailbreak video.

The checkra1n jailbreak has been released. What does that mean?

It means that users of all iOS devices with older processors should now feel significantly less secure. Concretely, all Apple mobile devices up to and including the iPhone X (the iPhone 10) are vulnerable.

Which version of iOS is vulnerable?

The vulnerability is in hardware and does not depend on the iOS version. The vulnerable code sits in the part of the device that is written once during manufacture, so the vulnerability cannot be closed by a software fix.

What is the danger?

With the passcode and physical access to the device, you can extract all of its data by copying the entire file system. Without a jailbreak, usually only a small part of the data can be copied, via an iTunes backup.


Something else?

Yes. Since the device can now be made to run arbitrary code as if it were trusted, it can be booted into a “special” infected version of iOS, and until the next reboot the user will be running a compromised iOS that can do anything with their data.

So the jailbreak only works until a reboot?

Correct. Because the vulnerability is in the bootloader, untrusted code can no longer execute after a reboot; the exploitation procedure must be repeated at every boot.

What does this give the average user?

You can install an unofficial app store, modify the operating system, install pirated apps, and so on. Of course, the main security guarantee of iOS is lost: the system's protections are disabled, and untrusted code, including malware, can run on it.

What does this give the security researcher?

This is a unique opportunity to study any version of iOS, find vulnerabilities, and report them through bug bounty programs. Previously, researchers were limited to the particular iOS versions for which a vulnerability giving full access was already known. Now, because the vulnerability is in hardware, any iOS version can be installed and studied, including the current 13.2.2. Before, this was possible only on special “prototype” devices that an ordinary security researcher could not obtain.

How can scammers take advantage of this?

iOS has an excellent built-in anti-theft system: even after a reset to factory state, a device could not be activated without the Apple ID and password, so a stolen device was good only for spare parts (and not even all of them). Now this activation can be “bypassed” programmatically and such a device offered for sale. With such a bypass, however, it is not possible to link your own Apple ID, use Apple services, or use mobile connectivity; the iPhone turns into a kind of iPod. Expect a large number of scammers to appear on message boards soon, trying to sell such “pseudo-activated” phones. Be careful!

What to do?

Unfortunately, since the vulnerability is in hardware, the only remedy is to replace the device with a newer one. Devices from 2018 and later, such as the iPhone XR and XS, are not affected.

What to expect?

Most likely, brute-forcing passcodes will become possible on the iPhone 4S and 5, and a limited ability to search passcodes (a limited number of attempts) has already appeared for the iPhone 5S. Therefore, for all vulnerable devices, we recommend setting an 8-character alphanumeric passcode.
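To show why the recommendation above matters, here is an added example (not part of the original article) that compares the size of the passcode space for a 4-digit, a 6-digit and an 8-character alphanumeric passcode, estimates the worst-case time to exhaust each at an assumed guess rate, and checks whether a given passcode meets the recommendation. The guess rate `ASSUMED_GUESSES_PER_SECOND` is a hypothetical figure chosen for illustration; the article gives no number, and the interpretation of "alphanumeric" as "at least one letter and at least one digit" is our own.

```python
"""Passcode keyspace and policy check.

Added illustration for the article's advice on passcodes; not Group-IB's or
checkra1n's code. All rates and policies below are assumptions.
"""
import string

# Hypothetical guess rate used only to make the comparison concrete.
ASSUMED_GUESSES_PER_SECOND = 100.0

# Alphabet sizes for the passcode styles the article contrasts.
DIGITS = len(string.digits)                               # 10
ALPHANUMERIC = len(string.ascii_letters + string.digits)  # 62


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every passcode at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, ...)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def meets_recommendation(passcode: str, min_length: int = 8) -> bool:
    """Check the article's advice: at least `min_length` characters,
    alphanumeric, which we interpret as containing both a letter and a digit
    (assumption; the article does not define the term further)."""
    if len(passcode) < min_length:
        return False
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    return has_letter and has_digit


def comparison_table() -> list:
    """Rows of (label, keyspace, seconds_to_exhaust) for the three policies."""
    policies = [("4-digit PIN", DIGITS, 4),
                ("6-digit PIN", DIGITS, 6),
                ("8-char alphanumeric", ALPHANUMERIC, 8)]
    return [(label, keyspace(size, n), seconds_to_exhaust(size, n))
            for label, size, n in policies]


if __name__ == "__main__":
    for label, space, secs in comparison_table():
        print(f"{label:22s} {space:>20,d} combinations  "
              f"worst case {human_duration(secs)}")
    # Constructed sample passcodes to exercise the policy check.
    for sample in ("1234", "abcdefgh", "abc12345"):
        print(f"{sample!r:12s} meets recommendation: {meets_recommendation(sample)}")
```

Running the script prints the three rows; the 8-character alphanumeric space is about 2 x 10^14 combinations, which is roughly eight orders of magnitude larger than a 6-digit PIN, so even a much faster guess rate than the assumed one leaves it out of reach. Device-side rate limiting, which the article says is partly retained on the iPhone 5S, would only make the numbers larger.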
