back to article Got a pre-A12 iPhone? Love jailbreaks? Happy Friday! 'Unpatchable tethered Boot ROM exploit' released

A programmer claims to have found a way to execute arbitrary code on recent-ish iPhones and iPads, paving the way for full-blown tethered jailbreaks. And, we're told, it is impossible for Apple to block these shenanigans as it involves a vulnerability baked into the devices' immutable Boot ROM. Specifically, the coder, who …

  1. Anonymous Coward
    Anonymous Coward

    Why should a company be allowed to disallow a customer access to his or her own device?

    Further more, why do people tollerate it?

    1. Anonymous Coward
      Anonymous Coward

      Some people actually see that as a feature and not a bug.

      1. Anonymous Coward
        Anonymous Coward

        I'm not talking about viruses or malware, I'm talking about the *owner* of a device being intentionally denied from accessing his or her own device as they see fit.

        If someone doesn't want their root/system/admin access, then good for them, but if they do, they shouldn't be stopped. It's their bloody device.

        1. DougS Silver badge

          How do you guarantee the legitimate owner full access to replace the OS etc. without also opening the door for bad guys who have physical access to it (i.e. at the border, when you are arrested, etc.) doing the same? Its not really a solvable problem, unless when the device is new out of the box it gives whoever first sets it up a choice of whether to make it 'open' or 'closed', and blows a fuse on the SoC to permanently lock in that choice.

          If you want a phone you have that degree of control over, buy an Android with an unlocked bootloader. Or buy an A11 or older iPhone.

          1. Anonymous Coward
            Anonymous Coward

            You're assuming the bad guys don't have the means already, either by their own skunk works or by twisting Apple's arm (give us what we want or no sales for you here, eh?--remember Blackberry?).

            1. doublelayer Silver badge

              Yes, to some extent we are assuming that. For the record, I usually want full access to things and I wouldn't have suggested Apple lock things down the way they have. But this degree of lockdown could really be considered a feature as a security measure to some buyers.

              Your excuse is logical, but limited. It's possible that various evil people have found their own vulnerabilities in every phone and are perfectly able to do anything they'd like. It's also possible that no evil people have yet found a way in. What's most likely, however, is that some evil people have found a way in and a larger set of other evil people would like one, but don't have one yet. Not perfect by any means, but perfection in security is unobtainable. And protection against many might be considered a better feature to those for whom security is a primary concern than openness of software choice.

          2. Any other name

            How do you guarantee the legitimate owner full access to replace the OS etc. without also opening the door for bad guys who have physical access to it (i.e. at the border, when you are arrested, etc.) doing the same? Its not really a solvable problem ...

            The problem is trivially solvable, and is in principle solved in every single UEFI BIOS implementation on every PC made within the last 10 years. The reason Apple can update the OS and you can't is simple: the boot sequence is designed to check a cryptographic signature of the boot image it loads, and Apple keeps the signing keys to itself. Technically, there is no reason why the initial boot can't also check for multiple, user-configurable signature keys. The access to these boot keys can be protected by a password or preferably by a user-generated public key. All necessary keys can be held in a secure storage - which is already present in most smartphones. Now the user (or the user's technical support) can have the unfettered acess to their property - while those who don't have keys still can't. If the user wants to surender the control permanently, setting the control publickey to a random value would do it - while the backed-in Apple key would still allow its updates to flow.

            Technically, there is nothing stopping Apple from implementing this approach on their devices.

            1. Anonymous Coward
              Anonymous Coward

              "The access to these boot keys can be protected by a password or preferably by a user-generated public key."

              What's to stop Mallory pretending to be Alice and using the same mechanism to inject a malware boot into the system and then locking the firmware behind them?

            2. DougS Silver badge

              What you suggest

              Is only good for installing a completely different OS on the phone. The universe of people who want to install Linux/Android on an iPhone can probably be counted on your fingers and toes. I doubt it is even possible since Apple is not going to release drivers for their proprietary hardware like Face ID or their own GPU design.

              That's not what jailbreaking is about. Jailbreaking is about letting you install apps from a third party app store. If you leave a 'public' key on the phone to allow that, then border control/cops/corporate black bagmen from installing a rogue app on your phone, or more likely replacing your existing app like Whatsapp or Signal or whatever with a bugged version.

    2. DerekCurrie
      Happy

      Answer: Security

      Android devices: Vastly less secure. Why?

      1) Devices are rarely capable of installing Android OS updates. Google's Project Treble is supposed to solve that and... Where is it?

      2) Massive malware is constantly being discovered in the Google Play Store, despite Google's claims to be vetting all apps. Millions of infected devices are reported typically on a weekly basis.

      3) Anyone can jailbreak any Android device. So long US constitutional rights to privacy and freedom from self-incrimination.

      Thus the blessed, but never perfect, Apple iOS Walled Garden. I'll keep mine, for my purposes. You keep your public weed plot for your's.

      And: Knowing rodents are capable of getting loose in Apple's walled-garden does not please me in the least. Thankfully, I've been using massive, ungainly, random passwords for years. IOW: There are still no rats in my garden. *grin*

      1. Anonymous Coward
        Anonymous Coward

        Re: Answer: Security

        Yeah, keep telling yourself that. Strong passwords are not a 100% cast-iron guarantee of security, and some people say you're never more than twelve feet away from a rat.

        1. Tessier-Ashpool

          Re: Answer: Security

          You *can* have a walled garden *and* a strong password.

          I’d rather the rat was behind a stone wall than a picket fence, thanks very much. “Walled Garden” gets a bad press amongst geeks but for the overwhelming majority of users it’s an important way of playing safe in a hostile connected world. A ‘Register’ audience is not a typical audience.

          In my opinion, blocking unauthorised OS updates is a good thing. Let’s just say, theoretically, that you managed to find a way to hijack the phone’s cellular firmware so that you could block nearby users from making calls. Should that be allowed, just because you have a desire to mess about with the OS? Should you be able to tamper with incoming messages and get someone in trouble with the law? Should you be able to remove copy protection and duplicate any old movie that you like? Would you be happy with bad guys walking through your picket fence and installing malware? Should you be allowed to waste Apple’s time by walking into an Apple Store with a fucked up device? The list goes on and on and on.

          Sure, there are annoying limitations. I’d like to take screenshots of movies on my iPad. But I can’t because Apple block that from happening. I take the rough with the smooth.

          If you want to do geeky stuff get some geeky hardware. There’s plenty of it around.

          1. Scroticus Canis
            Happy

            Re: ...like to take screenshots of movies

            You can on macOS if your watching in a browser (cmd+shift+4 - the standard way).

            Noticed that there was engraving on the muzzle of Dead Pool's gun in the opening sequence (second film) but too small and fast to read. Screen-shot and got "SMILE" at the top of the muzzle and "WAIT FOR THE FLASH" on the bottom. Thought the humour was great even if it was mainly for the crew who did it

      2. Ian Joyner Bronze badge

        Walled Garden

        People keep throwing in this now pejorative phrase 'walled garden'. This is nonsense.

        The basis of security is to set boundaries and respect boundaries.

        Actually, it is more than respecting boundaries it is enforcing boundaries. A platform and OS must enforce boundaries.

        Some spread this myth that such controls are against freedom. For some this is childish, others naive, some dishonest – at the very least it is a complete misunderstanding of security.

        (Now, I must go, I have to lecture on the topic of security for 8 hours today.)

        1. Anonymous Coward
          Anonymous Coward

          Re: Walled Garden

          A platform and OS has no right to force its boundaries against the *owner* of a device against their will.

          "Security" is not a valid reason.

          1. Ian Joyner Bronze badge

            Re: Walled Garden

            "A platform and OS has no right to force its boundaries against the *owner* of a device against their will."

            I don't know where to start on your lack of understanding. Computers are about whatever a person can do, the computer can do. So if an end user can install something from anywhere (at great risk) someone else can as well – that is how viruses and worms spread.

            Hackers have no right to your device and it is the OS's duty to protect the device and its owner. That is about enforcing boundaries.

            You really don't understand what security is about.

            Strange how you are protecting yourself by using the 'walled garden' of 'anonymous coward'.

            1. Anonymous Coward
              Anonymous Coward

              Re: Walled Garden

              No, you have no clue.

              Your total misrepresentation of my ability is due to your total miscomprehension of my post.

              If someone explicitly wants access to a device they own, they should not be denied "because..eeer.. hackers"

              What if the glove compartment to your car was welded shut to protect against thieves?

              As someone who has actually been professionally employed in security for over 25 years, if I buy a device, it's damn well up to me what I do with it, and the OS manufacturer has no right trying to restrict my legitimate access.

              Your explaination on what someone can do to a computer is laughably quaint and simplistic, by the way. I don't know where to start on *your* lack of understanding, or maybe you were just trying to be patronising?

              Anon. for completely different reasons than you suggest. Still, your analogy would only hold true if I was forced to be aonymous, "for security", and had no personal choice in the matter.

              1. Anonymous Coward
                Anonymous Coward

                Re: Walled Garden

                "What if the glove compartment to your car was welded shut to protect against thieves?"

                How about this common label: "No User-Serviceable Parts"?

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Walled Garden

                  https://hackaday.com/2015/09/15/the-rise-of-the-fix-it-culture/

                  As for the original topic, see what google have done with chromebooks/chromeboxes. If you want "root" it's up to you. You lose software support, but a one-click brings it back to factory default and software support is back again.

                  Hardly rocket science, but perhaps you or Ian could explain to google why they don't understand security.

              2. Ian Joyner Bronze badge

                Re: Walled Garden

                "Your total misrepresentation of my ability is due to your total miscomprehension of my post."

                My comments on your ability are based on the explicit misunderstandings in your post. All you want to do is throw around lazy phrases like 'walled garden' as if they prove something. But these phrases come from lack of understanding of security.

      3. Anonymous Coward
        Anonymous Coward

        Re: Anyone can jailbreak any Android device

        you have no clue. Which is great to see on this fine Monday morning because I thought I have no clue, and now I found somebody who has less no clue than I do, yay!

    3. Dimmer
      Black Helicopters

      Who is really installing patches / updates

      After apple made a cup warmer (15 min battery life) out of my phone with an iOS update and then not allowing me to go back, I hesitate to install another update once it is out of warranty.

      What about bing? Seem every time windows does an update,bing comes back. And how about Micro$oft locking us into their App Store?

      I am all for updates to fix an issue, as long as it is not to fix their sales. I would like to see a poll of how many people are afraid of doing an update because it will break something as compared to it will be hacked.

      1. doublelayer Silver badge

        Re: Who is really installing patches / updates

        I'm sure you can find lots of people who don't install updates because it could cause problems. And they're not all wrong, as updates do frequently introduce bugs or mess something up. I think, however, that you'll find those people are also overrepresented in the lists of people who got successfully attacked by malware. For many users, malware is considered only in the abstract, as a bad thing they can't do anything about and not of major concern, and that's why many places have data breaches or go down because they've had a ransomware attack. Security patching is important.

    4. Ian Joyner Bronze badge

      It is not about blocking the customer – it is about blocking the malicious forces out there and protecting the customer. Protection is the most important part of OS security.

    5. Anonymous Coward
      Anonymous Coward

      Why should a company be allowed to disallow

      well, why would they be disallowed to disallow?

      I guess the primary reason for disallowing is to protect their bottom line (cost reduction), sold as "SECURITY!!!!". In short, if too many people play around with exploits, apple would actually need to deal with this (= cost). And please don't tell me they could make it clear in terms and conditions, people don't read anything, particularly T&T. Very likely, some idiot(s) try to install something "alternative" off the internets, that turns out to be malware, and then they sue apple for billions "because they did not provide basic security features".

      And certainly, secondary reason is that the walled garden / ecosystem adds that extra profit.

      p.s. while I hate apple as much as anybody, exactly the same goes in the android universe - and fewer and fewer phones are rootable these days.

    6. AdamWill

      why not?

      Well, aside from monopoly abuse...why *not*? Unless deception is involved, on what grounds is it reasonable to stop someone selling a limited device to a customer who knows that's what they're buying? It's a free choice.

      As for who would put up with it - well, me, for a start, and billions of others. Anyone who buys an iPhone or most android phones, and anyone who buys a mainstream games console. I've got a ps4 and a switch and a 3DS and I don't fiddle around trying to hack any of them, because I'm perfectly *happy* with what the locked device offers me. I didn't want a general purpose computer with a joypad, I wanted a games console, and that's what Sony and Nintendo offered me. I'm happy with the devices, they're happy with my money, everyone's happy besides you apparently..

      1. Charles 9 Silver badge

        Re: why not?

        So you're perfectly happy with taking your device when (not if) it breaks to an official retailer which may not be nearby, not open when you need it, and charge an arm and a leg just to look at it? What if this became true of your car, as is increasingly happening?

  2. ilovecookiez

    If this thing works as it claims we're gonna have a bunch of previously iCloud-blocked devices popping up on Facebook Marketplace.

  3. Anonymous Coward
    Anonymous Coward

    iPhones and Androids

    I have an old jailbroken iPhone that I installed SSH, Nmap and Metasploit on that is great fun at partys and coffee shops.

    (J/K, I use it for demonstrations only)

    I can see this exploit payload installed on a modified flash drive or even modified USB charging cable.

    At least iPhones get regular security updates unlike the majority of Android phones that are out there that have all kinds of cruft added by the manufacturer, data provider or anyone else in line before the victim purchases the device.

    On the other hand, I also have an older 2014 Motorola that has security patches from September 5th 2019 from Lineage OS.

    The battery in this liitle beauty lasts for over 4 days without a charge.

    (It's amazing how long a battery can last when the device isn't sending all your data out every 2 seconds)

    "using Apple's A12 system-on-chip" I think I see the problem here.

    Is this similar to Intel's Management Engine?

    1. Anonymous Coward
      Anonymous Coward

      Re: iPhones and Androids

      "using Apple's A12 system-on-chip" I think I see the problem here.

      Is this similar to Intel's Management Engine?

      Not at all.

      Apple manufactures their own ARM CPUs and name them A12, A13 or whatever. They're not that different from Qualcomm Snapdragon, Samsung Exynos or many other mobile CPUs.

      If you're referring to "system-on-a-chip" ('SoC'), it just means that the CPU has more stuff integrated than just the CPU logic, and all the other mobile ARM CPU's are SoC's as well.

      1. DenTheMan

        Re: iPhones and Androids

        They are closer to Intel designs, which make them fast but power sucking.

        Thus the strain on those, arguably purposely designed small batteries

  4. LDS Silver badge
    Joke

    Apple found another way to promote its latest mobes...

    Cook: "Out sales are too low!!!"

    Unknown Apple minion: "Let's disclose all models but the latest ones are not secure!!"

    1. Benson's Cycle

      Re: Apple found another way to promote its latest mobes...

      Unknown but soon to be promotion fast-tracked Apple minion: "Let's disclose all models but the latest ones are not secure!!"

      ftfy

      1. Anonymous Coward
        Anonymous Coward

        Re: Apple found another way to promote its latest mobes...

        .... meanwhile, customers who were advised that iPhones are a secure platform begin looking elsewhere since spending £1000 every 2 years for device security is not an affordable option.

  5. Anonymous Coward
    Anonymous Coward

    Honestly, life is too short.

    I could also take my my dishwasher apart, but I don't. If you want to fiddle, buy an android phone, otherwise go outside and get some fresh air... really, there's much more important things to worry about than demanding to be able to jailbreak a perfectly working phone.

    1. Anonymous Coward
      Anonymous Coward

      Re: Honestly, life is too short.

      Karen, you're on the wrong site. This is The Register, not Better Homes and Gardens.

  6. Andy The Hat Silver badge

    Interesting twist ...

    The entire article is based around the difficulty of physical intrusion using software which currently does very little. The main thrust is the excitement of the *potential* future ability of an individual to jailbreak their own iWhatsit by using additional hardware.

    Then we get the quote:

    "We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU. All other devices, including models that are still sold — like the iPhone 8, are vulnerable to this exploit."

    which infers that there is a fully fledged exploit in the wild that is introducing a security risk into the earlier iDevices and can be taken advantage of in some way, the only way to avoid this terrible nasty being an upgrade to the latest iBucks phone ...

    Now someone is either massively under-estimating the security risk, over-reacting to the security risk or perhaps simply finding an excuse to spin the Apple marketing machine into top gear ... which is somewhat odd for an "info sec biz".

    1. doublelayer Silver badge

      Re: Interesting twist ...

      I'll grant you that the tone is a bit harsh. It's useful to know, however, that the devices can be exploited, and probably more easily than they can be jailbroken, to brute force a decryption. IOS devices have for several years had a reputation, deserved or undeserved, for being hard to break into, and some people may have purchased them specifically with that intent. This exploit makes it straightforward to create a brute force device decryptor. I fully expect some company with ties to law enforcement will have made one pretty soon. It only remains to be seen which law enforcement we're talking about and how much we trust them.

    2. Anonymous Coward
      Anonymous Coward

      Re: Interesting twist ...

      Maybe not that much of an over-reaction. Sure, it's a tethered rather than a remote hack. However, journalists, activists, and politicians are all classes of people who tend to be of interest to state security agencies. At least some of them would be interesting enough to justify making unauthorised amendments to their phone during a "routine, non-targeted" border check.

      If they'd tried to apply the same warning to everyone I'd be saying GTFO though.

      1. Mark 65

        Re: Interesting twist ...

        Any ideas as to whether such a modification would persist past a restore/OS reflash?

        I would have thought any such person likely to be targeted would take a reset device through customs, reflash at the destination, then login to download data and settings from the cloud if they value security.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019