checkm8 vulnerability Bitcoin wallets (iPhone) is now considered insecure

[hugeblack]

checkm8 is a bootrom vulnerability "The international code that IOS device executes as when they boot up (ROM.)" discovered by @axi0mX, which gives hackers access to iPhone devices in a way that Apple will not be able to block or release future updates (hardware vulnerability.)

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

For more details read ---> https://twitter.com/axi0mX/status/1177542201670168576


So far the hacker needs to physically access the device, but this is a warning that must be considered.

[1714690257]

1714690257

[1714690257]

1714690257

[1714690257]

1714690257

[DaveF]

Not to be the "Debbie Downer" of this. But:
There are too many words in your statement. It can be summed up into "Phone wallets are not that secure"
How many times do we see issues with them?

I'm not saying don't use them. I am just saying that when I hear about people loosing tons of money because they had 3BTC sitting on their phone, I just have a real hard time feeling sorry for them.

Between the mintdice campaign, some things I sold and some BTC that I bought when the price dropped I have close to .2BTC on my main wallet on my phone. Just as soon as the campaign pays off today it all goes into a 2 of 3 paper wallet. I have a 2nd mulitcoin wallet on my phone with the "fun money" if I loose it all it sucks, but in my true overall financial situation it's not a big deal. YMMV as to the amounts, but in the end if you are not using a GOOD hardware wallet and you are on this forum with all it's knowledge then sorry if you loose your BTC, but you were warned and warned and warned.

-Dave

[BitMaxz]

This checkm8 bootrom exploit is only used for jailbreaking once you use the checkm8 exploit to your iPhone it will be jailbreakable forever even there is a newly released firmware(.ipsw). It can be triggered only via USB as what axi0mX said.

I don't think if it can affect Bitcoin wallet it is just like the same exploit as P0sixspwn, Redsnow and Panju the only difference of this new exploit is the device will be jailbreakable forever.

It's just likely the same as a rooted Phone but never heard that someone hacked or stole BTC with jailbroken devices unlike Android rooted phones.

[HCP]

I disagree that iOS devices is insecure due to this vulnerability since the attacker still need to pass through iOS device and bitcoin wallet encryption.

IMO the real concern is attacker with physical access (such as worker who repair your phone) could jail break your iOS device or/and put malware which act as keylogger or could access bitcoin private key when user open his/her bitcoin wallet.

It's not really that big of a deal anyway... the jailbreak is "non-persistent" and is not an "untethered" jailbreak... so simply rebooting your device or switching it off and then on again removes the jailbreak and therefore any "non-signed" software (ie. malware) would cease to function... and it needs to be connected to another device to jailbreak it.

Arstechnica have an interview with the hacker that published the exploit here: https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

DG: Somebody could use Checkm8 to install a keylogger on a fully up-to-date iOS device, but the second that they rebooted the phone, that keylogger would be gone, right?

A: Correct. Or it wouldn't work. They left the keylogger there, but iOS would just say: "This app is not authorized to run on this phone, so I'm not going to run it."

In addition, with the "newer" devices that are able to be exploited (I believe devices >= iPhone 6) that have the "Secure Enclave", you still need the device PIN etc to be able to access any private data:

DG: In a scenario where either police or a thief obtains a vulnerable phone but doesn't have an unlock PIN, are they going to be helped in any way by this exploit? Does this exploit allow them to access parts of this phone or do things with this phone that they couldn't otherwise do?

A: The answer is "It depends." Before Apple introduced the Secure Enclave and Touch ID in 2013, you didn't have advanced security protections. So, for example, the [San Bernardino gun man's] phone that was famously unlocked [by the FBI]—the iPhone 5c— that didn't have Secure Enclave. So in that case, this vulnerability would allow you to very quickly get the PIN and get access to all the data. But for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don't have the PIN.

My exploit does not affect the Secure Enclave at all. It only allows you to get code execution on the device. It doesn't help you boot towards the PIN because that is protected by a separate system. But for older devices, which have been deprecated for a while now, for those devices like the iPhone 5, there is not a separate system, so in that case you could be able to [access data] quickly [without an unlock PIN].

[BitMaxz]

It's not really that big of a deal anyway... the jailbreak is "non-persistent" and is not an "untethered" jailbreak... so simply rebooting your device or switching it off and then on again removes the jailbreak and therefore any "non-signed" software (ie. malware) would cease to function... and it needs to be connected to another device to jailbreak it.

Yeah, your right but I heard other developers that they will use checkm8 as a starting point for creating an untethered jailbreak. Which could be possible in the future.
It is likely the same as other jailbreaking tool starts from releasing a tethered jailbreak before untethered jailbreak.

I also heard someone trying to develop a device with checkm8 where you can just connect it directly to your iPhone to boot the phone as jailbreak. So every time you reboot the phone the exploit will run as tethered jailbreak.

I can't find the source but this is what it looks like below.



For security reason, don't jailbreak your phone if you are planning to use your iDevices for crypto-wallets. 

[o_e_l_e_o]

I also heard someone trying to develop a device with checkm8 where you can just connect it directly to your iPhone to boot the phone as jailbreak. So every time you reboot the phone the exploit will run as tethered jailbreak.

I can't find the source but this is what it looks like below.

There was a thread on reddit here (https://www.reddit.com/r/jailbreak/comments/db8i2f/discussion_looking_for_team_members_in_jbcase/) discussing building first a USB dongle which users could use to jailbreak their device on the go, and if popular, then integrating it in to a phone case, which is a cool idea.

I wonder if it would be possible to combine this exploit with something like USBHarpoon or USBNinja - essentially hide the chip required for jailbreaking inside an otherwise normally functioning USB cable. Although that might be handy for users who want to jailbreak on the go, it would also pose an even bigger risk to using public charging points or shared cables.

[o_e_l_e_o]

But normally people don't turn off or reboot their devices without valid reason such as OS update or the battery out of power, which rarely happened.

True, but people also don't usually leave their device unsupervised in the hands of another person. I'm struggling to think of any time that that regularly happens outside of leaving your phone at a repair shop. And if you are handing your phone over to a stranger for a number of hours, then restarting it after you get it back is the very least of what you should be doing. The one time I put a phone in to have the screen repaired, I backed up all my data to my desktop, pulled the SD card and SIM, wiped the internal storage, factory reset it, and then filled the internal storage with junk data to overwrite everything that was on there. Once I got it back, I factory reset it again.

I appreciate I am a far more security conscious/careful/paranoid person than the general population, but restarting your phone should really be the bare minimum.

[HCP]

You can't fix stupid... but you can fix ignorance. Sadly, a lot of people just want to remain ignorant because it is "too hard" or "takes too much time" to educate themselves.

People like this are the same sort of people that put their passwords on post-its stuck to their monitor, or use their birthday as a PIN, or believe the "Microsoft has detected a virus on your computer" pop-ups. I highly doubt these people are using crypto (too hard etc)... and if they are, they've probably lost it already by putting their 12 word seed into "ClaimMyShitcoinFork.com"  A theoretical iPhone hack is the least of their problems.

[bob123]

But normally people don't turn off or reboot their devices without valid reason such as OS update or the battery out of power, which rarely happened.

Actually, i do reboot my mobile relatively often (like once per week).
For me there is a noticeable boost in performance when doing so since a lot of processes get terminated automatically, which i'd had to kill separately.

And once per month there is an update.

Note that i am not using an old mobile, neither the newest gen. Something in-between. And not an iOS, but android (which doesn't change anything regarding this topic).


But i agree with the majority of opinions here. This attack is more theoretical than practical.
And you shouldn't store more than pocket money on a mobile wallet anyways.

There are way more practical attacks on mobile wallets, than this one.