Thanks to Checkm8 – a bootrom vulnerability that exist on most iPhones/iPads (<A12), a generic method to bypass the iOS sandbox restrictions will be made public within days/weeks for all previous and future versions of iOS! An upcoming release of a generic capability to extract the filesystem of a suspected iOS devices will help to boost digital forensics investigations.
Which devices are vulnerable: almost every iPhone/iPad until iPhone X.
Which devices are not vulnerable? iPhone Xs/Xr and 11/11Pro.
Notably, the release of checkm8 will help to enhance Digital Forensics and Incident Response (DFIR) on iPhone X (and all previous models) and make it easier to perform deep investigations compared to the newer models such as iPhone Xs / Xr / 11. Whilst iPhones running on A12+ chipsets benefit from a Pointer Authentication Code (PAC) security mitigation, which makes exploitation significantly harder, the inspectability of such devices remain to be a major challenge and is crucial for successful DFIR investigations when initial suspicion is raised.
Furthermore, this vulnerability, amongst other capabilities, allows iPhone owners to modify boot arguments which, for example, can enable users to have an even safer iOS version than vanilla iOS.
When ZecOps started the #FreeTheSandbox initiative, we did not foresee a release of a bootrom exploit covering the latest production devices. Thanks to @axi0mX bootrom exploits have become a reality and changed the game. A number of experienced and reputable researchers (such as @qwertyoruiopz, @siguza and many other fine individuals) worked tirelessly to make use of checkm8 in order to set the iOS sandbox free (a.k.a Checkra1n).
Soon it will be released publicly.
Implications to Apple & Google:
Since almost every iOS device is now susceptible to jailbreaking without requiring new exploit chains or bypassing mitigation techniques, it is time for Apple to rethink its sandboxing strategy and allow iOS users to freely inspect their devices including A12 and A13 devices without the need of a Local Privilege Escalation (LPE) exploit.
Device vendors, such as Apple and Google, will soon realize that Checkm8-style unpatchable vulnerabilities are inevitable. Restricting sandbox policy against device owners does not make sense and only benefit attackers that oftentimes leverage the sandbox to avoid detection.
Notable case was Google Project Zero discovery of 14 vulnerabilities leveraged in-the-wild against any iOS visitors of certain websites whilst attackers didn’t even try to hide and executed their payloads from a tmp folder. Following Checkm8, many researchers will take a closer look at bootrom vulnerabilities. Since boot level vulnerabilities are unavoidable, and we would like to encourage Google & Apple to open-up Android/iOS for inspectability with the consent of end-users. This will enable to perform complete DFIR investigations without flashing a new image, slowing down time-critical investigations or tampering with attacks’ evidence.
Should device-vendors decide to consider this, ZecOps will collaborate with each vendor to enumerate key things that would be important to enable mobile DFIR investigations. Furthermore, enabling users to inspect their devices does not increase device issues, on the contrary, organizations that permit CYOD policy would prefer devices that are inspectible, especially in the Defense / Government sectors.
Update to ZecOps Task-For-Pwn-0 Project
Following this release, ZecOps decided that we should focus more on bootrom vulnerabilities for both iOS and Android.
- iOS Bootrom vulnerabilities for A12/A13: We’re willing to offer up to $250,000 bounties for A12 and A13 bootrom vulnerabilities.
- Android support: With this blog post, we are happy to announce that we are opening up our program for Android devices too. As a starting point, we’ll only examine Android boot-level bugs.
- Existing LPEs on iOS 13+: Until we receive bootrom submissions, on iOS we’ll focus exclusively on LPEs for A12/A13 devices.
Other TFP0 Term & Updates
Disclosures / (non)-exclusivity / and other terms will be discussed with researchers at the time of the submission. Price for the bounty will be determined following an agreement on the terms.
Send submissions to [email protected]. The public key is available at the bottom of this post.
It has been almost two months since we launched the program and so far it has been a great success, since it helps our DFIR investigations globally! More updates to this program will be provided soon, as it is continuously evolving.
We would like to thank everyone who supports #FreeTheSandbox initiative and hope that soon we will all be allowed to inspect devices we purchased without the need to break into them.
If you wish to analyze suspected devices – please contact us here [email protected]
The ZecOps TFP0 Team
If you read all the way till here – here’s a bonus:
To receive #FreeTheSandbox stickers delivered to you, fill this form
-----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBF10tjEBEACmA+pD/zl9N2Cm68mpiCK+GC4asJT7RquWhfC0FKeidbkq HgQ3eifceqJvoI4v0/Qy6VU0gcwabjv/WUC9qtzvmnVqM5zK1ye1orNKSvy8 ub2VtBDjs9edCaijrOqQsoDkzRpTE1Tkb9wVO5btcPWcgq2R6fWLXytOfnAS X9cMORRGIvMAI3sZz6CgL+NV/FtikyK0KpSSt+ytMkQw0OmFzO69omg1G9vz 40d5NywDgQbs6YvneqSXewATmAVScznn9yJuf/eRCarc3rpLrHY4P5QrxvKM XWI/NQT5FgvRMk+AHtCUAxnBGHXVbIXVNdB/ZAVi6BDXm7K/SFt302uf8xSA T5bVYgp6Occ1FknNNdbXVTF1UF/gx62knX99ev/I62VgrS+W4Ebirm/dNdBK bMkJPKmDWHsxdBA2VsQ6nA45InUBeF0qawxCej0oKlHM5RYxgSfHNDcKuJiE /5T7QTuGdiXo+BvqWl+Le/lN48vGex4aHijc9N8KhfUC+lQicmSd2v5Jk7zf xUPnbrGbcHPqQghTz60J7vJt/3Ti31r7KfcZP+zHtYoXJbCuMhdRpu0kUJeB +D9JuA8Aex2GT1ve7oGrPlOVyDDzRBG7G2sZIBTVPygWnyZb+b5uj36NB8As 435g9i43Zz++GbX2/SW8TH/Hh5gzCWtfZEY0sQARAQABzSZ0YXNrX2Zvcl9w d24gPHRhc2tfZm9yX3B3bkB6ZWNvcHMuY29tPsLBdQQQAQgAHwUCXXS2MQYL CQcIAwIEFQgKAgMWAgECGQECGwMCHgEACgkQivAJ+AyukvavIQ//ZlWYwVOY EE7s3Q2yuhdYH4SPalYEBFU/aW60ARVqV09tdIRQ/8syUZmaPhLVJYZGoMUq /c6Jzh5e9ewl0YMkFB2CzCogODndl93OHV6wFheG/fDTtph7a9llPfsEd12e WCxlBPh7cc713GTbaXut/iVqiPewEGb7PVnviHyeAmzucMLzfkl+DuENaVyB A2Vwz2AKpvwIywRvBokwEp3UcDpGJp2NUq4bItyNbEtsZJkaDNdCgpt0xcaa N4uRGAv7kju0WTunxVGK0G9tOteSO3YA2t3FA6qdkVOj7tAL2sZgPRM3s4Xw mMriYcg3h6e18OO/r3BfWNaqN3lv3JCzuqCv8k2HLJ4rJXohkIE+NTpRSNxR jkQ3u+2k8Moo3czZphep8cG+X/4yHftm0bupkhEzmv/EcqM7s1LtqTFOudAc uep5PJH4IHs2RH/uD6Dzz3kQnKXaXw9P4fVPn0G0T7HIQusoDYwkKZmImlUw ksJyj81N/SHhdWP0p/GnZua4tcLV55qUSHed+/vW7y3HuBJCa8qLQ3+KbszX albgH0FN/ru966nECitABZm01gt8bn/IGKgXWTXqzcLESwCC45xB/r5CL3SL X+5SMKwCW3q3IFfpW8QZAVJpEENtL8gEpg8f4FJQZdctJ25KGH6worON/D2D VEQHn6Qe4/t3RIDOwU0EXXS2MQEQAMGIGNPCIF2Ao5FQ6iZx+cidsXTXu6KY ZCHWqcFkNJC16cLrnYh+q85hmWajaFohF6//zl2UtBDrGfHVHNBnEQys2bMQ gPUAFCHNpRxf8CXzDjS2VBACoj9RSEulMh9QPhbOLEzbv47s1v7d64Ug/5n2 3e1RFQtD80bVMgWatXZ0cqQ6BnewWxoZlOOv1kdwiV+RTj2wwKsUDIRN77x4 9iYefvbQczdgs1rgj7sd2L6bA1m6nea0FZ8+Syg2RofnW9XnkexWYmTMqQhr JR+Yb7hTNLtPTwFj5KNjjTLJGEVRiAxy7bGiEXqTW8VQ7nyM5Tvv5ivsr1iu f9oYql6nimrpG35LRriski3hwBMsZyCYl5YbpwCzem8JuZDC1+Dmevsp5D/6 hPLE0wAeHpwFcesrlWwhiWDi8x0HB6DrtrQZCuHr1e3iCwzWPbO8nu9mfhjY sioPrNQm5GYpcbp4zoPxwNZ/DSJzRuLsJEfszGb/2ixL8zpyNzqWbUJqbh0G Jv4uR2/HJNh+59sB04pe2qruRhiE5rNzHmTWiI9FWhla0BUFpqzufeNS31GE j3JL04FJU69Nom/jSa7LcnF4Q5pASIt2iZVncmu4A2Er03jWD8MlR/vVJZfG J+yZBLYcjiAcjMbeLN+0hbYwbxzbprXhWNlJJFmbrTuJ6zZYbf1pABEBAAHC wV8EGAEIAAkFAl10tjECGwwACgkQivAJ+Ayukvb0pw//ZMiWOeava3SfF1Tc CV41hlqYXcDluGhMBHVQNHNKA7Y9fOpl7fO0W1GuIU6v7USwKyGg3UbJdh7l vDcaUaAxhVL4NqLJURsVVKvaW6GkcFGCCtTjoFxvrDHRMQM1kJWZgPG7/ON6 MR0848tHMG/6gjvA5geJtOWPBaIBrkMRQBJ2bzhElTuhKIjTHPTxxs0VdmzV SwHD+/SuWMEEXK6EOVRLUlTgPgPDS2MrR+m4ShG9Ec1gXz5EwJe3pre5QzB3 1x8BqQbwL/TwQCitxt+RrAqmliMAD7D5U5AIoi8vR9Xye1+zevrAvlbq+IkU eCfr7H2LAMTYaXP5MBEtaKv3do1qP8Nl59FxjElT1zGOPz+sgejrjbHOEQRh 7Uk+TaTPtQkzoHmT1RUjWYycf5oJb8THOAid/PrgtJZkGTBiCOrSQghRP9CY Z5/0DRODKXef5VwYveNtyCEb4BAS4wW7+xLXwkyoabjrcYB7GUDi2kyJOjZF APujWl1sSAki6hyzorvLhJP56Ps/h21DAaLUoJgUQ+6c4P01grniniw2Ml0W YEyp/GVyBw/aQPoDG4Lc6USSXEHj++Wd+ffxJ+K6aCroHcpPW4drKRVzxBL/ 6XVguPc+UJ1egyP9oa9u0J5lGdBcE9mhRVhCNNujrcRhsvvgLL+Ca079PTCq nuIgwms= =WWrF -----END PGP PUBLIC KEY BLOCK-----