Two publicly available jailbreaks, checkra1n and unc0ver, are currently circulating on the Internet, casting a dark shadow over the security of the iOS platform. checkra1n is based on checkm8, a BootROM exploit: because the vulnerability sits in hardware, Apple has no way of fixing it on the affected devices (iPhone 5s, 6, 6 Plus, 7, 7 Plus, 8, 8 Plus and iPhone X) with a software update. unc0ver, in turn, is based on software exploits reaching down into the iOS kernel and affects every device model on which iOS 11.0 to 13.5 can be installed (from the iPhone 5s onwards, and all iPad models). This jailbreak no longer works as of iOS 13.5.1, where Apple patched the kernel vulnerability it relies on.
With these (and other) jailbreaks, users can bypass many of the restrictions Apple places on its devices and run third-party apps or OS extensions that add functionality. The price of this extra freedom is the loss of several iOS protection mechanisms that shield users from malware or data leakage. In a business context this is an enormous risk. At the moment, however, a far greater problem appears to be on the horizon.
One of the major security enhancements Apple has added to its devices over the years is the Secure Enclave. Also known as the SEP (Secure Enclave Processor), it is a security coprocessor that protects the keys for all sensitive data stored on the device. Although it is built into the same system-on-chip as the main processor, it is isolated from the rest of the system: the application processor cannot read its memory or its keys directly. Data written to and read from flash storage passes through a dedicated AES engine that encrypts it with AES-256 in XTS mode (an XEX-based tweakable mode), using keys that only the Secure Enclave can handle. The Secure Enclave is not only responsible for the encryption itself but also holds the associated keys and sensitive data such as passcodes or Apple Pay card credentials. Even the mathematical representations of fingerprints and faces that Touch ID and Face ID use for biometric identification (templates from which a real finger or face cannot be reconstructed) are kept there. None of the previous jailbreaks was able to endanger the Secure Enclave or break into it. Until now.
This is not the first time someone has claimed to have found a gap in the Secure Enclave. In 2017, security researchers managed to decrypt the Secure Enclave firmware in order to study how the component works. They did not obtain access to the private keys, however, so there was no real risk to users.
Last month, however, members of the Pangu team claimed to have found a permanent vulnerability in this part of the chip, in the Secure Enclave itself. The exploit is said to be unpatchable for Apple, because the alleged vulnerability lies in the hardware rather than in software, and to allow the encryption protecting the private keys to be broken. As with checkm8, all iOS devices with an A7, A8, A9, A10 or A11 chip are said to be affected.
The Secure Enclave (not to be confused with the Secure Element, the separate chip used for NFC payments) is part of Apple's A-series chip architecture. The SEP is isolated by a hardware filter so that the application processor cannot access it. It shares the device's RAM with the application processor, but the region it uses (known as TZ0) is reserved for it and encrypted. The SEP itself is a 4 MB AKF processor core that runs its own operating system, SEPOS. The structure was documented by Apple in patent application 20130308838. The technology and internal structure are very similar to ARM's TrustZone / SecurCore architecture. Apple being Apple, however, the SEP also contains proprietary code: like the application processor's BootROM, the SEP has its own boot ROM (the SEPROM), which loads its operating system (SEPOS) and the program code that runs on it.
Because of the nature of a ROM, this is a component baked into the chip that is write-protected, so its contents cannot be updated. And it is precisely this ROM that supposedly contains the vulnerability. At a security conference, the Pangu team demonstrated how they exploited a flaw in the memory controller to manipulate the TZ0 register, which sets the address range of the memory reserved for the SEP. Those interested in the details can consult the slides of the talk, which have since been made public. How deep the access actually goes, and which attacks it enables, is not yet known. Access at this level could, however, mean that passcodes, credit card credentials and much more become readable. The data of many thousands, or millions, of iPhone, iPad and even Mac users (the T2 security chip in recent Macs is based on the A10) could then be at risk.
Even though nothing specific is known yet, it is reasonable to assume that this exploit, too, requires physical access to the device. The reason is that the contents of the TZ0 register are locked at the end of the boot process and cannot be changed afterwards, so any manipulation has to happen during early boot. It is therefore more than unlikely that anyone can trigger the exploit remotely. The measures presented here, in particular disabling the USB interfaces, should (probably) provide good protection against this exploit as well.
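To make the argument about the boot-time lock concrete, here is a small C model of a lockable protected-memory range register with a hardware access filter in front of it. It is an added illustration, not Apple's SEP design and not code from the Pangu talk: the register names (tz_range_t, tz_range_write, tz_range_lock, ap_access_allowed), the window addresses and the filter logic are all assumptions made for this example. It shows why a write to the range register matters only before the lock is set: reprogrammed early, the window shrinks and a probe read of memory that used to be protected passes the filter; attempted after the lock, the same write is dropped and the read is still rejected.

```c
/*
 * Toy model of a lockable protected-memory range register with a hardware
 * access filter in front of it. Added for illustration only: the register
 * names, layout and filter logic are assumptions, not Apple's SEP design.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t base;   /* first byte of the protected window (TZ0-like) */
    uint64_t size;   /* length of the window in bytes */
    bool     locked; /* set once by early boot; later writes are dropped */
} tz_range_t;

/* Program the window. After the lock, the write is dropped and false is
 * returned, which is the behaviour the text attributes to TZ0. */
bool tz_range_write(tz_range_t *r, uint64_t base, uint64_t size)
{
    if (r->locked)
        return false;
    r->base = base;
    r->size = size;
    return true;
}

void tz_range_lock(tz_range_t *r) { r->locked = true; }

/* Filter decision for a bus access from the application processor:
 * any overlap with the protected window is rejected. */
bool ap_access_allowed(const tz_range_t *r, uint64_t addr, uint64_t len)
{
    uint64_t acc_end, win_end;
    if (len == 0)
        return true;
    if (__builtin_add_overflow(addr, len, &acc_end))
        return false;                      /* wrapping access: deny */
    if (__builtin_add_overflow(r->base, r->size, &win_end))
        win_end = UINT64_MAX;              /* window runs to end of space */
    /* half-open intervals [addr, acc_end) and [base, win_end) */
    return !(addr < win_end && r->base < acc_end);
}

/* Constructed sample values for the demonstration. */
#define WIN_BASE 0x800000000ULL
#define WIN_SIZE 0x1000000ULL             /* 16 MiB protected window */
#define PROBE    (WIN_BASE + 0x100000ULL) /* an address inside the window */

/* Register reprogrammed BEFORE the lock (early boot, i.e. with physical
 * access): the window shrinks and the probe read passes the filter. */
bool exposed_when_unlocked(void)
{
    tz_range_t r = { WIN_BASE, WIN_SIZE, false };
    bool changed = tz_range_write(&r, WIN_BASE, 0x1000); /* shrink to 4 KiB */
    return changed && ap_access_allowed(&r, PROBE, 0x100);
}

/* Same write attempted AFTER the lock (a running system, e.g. remotely):
 * it is dropped and the probe read is still rejected. */
bool protected_when_locked(void)
{
    tz_range_t r = { WIN_BASE, WIN_SIZE, false };
    tz_range_lock(&r);
    bool changed = tz_range_write(&r, WIN_BASE, 0x1000);
    return !changed && !ap_access_allowed(&r, PROBE, 0x100);
}

int main(void)
{
    printf("unlocked register, window shrunk, protected memory readable: %s\n",
           exposed_when_unlocked() ? "yes" : "no");
    printf("locked register, write dropped, protected memory readable:   %s\n",
           protected_when_locked() ? "no" : "yes");
    return 0;
}
```

The point of the model is the order of operations: the filter itself is sound, but it only protects what the range register says it protects, so the register must be fixed before any untrusted code runs. That is the same reasoning that makes physical access (and hence an early-boot foothold) the likely precondition for the real attack.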
As far as the checkra1n jailbreak is concerned, the update to iOS / iPadOS 14 due in autumn will give companies some breathing space, presumably because Apple has built many new internal protective measures into it that make jailbreaking harder. Do not confuse checkra1n with the underlying problem, the checkm8 exploit: that continues to exist unchanged. There is also, unofficially, a working jailbreak for iOS / iPadOS 14, but it will probably not be released "officially" before the end of the beta tests, so that Apple cannot take countermeasures shortly before the beta ends. (mb)