Checkm8 Implications on iOS DFIR, TFP0, #FreeTheSandbox, Apple, and Google


Thanks to Checkm8, a bootrom vulnerability that exists on most iPhones/iPads (pre-A12 chipsets), a generic method to bypass the iOS sandbox restrictions will be made public within days/weeks for all previous and future versions of iOS! An upcoming release of a generic capability to extract the filesystem of a suspected iOS device will help to boost digital forensics investigations.

Which devices are vulnerable? Almost every iPhone/iPad up to and including the iPhone X.
Which devices are not vulnerable? iPhone Xs/Xr and 11/11 Pro.

Notably, the release of checkm8 will help to enhance Digital Forensics and Incident Response (DFIR) on the iPhone X (and all previous models) and make it easier to perform deep investigations compared to the newer models such as the iPhone Xs / Xr / 11. Whilst iPhones running on A12+ chipsets benefit from the Pointer Authentication Code (PAC) security mitigation, which makes exploitation significantly harder, the inspectability of such devices remains a major challenge and is crucial for successful DFIR investigations when initial suspicion is raised.

Furthermore, this vulnerability, amongst other capabilities, allows iPhone owners to modify boot arguments which, for example, can enable users to have an even safer iOS version than vanilla iOS.

When ZecOps started the #FreeTheSandbox initiative, we did not foresee a release of a bootrom exploit covering the latest production devices. Thanks to @axi0mX, bootrom exploits have become a reality and changed the game. A number of experienced and reputable researchers (such as @qwertyoruiopz, @siguza and many other fine individuals) worked tirelessly to make use of checkm8 in order to set the iOS sandbox free (a.k.a. Checkra1n).

Soon it will be released publicly.

Implications to Apple & Google:

Since almost every iOS device is now susceptible to jailbreaking without requiring new exploit chains or bypassing mitigation techniques, it is time for Apple to rethink its sandboxing strategy and allow iOS users to freely inspect their devices including A12 and A13 devices without the need of a Local Privilege Escalation (LPE) exploit. 

Device vendors, such as Apple and Google, will soon realize that Checkm8-style unpatchable vulnerabilities are inevitable. Restricting sandbox policy against device owners does not make sense and only benefits attackers, who oftentimes leverage the sandbox to avoid detection.

A notable case was Google Project Zero's discovery of 14 vulnerabilities leveraged in the wild against any iOS visitor of certain websites, whilst the attackers didn't even try to hide and executed their payloads from a tmp folder. Following Checkm8, many researchers will take a closer look at bootrom vulnerabilities. Since boot-level vulnerabilities are unavoidable, we would like to encourage Google & Apple to open up Android/iOS for inspectability with the consent of end users. This will make it possible to perform complete DFIR investigations without flashing a new image, slowing down time-critical investigations or tampering with the attack's evidence.

Should device vendors decide to consider this, ZecOps will collaborate with each vendor to enumerate the key things that would be important to enable mobile DFIR investigations. Furthermore, enabling users to inspect their devices does not increase device issues; on the contrary, organizations that permit a CYOD policy would prefer devices that are inspectable, especially in the Defense / Government sectors.

Update to ZecOps Task-For-Pwn-0 Project

Following this release, ZecOps decided that we should focus more on bootrom vulnerabilities for both iOS and Android. 

  • iOS Bootrom vulnerabilities for A12/A13: We’re willing to offer up to $250,000 bounties for A12 and A13 bootrom vulnerabilities. 
  • Android support: With this blog post, we are happy to announce that we are opening up our program for Android devices too. As a starting point, we’ll only examine Android boot-level bugs.
  • Existing LPEs on iOS 13+: Until we receive bootrom submissions, on iOS we’ll focus exclusively on LPEs for A12/A13 devices.

Other TFP0 Terms & Updates

Disclosures, (non-)exclusivity and other terms will be discussed with researchers at the time of the submission. The bounty price will be determined following an agreement on the terms.

Submissions

Send submissions to [email protected]. The public key is available at the bottom of this post.

It has been almost two months since we launched the program, and so far it has been a great success, since it helps our DFIR investigations globally! More updates to this program will be provided soon, as it is continuously evolving.

We would like to thank everyone who supports the #FreeTheSandbox initiative, and we hope that soon we will all be allowed to inspect the devices we purchased without the need to break into them.

If you wish to analyze suspected devices, please contact us at [email protected]

The ZecOps TFP0 Team

Bonus

If you read all the way to here, here's a bonus:
To receive #FreeTheSandbox stickers delivered to you, fill in this form.

[email protected] public key below:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=WWrF
-----END PGP PUBLIC KEY BLOCK-----

