Researcher Discovers Method for Exploiting Boot ROM in Several iPhone Models

Sean Gallagher, Ars Technica:

Today, an iOS security researcher who earlier developed software to “jailbreak” older Apple iOS devices posted a new software tool that he claims uses a “permanent unpatchable bootrom exploit” that could bypass boot security for millions of Apple devices, from the iPhone 4S to the iPhone X. The developer, who goes by axi0mX on Twitter and GitHub, posted via Twitter, “This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.”

It’s possible that this exploit has been found by other researchers and is already in use, especially via tools used by intelligence and law enforcement agencies, such as GreyShift’s GreyKey. Many of these tools use proprietary hardware to collect data off iOS devices.

Ryan Stortz, writing on the Trail of Bits blog:

We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU. All other devices, including models that are still sold, like the iPhone 8, are vulnerable to this exploit. Regardless of your device, we also recommend an alphanumeric passcode, rather than a 6-digit numeric passcode. A strong alphanumeric passcode will protect the data on your phone from this and similar attacks.

The bad news is that A11-and-older iPhone models, and their iPad and iPod Touch equivalents, are vulnerable to this exploit. Because the vulnerability is in the boot ROM, the read-only code burned into the chip at manufacture, it cannot be fixed by a software update; Apple can only fix it in new silicon, which is why the A12 and later are unaffected. And it is extremely powerful: the boot ROM is the root of trust for everything that loads after it.

But it requires physical access to a device; your iPhone cannot be breached through a remote attack, and someone would need to put it into DFU mode and connect it over USB to a computer running the exploit. It is also not persistent: the exploit lives only in memory, so the phone boots normally after a restart and would have to be re-exploited over USB every time. And the Secure Enclave is not compromised by this vulnerability, so the keys protecting your data still depend on your passcode, which is why Stortz’s advice about alphanumeric passcodes matters. Finally, it is overwhelmingly unlikely an average person’s phone would be at risk of someone actually using this exploit against it. The categories of possible victims are more-or-less how Stortz describes them: public figures, politicians, judges, journalists, activists, and spies.

Regardless, this exploit is both worrisome, because it cannot be patched, and deeply impressive.

A further complication is that someone who wants to exfiltrate lots of data about you need not breach your phone specifically. If you use cloud services to keep your devices in sync, they could breach, for example, a still-vulnerable older iPad signed into the same account while your iPhone remains untouched.