Attackers start using iOS checkm8 jailbreak

Website claims to give iPhone users the ability to jailbreak their phones, instead plants malicious profile to conduct click-fraud

Days after the discovery of checkm8, a permanent, unpatchable bootrom exploit that affects Apple devices from the iPhone 4s to the iPhone X, researchers have found that attackers have started capitalising on it.

A malicious actor has set up a website called checkrain, which claims to give iPhone users the ability to jailbreak their phones, found Cisco Talos Intelligence. However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud, said the Talos blog post.

Checkm8 is a vulnerability in the bootrom of some legacy iOS devices, which allows users to control the boot process. It affects all legacy models of the iPhone, from the 4S through the X.

The checkrain website specifically targets the users of these devices, said the Talos report.

If you visit the website using a desktop browser, it delivers the following error message:

"The website was only registered for three days when Talos discovered it. It’s now around six days old. It’s a very fresh malicious website," said Warren Mercer, technical leader at Cisco Talos.

axi0mX, the security researcher who found the flaw, explained on GitHub last month that the exploit could brick devices.

The checkrain campaign tries to capitalise on checkra1n, a project that uses the checkm8 vulnerability to modify the bootrom and load a jailbroken image onto the iPhone. Checkm8 can be exploited with an open-source tool called "ipwndfu" developed by axi0mX, said the Talos blog post.

However, neither checkm8 nor checkra1n is the real concern, Mercer told SC Media UK.

"The problem here is that users are being coerced into installing malicious profiles that enable an attacker to form, in our case, a click fraud campaign. The user is impacted once they opt to install the malicious profile and then click on the fake checkra1n icon on their springboard," he explained.

The same technique could be used for more malicious and critical actions, said the Talos threat assessment. Instead of a "web clip" profile, the attackers could implant their own mobile device management (MDM) enrolment, it said.
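The profile the fake site pushes is an ordinary iOS configuration profile (.mobileconfig), a property list whose PayloadContent array declares what the device should install. The following audit script is an added example for this article, not code from Talos or from the checkra1n project: it parses a profile and flags payload types that should never arrive from an unsolicited website, namely a managed web clip (the home-screen icon mechanism described above), an MDM enrolment payload, or a root certificate. The sample profile embedded below is constructed for the example; its identifiers, UUIDs and URL are placeholders, not values from the campaign. The PayloadType strings are Apple's documented identifiers; the "non-removable web clip" heuristic is the author's own.

```python
import plistlib

# Apple PayloadType identifiers that warrant a closer look when a profile
# arrives from an untrusted source. The descriptions are for the report only.
RISKY_PAYLOAD_TYPES = {
    "com.apple.webClip.managed": "web clip: home-screen icon that opens an attacker-chosen URL",
    "com.apple.mdm": "MDM enrolment: hands remote management of the device to the profile issuer",
    "com.apple.security.root": "root certificate: makes the device trust an attacker-chosen CA",
}

# Constructed sample: an unsigned profile carrying a single managed web clip
# labelled like a jailbreak tool. Not the profile from the campaign.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>checkra1n</string>
  <key>PayloadIdentifier</key><string>example.placeholder.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.placeholder.webclip</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>checkra1n</string>
      <key>URL</key><string>https://example.invalid/landing</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def is_plaintext_profile(data: bytes) -> bool:
    """True for an unsigned XML or binary plist. A signed .mobileconfig is
    CMS-wrapped DER and must be verified and unwrapped before parsing."""
    stripped = data.lstrip()
    return stripped.startswith(b"<?xml") or stripped.startswith(b"bplist00")


def audit_profile(data: bytes) -> dict:
    """Parse a configuration profile and report risky payloads.

    Returns a dict with the top-level display name, whether the profile was
    plaintext (i.e. unsigned), and one finding per risky payload."""
    if not is_plaintext_profile(data):
        return {"display_name": None, "plaintext": False, "findings": [],
                "note": "CMS-signed profile: verify the signature and unwrap it before auditing"}

    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOAD_TYPES:
            continue
        finding = {
            "payload_type": ptype,
            "why": RISKY_PAYLOAD_TYPES[ptype],
            "label": payload.get("Label") or payload.get("PayloadDisplayName"),
            "url": payload.get("URL"),
            # Web clips default to removable; a non-removable one that points
            # off-device is a heuristic red flag (author's own rule).
            "removable": bool(payload.get("IsRemovable", True)),
        }
        findings.append(finding)
    return {
        "display_name": profile.get("PayloadDisplayName"),
        "plaintext": True,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print(f"profile: {report['display_name']!r}, unsigned: {report['plaintext']}")
    for f in report["findings"]:
        print(f"  {f['payload_type']}: {f['why']}")
        print(f"    label={f['label']!r} url={f['url']!r} removable={f['removable']}")
```

Run it against any .mobileconfig a user was prompted to install; the same loop extends to other payload types simply by adding entries to RISKY_PAYLOAD_TYPES. A profile that is unsigned, names itself after a well-known tool, and installs a non-removable web clip pointing at an external site matches the pattern the article describes and is worth blocking at the MDM or proxy layer before it reaches a device.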

"We identified several countries that could have fallen for this fake website. The main concentration was in the US, but with many other countries throughout the world being potentially targeted," said the blog post.

Talos had earlier noted similar iOS malicious MDM campaigns, such as a highly targeted one against select iPhones in India found in July 2018.

"We’ve seen a rash of vulnerabilities discovered in Apple’s iOS this month, which I hope starts putting to rest discussions of which operating system is more secure," commented OneSpan senior product marketing manager Sam Bakken.

"Checkm8 serves as the latest reminder that neither Android nor iOS will ever be 100% secure. Neither Apple nor Google can or will immediately fix each and every security issue brought to their attention, leaving users and the apps they install exposed," he said.

Cybereason chief security officer Sam Curry used the analogy of automobile recall to describe the potential damage caused by checkm8.

"As with cars that have a recall, anything can be fixed; but it gets expensive if this isn't planned early… Likewise, if every iPhone and iPad in the world could be bricked and wasn't patchable, Apple would have to start considering very expensive solutions," said Curry.

"Whether this is a car, mobile phone or an IoT device, it's time to toughen up, expect an attack and be ready for the countermove to the hackers’ move."
