The security researcher AxiOmX has found an iPhone exploit which is capable of giving hackers free access to millions of iOS devices.
The exploit is called “checkm8” and it affects every iOS device released between 2011 and 2017, including iPad, iPod Touch, Apple Watch, and Apple TV.
Checkm8 can permanently jailbreak devices, that is, remove the software restrictions Apple imposes on iOS.
The exploit takes advantage of a security vulnerability in the initial code that runs when an iOS device powers on.
Because the vulnerability is in the device’s read-only memory (ROM) and not in the software, Apple currently cannot fix the issue with an update.
The researcher AxiOmX explained that he found the exploit by reverse-engineering a patch Apple released last summer for the iOS 12 beta version.
According to AxiOmX, the “exploit for older devices makes iOS better for everyone” as it would let users run software far beyond what Apple has previously allowed.
In addition, the vulnerability would allow researchers to conduct a more extensive security analysis than what is available at this point.
Not everyone is convinced, however: some experts warn that the exploit could have major implications for iOS device security because it would let hackers install malware or stalkerware on affected devices.
At the same time, law enforcement contractors and nation state attackers could also use the exploit for surveillance and device compromise purposes.
According to AxiOmX, at this point the exploit can only be triggered over USB and its effect ends when someone reboots the device, which means that it is unlikely to be used by hackers, although the researcher said it is possible.
“It is possible that bad actors would use this, but I doubt it would be the first choice,” he told Wired.
“It requires physical access to the device and a reboot. But it could potentially be used by bad actors, say at border crossings or if devices are left unattended.”
Apple said that it will fix the issue in an upcoming software update, but didn’t reveal exactly when.