
> What’s the backstory?

From the person/hacker/security researcher (@axi0mX) who discovered it:

During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch. That's how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.

> why make it public?

A bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer. It will also be better for security researchers interested in Apple's Bug Bounty. They will not need to keep vulnerabilities on hand so that they have access they need for their research. More vulnerabilities might get reported to Apple right away.

Source: https://mobile.twitter.com/axi0mX/status/1177542201670168576...

I wonder if this is the vulnerability that a private company was exploiting for tools they provided to various law enforcement agencies?



Wait, why does this make iOS better? This breaks the security guarantees I expected from the phone.


iOS is such a walled garden that security researchers have a very difficult time gaining low level access on the phone. This has incentivized researchers to keep vulnerabilities they find for themselves rather than disclose them to Apple, so that they can use the vulnerabilities to gain the low level access needed for additional exploration. The Checkm8 author posits that by providing people this access via his exploit, researchers will submit their known vulnerabilities to Apple and make iOS safer.


Coming next year: pre-rooted devices specifically for security research, though likely only for well-established groups. https://thenextweb.com/apple/2019/08/08/apple-announces-deve...


Surely you mean nation state actors.


Why do you believe that? Apple made quite a lot of news by refusing to unlock the iPhone 5C from the San Bernardino shooting. Helping nation state actors find vulnerabilities would be contrary to their previous actions.


Not really. Helping nation state (any) actors gain access to user data would be contrary to their previous actions. Helping experts research vulnerabilities is a calculated risk that the good guys will reveal bugs at a similar rate or faster than the bad guys, whilst also disincentivising the hoarding.


I don't understand. vuln seemed to be suggesting Apple would give pre-jailbroken devices to governments to find vulnerabilities with instead of giving them to established white hat researchers.

I don't see how that would help good guys reveal bugs.


I believe he meant in the future versions of iOS. Once this is public Apple can take the necessary steps to patch this on future products. If it wasn't published, then Apple would, guessing here, leave it as is for future products. My 2 cents.


Nintendo Switch suffered from a similar problem (USB bootrom exploit https://github.com/Qyriad/fusee-launcher/blob/master/report/...) and the company has been watching the homebrew and other communities closely to patch the entire exploit chain as people discover exploits. No doubt the OS and platform are a lot more secure thanks to the community.


It means bug bounty hunters can jailbreak any version of their phone to turn it into a listening honeypot. Then they can take it to China, let the PRC re-exploit it, record the new exploit, then sell the exploit to Apple for $1 million and retire in the Bahamas. You wouldn't be able to turn your iPhone into a honeypot without this otherwise.
