The security researcher said: The vulnerability, which bears the name checkm8 – is at the root of the system, and gives attackers deep access to iOS devices at a level where it is impossible for Apple to prevent it, or fix it in a future software update. This could make it one of the most serious shortcomings in iPhone phones for years.
Axi0mX explained that this vulnerability takes advantage of a vulnerability of the initial code carried by the iPhone devices at startup. As it is “ROM”, so it is impossible to overwrite or repair by Apple via updates, so it will always exist. This is the first loophole of this type since the iPhone 4, launched a decade ago.
In another tweet, axi0mX said that it has announced the vulnerability to the public because “a vulnerability of this kind for older devices makes iOS better for everyone .. application developers will be able to break the protection phones of the latest version, and they will not need to stay on older iOS versions until they break their protection, so they will be safer.
The vulnerability affects hundreds of millions of iPhone phones, affecting any device from the iPhone 4S to the iPhone 8 and iPhone 10, but Apple seems to have corrected the gap in its A12 processor, which means that the iPhone 10S, iPhone 10R, iPhone 11r, and iPhone 11 Pro is safe.
More importantly, the vulnerability belongs to what protection breakers and application developers currently call a “restricted vulnerability”, which means it can only be exploited by USB. It must be activated every time through a computer, which limits the usefulness of a practical case of protection at the moment, and it can be benefited from its use if it turns into an “unrestricted vulnerability” .
However, if developers can use checkm8 as a starting point for iOS, the possibilities are almost endless, they will always give them broken devices and will not fix it because of Apple’s software updates, allowing them to do a lot of things.
There are also security concerns, those bad actors can use the vulnerability to bypass iCloud account locks, which are used to make lost or stolen devices useless, or install malicious versions of iOS that fly user information. While Apple can correct the gap for affected phones that are still sold, and the gap in the hundreds of millions of existing iPhones can not be fixed without replacing them.
This vulnerability is not the first to allow the protection of iPhone devices to break, as Apple repaired a security vulnerability a month ago for the second time after it was accidentally returned due to its security patch in one of the latest software updates.
The US company said at the time: The version 12.4.1 of the iOS system running on its mobile devices contains a security patch that Apple launched months ago in version 12.3, but the company canceled the fix by mistake, in version 12.4 that was launched last July.