The recently revealed Checkm8 vulnerability in iPhones has ignited the technical and mainstream press alike. Depending on who you believe, it is either the end of world or no big deal. As usual, the truth is somewhere in between.
But let’s backup slightly. What is the vulnerability?
At the end of September, a security researcher revealed an exploit that would allow any iPhone from the 4S to the X to be permanently jailbroken.
What made the revelation so shocking to many was that the vulnerability was unfixable. This is because it wasn’t in the operating system but in the unpatchable bootrom - the code that starts the phone and loads the operating system.
Now the reassuring bit, the vulnerability can only be exploited through the USB port. That means someone needs to physically attach a cable to your device, making a mass attack nearly impossible and limiting any exploitation to specialist use cases such as law enforcement trying to get through a device lock.
The Interesting Bit…
What’s interesting about Checkm8 is how security researcher axi0mx found the vulnerability.
As disclosed through Twitter, axi0mx compared new versions of the code with older versions. Changes – which they identify as a patch – are revealed through the comparison. As the functionality hasn’t changed, it isn’t too much of a leap of faith to assume they might be security fixes and worth further investigation.
That further investigation involved analysing the patch and the surrounding code to understand how it works. The reverse engineering resulted in the vulnerability being discovered.
While the vulnerability was found in a mobile phone, at Verimatrix we believe that similar “code diff” attacks will become increasingly prevalent in IoT and automotive industries. This is because, like the bootrom, code is compartmentalised making it easier to identify individual changes.
Code obfuscation becomes a strong defence against these attacks. That’s because obfuscation that can be seeded to produce different results on the same code base will ensure each version of the deployed software is always different. This stops individual patches standing out and being easily identified.
Obfuscation goes further. Its primarily use is to make code difficult to read. This means that even if an attacker identifies a patch, it is much harder for them to understand the objective of patch.
All of this is to say that in order to prevent the opponent’s check, it is imperative to implement a strong, seedable obfuscation operating across a range of platforms and devices from desktop through mobile to embedded devices such as IoT and those found in vehicles. We shouldn’t have to sacrifice too many pawns to keep our kings safe.
Click here to learn more about the code protection tools offered by Verimatrix and how they have been validated and proven to provide powerful application shielding technology. And stay tuned for another upcoming blog post on guarding against mobile app vulnerabilities.