iOS Device Jailbreak Exploit is a Game Changer for Investigators — and Your Case.
Recent Breakthrough Enables Forensic Examiners Full File System Extraction for all iOS Devices Running A5 to A11 Chips.
Did you have a matter that involves an older model iPhone and you were told the contents were not accessible? The playing field has changed.
A recent iOS breakthrough happened when an access point was discovered that helps forensic examiners handle the complex challenges of a full file system extraction. Researchers who uncovered the flaw have dubbed it “Checkm8.”
So, what is "Checkm8" exactly?
Checkm8 is an exploit developed by the hacking community (with some help from Cellebrite) and is an unpatchable hardware exploit affecting almost every Apple iOS device released over the past decade. Utilizing the Checkm8 exploit allows a forensic examiner to perform the first full iOS jailbreak in almost 8 years. This exploit targets the physical read-only memory of Apple iOS devices, allowing exploit code to break out of the “jail” Apple has placed on their iOS devices, and allows for custom code execution.
This new jailbreak impacts all iOS devices running on A5 to A11 chipsets — chips in all Apple products released between 2011 and 2017, spanning eight generations of devices, from the iPhone 4S to iPhone 8 and X. It does not apply to the more recent iPhone XR/XS/11/Pro, but it can be used for iPads and Apple TVs with the same A5 to A11 chipsets, and is executable on all devices regardless of iOS version.
iOS devices that are vulnerable to Checkm8 include the following:
iPhone 5, iPhone 5C and iPhone 5S
iPhone 6, iPhone 6+
iPhone 6S and iPhone 6S+
iPhone 7 and iPhone 7+
iPhone 8 and iPhone 8+
iPads from the 2 up to the 7th generation
iPad Mini 2 and 3
iPad Air 1st and 2nd generation
iPad Pro 1st and 2nd generation
Apple Watch Series 1, Series 2, and Series 3
Apple TV 3rd generation and 4K
iPod Touch 5th generation to 7th generation
What does this mean for you and your case?
Checkm8 enables digital forensic examiners to gain access to iOS devices and extract more digital evidence than ever.
Utilizing the Checkm8 exploit allows digital examiners to extract data from iOS devices that were previously impossible. This includes deleted iMessage, SMS, and MMS messages, emails and end-to-end encrypted messages sent through various applications such as Telegraph, Signal, and WhatsApp – Messages you would otherwise not receive from a subpoena to Apple or the mobile carrier.
Furthermore, this provides access to the Apple Keychain, which includes stored passwords across all of the user’s devices. This data can provide vital information to investigators and your case.
Already completed a forensic examination on one of these iOS devices?
Even if you completed a previous forensic examination on one or more of these iOS devices, there may still be an opportunity for a skilled digital forensic examiner to provide new and relative content to your investigation.
Checkm8 allows examiners to find data previously hidden and unavailable to anyone without access to GrayKey which is a service offered to law enforcement only, shrouded in non-disclosure agreements. This free and open-source exploit levels the playing field and allows the private sector as well as criminal defense attorneys access to something previously reserved for a select group of law enforcement agencies: a full file system extraction for modern Apple iOS devices.
If you had a case or currently have a case that involves one of these iOS devices, Cornerstone Discovery can help. Checkm8 allows our certified digital forensic examiners to perform iOS full file system extractions on a wide range of iPhones and Apple devices.