Nikias Bassen

Nikias Bassen

Talk Title:

The One Weird Trick SecureROM Hates, vol. 2

Abstract:

With the release of checkra1n, the jailbreak based on the checkm8 vulnerability, back in November 2019, millions of iOS devices have been jailbroken and will be jailbreakable for life due to the nature of the vulnerability. While the jailbreak tool was initially only released for macOS, the development continued by the checkra1n team to deliver a jailbreak tool on other platforms aswell, like Linux, Windows, and embedded systems with the natural hurdles of different sorts. In parallel to that, the development of pongoOS has begun, a modular tiny pre-boot execution environment for iOS devices, that will effectively take care of things like kernel patching and adding other functionality through additional modules.

This updated talk will give an update on the development progress of pongoOS, and also shine some light on the reasons of "wen eta" being so long for the non-macOS platforms.

Checkm8 is an unfixable vulnerability present in hundreds of millions of iPhones' SecureROM. This is a critical component in Apple's Secure Boot model and allows security researchers and jailbreakers alike to take full control over the application processor's execution.

This talk will detail how we built an iOS jailbreak from the ground up - quite literally - by using an use-after-free in Apple's SecureROM. This is key code which is designed to bring up the application processor during boot but also exposes a firmware update interface over USB called DFU.

By abusing this vulnerability it is possible to unlock full control of the application processor, including enabling debugging functionalities such as JTAG, helping security researchers look for security vulnerabilities in Apple devices more effectively. We will analyse the root-cause and techniques used for exploitation, as well mention some of the hurdles we encountered while trying to turn this into a reliable jailbreak and plans for the future of this project.

Bio:

Nikias Bassen (@pimskeks on Twitter) has been into reverse engineering for more than a decade. The breakthrough was back in 2011 when he joined the Chronic-Dev team to work on the iOS 5 + 5.1 jailbreaks. Ongoing research was focusing mostly on iOS, and in early 2013 he became part of the famous @evad3rs who released the evasi0n and evasi0n7 jailbreaks for iOS 6 and 7. He joined Zimperium zLabs (@zLabsProject) back in 2015 to continue his efforts in security research and reverse engineering targeting iOS. Back in 2018, he joined the mobile device virtualization company Corellium (@CorelliumHQ) as VP Platform & Security to focus on providing the next generation platform for security research and mobile development. Since 2019, Nikias is back at Zimperium zLabs (@zLabsProject) as VP of Product Security to handle research and implementation of next-generation threat detections on iOS. As part of the checkra1n development team (@checkra1n) he found his way back to his roots, working on the greates jailbreak of the past decade: checkra1n (https://checkra.in).

Nikias studied Computer Science at the University of Bremen, Germany, and holds a Diploma degree. He is also one of the masterminds and maintainer of the libimobiledevice project (https://libimobiledevice.org / https://github.com/libimobiledevice) – an open source implementation of the iOS device-computer communication protocols.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved