Checkm8 exploit made a big buzz recently since it opened doors to forensically sound acquisition of multiple models of iOS devices. Belkasoft have implemented checkm8-based approach in its Belkasoft Evidence Center mobile and computer forensics tool.
In this article we would like to familiarize you with the terms that define the data acquisition process from an iPhone based on the checkm8 exploit.
AFU is an acronym for After First Unlock. It refers to the mode an iPhone is in when a user enters the correct passcode for the device after a reboot or power-on event.
In other words, when you restart or turn on your iPhone and then type in your passcode, your device ends up in the AFU mode.
AFU is a considerably less secured iPhone mode, especially when compared to BFU. Forensic toolkits enjoy more success when they are used to extract data from an iPhone in the AFU state because the files are not encrypted then.
Some extraction procedures employ fast brute force techniques (numerous cracking attempts) to access data on iPhones in the AFU state.
Belkasoft Evidence Center
Belkasoft Evidence Center is a popular all-in-one digital forensic product used by law enforcement agencies and security organizations all over the world. With this tool, investigators get to acquire, search, analyze, store, and share digital evidence extracted from computers, smartphones, and the cloud.
Belkasoft Evidence Center is one of the few tools that support iPhone acquisition through the checkm8 exploit on Windows. Since the release of v.9.9800 of this tool, it allows investigators to extract certain forms of information from an iPhone even when the device is locked and the password is not known.
BFU is an acronym for Before First Unlock. Before First Unlock refers to the mode an iPhone is in immediately after reboot or power-on when it is yet to be unlocked.
In other words, after you reboot or put on your iPhone, your iPhone enters BFU and it remains in that mode until you input your passcode.
Security experts consider BFU the most secure mode for an iPhone. The files inside an iPhone stay encrypted until a user fills in the required password, which (if correct) is used to decrypt its file system.
The description here is an oversimplification of the events that occur, but the ideas behind it are quite solid.
A bootloader is a program that runs to start the operating system when a device gets powered on. Such a program exists on all machines that use an operating system, regardless of the operating system version or build.
In iOS, iBoot is the bootloader that plays a vital role in the operating system’s secure chain. The latter is quite sensitive because it works to ensure that the low-level code in the OS is intact and only loads software signed by Apple.
Checkm8 is a SecureROM exploit that takes advantage of vulnerability in iOS devices to grant a user administrative (root) access to the device. It is an “unpatchable” vulnerability. It cannot be blocked because it exists inside the SecureROM of an iPhone. It is unaffected by software updates or changes in the iOS version running on a vulnerable device.
Checkra1n is a jailbreak process based on the checkm8 exploit. Some developers offer it as an application, which regular people can use to jailbreak to their devices.
Early checkra1n tools were built only for the macOS platform, so the procedure meant little to PC users.
DFU is an acronym for Device Firmware Update. It is the firmware update process associated with iPhones. The iPhone Device Firmware Update (DFU) allows users to make low-level changes to the software running on their smartphones.
In DFU mode, an iPhone gets to interact with iTunes, but the device does not load the operating system (iOS) or the boot loader does not come into play—and this is the major difference between DFU mode and the regular recovery mode.
DFU mode is targeted at advanced users such as phone recovery shops. Apple expects that such categories of people—who know precisely what they are doing—might need to access DFU mode on their iPhones to update or change the firmware on their device. Advanced users might perform such a task to troubleshoot things; some might do it for research purposes or as a part of a service they are providing.
Through DFU mode, it is possible to restore a bricked iPhone. If a device gets stuck in a loop after an iOS update or if its data falls to corruption, then the projected recovery mode will help.
The DFU mode also allows for downgrading of the firmware on iPhones. In certain scenarios, advanced users can take advantage of DFU mode to install custom firmware needed for a jailbreak or SIM unlock.
DFU cannot be removed or blocked because it is housed in the SecureROM, which exists inside the hardware. All iPhones support DFU but the method of getting them into DFU differs across the models.
The SecureROM houses the very first code the processor runs on power-on (or reset). The SecureROM is read-only.
It typically loads the next stage bootloader from a flash or USB (in DFU mode). The SecureROM then proceeds to verify the signature through the built-in cryptography implementation.
"Unpatchable" vulnerability refers to a security hole that cannot be closed by the installation of software or firmware updates. Such a vulnerability exists forever. For example, checkm8 is an "unpatchable" vulnerability.
Regular vulnerabilities (known ones) in iPhones cease to exist after the installation of updates. Apple patches up such vulnerabilities quickly because the holes exist in parts of applications (or code) that the operating system maker is able to modify or alter.
The checkm8 vulnerability, however, lies inside the SecureROM, so it will always remain unchanged in state or composition after software updates.
You can read Belkasoft articles on checkm8 and various other digital forensic issues at https://belkasoft.com/articles and, in particular, at https://belkasoft.com/checkm8. The difference between checkra1n and checkm8 is explained at https://belkasoft.com/belkasoft_vs_checkra1n.
The trial version of Belkasoft Evidence Center is available at https://belkasoft.com/trial
Request a quote at https://belkasoft.com/quote