Don't lose your iPhone. It can now be easily unlocked with Checkra1n

Saw a video recently where the guy shows ALL iPhones being UNLOCKED after application of Checkra1n.

Before if your phone was locked and you lost it, it was unusable unless the person could unlock it with the code. But now if you lose your iPhone up to iPhone Ex, it can be unlocked. And all your data on the phone, including those compromising photos, will be available to the finder as well! Be warned.

Apple’s boast about privacy is no longer true.

1 Like

Yowza. I was under the impression that checkrain was only a memory resident bypass and powering the phone off would clear it out… This seems to imply otherwise.

1 Like

Yup that’s true. Powering it off removes Checkrain. But the jailbreak is applied with the phone ON and the iCloud removal tool does the unlocking on the jailbroken iPhone, which was not possible before.

Also the cops don’t need anything other than these 2 tools to open any locked iPhone up to Ex. unlike before.

1 Like

I think CheckM8 was the memory resident one? Still requires supported iPhone - up to X. I have a Xs so this exploit will not work on that. There are not any mainstream outlets picking up on this yet - I don’t know the reliability of any of the sites I have found about this. See if Steve talks about this.

In the end, if you have lost your iPhone and cannot remember your iCloud password, immediately change your iCloud password and execute a remote wipe, and blacklist IMEI.

1 Like

Steve covered it in SN 740 & 741 and he mentioned a source at Ars Technica. There are a number of articles on it there, including this recent one:

To be fair, neither Steve nor Leo saw this as a particularly worrying exploit, although I don’t know if the unlocking video mentioned introduces any new exploit elements.

Well the question that I have, is that I was under the impression that the device was encrypted at rest. I assumed if you had a password on it, you needed to provide that password to get at the filesystem. This attack seems to make a mockery of that assumption.

…and all through the halls of the NSA, FBI and CIA the cheers were so loud people went deaf for several minutes.

Yes. That was always the case with previous jailbreaks. You had to unlock it and stop FindMyIphone before the JB but this is the boot rom exploit and as ARS. in their article said, hadn’t been done since George. With this JB, iCloud can be removed, so giving access to a LOCKED iPhone which previous JB’s could not do.

Neither Steve nor Leo nor most (including me) knew that this unlocking could happen.

I think you’re missing my point. If the data in the phone is encrypted at rest, then there is NO exploit possible, by any means, that doesn’t involve first having the key necessary to decrypt the data at rest. (Well minor asterisk to that, you could always wipe the data at rest and fully reset the phone.) This attack doesn’t just bypass the activation lock, it appears to show the contents of the phone. This means, effectively, the data is not encrypted at rest, or that the means to decrypt it at rest can be obtained without any input from the user, which means, in essence, the encryption is a sham.

On my Android phone… it starts to boot, and it cannot continue until I provide my user key… which is used to unlock the key for the data at rest. I presume, without great knowledge of the intricacies, that there is a boot partition which is unencrypted, but merely contains the boot logo and enough code to collect the necessary password, and then subsequently load the next step out of the encrypted storage.

I see what you mean. I am not sure whether the data is encrypted on the iphone or not.

I know that photos are not because you can access them from your PC even with the phone locked.
Also using a tool like iTools4 you can access, install apps, delete messages, books, photos and other data even with the activation lock on.

The video (and others like it) show the phone being “opened” and activated without the lock- pin simply by JB and then “removing” iCloud.
This was not possible before.

Encrypted at rest means that if the phone is turned off, they can’t get access to the data, but if it is turned on and had been initially unlocked at boot time, the data is available.

How do you think apps running in the background can get at the data and give you notifications?

The jailbreak let’s additional software to be loaded in the background, which can wait until the phone has been unlocked, then it can do what it likes, with system privileges.

Checkra1n itself is just a jailbreak, it is what a bad actor can piggyback onto the system that is the problem.


Well the implication of this, based on this thread title, was that the phone in the video was “lost” which would mean the person breaking in would not have the means to decrypt it from rest. If any old person could pick up any phone and decrypt its data, then encryption at rest is not in use, or is providing no benefit. The video does not show the user providing any PIN so the assumption I am left to make is that the phone will, if cracked in this way, unlock for anyone.

This is NOT how Android works.