SN 736: CheckM8

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Re: the hacker who studied reflections in the victim’s eyes in her selfies: I’d love to see those calculations that allowed him to calculate her floor from the angle of a shadow… What precision can you get from that?

I listened to the podcast, it was great. I wish it had been a little less dismissive of the relationship of child exploitation as it relates to social network security & privacy. I understand that it probably was an appeal to sympathy for those who fear such exploitation though. I wish that there were a way we could trust government to responsibly use the requested backdoors, but groan, how can we rely on a bureaucracy that weaponizes the IRS, uses secret courts & information based on sometimes false information, and is so lax with the data it already has on all of us? And we should trust them to manage our healthcare & individual security?!

Just a slight correction to Leo’s comment about WhatsApp not alerting users when a contact’s security code has changed. It does have this capability, but it is disabled by default. To enable notices of code changes, go to Settings --> Account --> Security --> and toggle the “Show security notifications” switch. Then you will get a bubble in your chat window whenever one of the contacts in that chat has changed their code.

The worrisome part is that among my contacts, their codes seem to change more frequently than I would have thought. I guess they are getting new phones more often than me. If you were really concerned about this, you could contact them and find out why it changed and re-confirm their new key, but if I am any measure of normal, this never happens. You just see the message that a key has changed and say, oh well.

I suspect offline child exploitation is a much bigger and far less investigated issue.

I like the new flavour as well. There’s far more to talk about than Microsoft.

Sure, but no less devastating to those done online.

I hope Steve carries on keeping us informed of the latest ransomware attacks. This week’s Ryuk attack on Pitney Bowes has been very difficult for a lot of small businesses worldwide, who rely on their franking machines for postage. I’ve seen people saying the cost of switching to stamps is almost double, and not everyone has the cashflow to cope. I get the impression that PB probably had decent backups because the restoration of systems has proceeded at a steady pace, but it’s still meant that some non-US customers have been unable to use their franking machines for an entire week, because they depend on PB systems to transfer credit from their accounts into the machine.

An interesting detail from a tweet by a Pitney Bowes rep Gregg Zegras at

is that if you zoom into one of the pictures you can see that a PC appears to be running a Norton Ghost restore.

Checking my post it looks like the Twitter link has failed to resolve properly, but if you take out the space in his name and stick a @ on the front it’s easy to find him on Twitter.


I believe Steve said on three occasions that the CheckM8 vulnerability doesn’t persist across reboots. I understood this to mean that software run via the exploit couldn’t persist. At the end of the show, Leo persisted with the idea that some software could be installed permanently on an iOS device and Steve agreed (acquiesced?). I thought iOS signing and sandboxing would make this moot. Which is the most correct interpretation?


CheckM8 is not persistent. But once a phone is jailbroken with CheckM8 any software can be installed on it. And that will persist.


Thanks Leo. I guess I thought there were checks on software (signing, etc) in iOS. But then I guess jailbreaking wouldn’t be a thing…

Maybe iOS software will have to be signed, like on macOS. It would be pretty easy to implement through the App Store, wouldn’t it? Not sure about the overhead on older Ax devices.

My biggest issue is that the tech media covered CheckM8 for like a split second. It’s an issue affecting maybe 80% of currently active iPhones and so like 30% of all of the world’s active smartphones (I’m approximating from stats I could find, so please help me on these numbers). It’s not patchable, and it lends itself perfectly to border crossing searches, police state searches (like China and the Uyghurs), etc. I was hoping Steve or @Leo would call for people to upgrade as soon as possible, and especially if you travel, but they didn’t. It’s just not safe to use these older phones anymore, especially if you travel.

I have other concerns about how secretively Apple discloses its security logs. I wish the security press would talk more about the lack of transparency. iOS may appear secure, but the black market for these iDevice security issues appears to be huge at the state actor level. What do you all think?

I think the bits will persist if written, but I am unsure if the OS will load and execute them. I think the entire point of the jailbreak was to circumvent the OS checks on the integrity of apps as they’re loaded but before they get executed. The boot loader checks the OS, the OS checks the drivers and the apps. Without permanently changing the boot loader in ROM I don’t see a way to get a modified OS loaded, which means it will be difficult to get anything not approved by Apple loaded subsequently.

The one “hope” would be to get some sort of bad data loaded into an app with an unpatched flaw, but I doubt you would need a jailbreak for that.

My understanding is that each iOS device has a unique ID that is encoded into the OS. This means each OS image is unique to each device, so it will be quite challenging to make something that applies universally to all devices that are not actively being used with a jailbreak.

What I wonder might happen is if someone can make a “fake tether” USB device. It could simulate a PC during the iOS boot and allow the device to apply a jailbreak on any given boot-up.
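The chain-of-trust reasoning in the post above (BootROM checks iBoot, iBoot checks the kernel, the kernel checks apps), as an added worked example. This is not the poster’s code and not Apple’s; it is a toy model in which a BootROM bug is represented as “this boot’s BootROM skips its check”, while the ROM contents themselves never change. Signatures use a Lamport one-time scheme built from SHA-256 so the file runs with only the standard library; that scheme, the stage names and the image contents are assumptions standing in for the vendor’s real signing format.

```python
"""Toy verified-boot chain for the 'does the jailbreak persist?' question.

Each stage carries the public key of the stage it loads next and refuses to
hand over control unless that image's signature verifies.  A BootROM bug is
modelled as 'this boot's BootROM skips its check' (patched in RAM by the
exploit); mask ROM is unchanged, so the check is back on the next cold boot.

Signatures: Lamport one-time signatures over SHA-256 (standard library only).
This is a stand-in for the vendor's real scheme, not Apple's format.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

STAGES = ["iBoot", "kernel", "app"]   # assumed load order after BootROM


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def msg_bits(msg: bytes):
    """256 bits of SHA-256(msg), most significant bit first."""
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # One-time: each key signs exactly one image in this model.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))


@dataclass
class Image:
    name: str
    code: bytes
    sig: Optional[list] = None   # None: unsigned, e.g. a jailbreak payload


class BootError(Exception):
    pass


def build_device():
    """Vendor provisions one key per hop and signs the stock images (constructed)."""
    keys = [lamport_keygen() for _ in STAGES]
    flash = []
    for (sk, _), name in zip(keys, STAGES):
        code = f"{name}: stock build".encode()
        flash.append(Image(name, code, lamport_sign(sk, code)))
    embedded_pubkeys = [pk for _, pk in keys]   # pubkeys[i] is baked into the stage that loads flash[i]
    return flash, embedded_pubkeys


def boot(flash, pubkeys, bootrom_exploited=False):
    """Return [(stage, verified)] for one boot, or raise BootError.

    A stage's check is only trustworthy if that stage was itself verified; once
    an unverified (attacker-patched) stage runs, it loads whatever comes next."""
    ran = [("BootROM", True)]        # always runs: it lives in mask ROM
    checker_trusted = True
    for i, img in enumerate(flash):
        if i == 0 and bootrom_exploited:
            checker_trusted = False  # the exploit disabled the ROM check for this boot only
        if checker_trusted:
            if img.sig is None or not lamport_verify(pubkeys[i], img.code, img.sig):
                raise BootError(f"{img.name}: bad or missing signature, halting")
            ran.append((img.name, True))
        else:
            ran.append((img.name, False))
    return ran


def jailbreak(flash):
    """Write unsigned kernel and app images to flash; stock signed iBoot stays."""
    modified = list(flash)
    modified[1] = Image("kernel", b"kernel: patched, codesign off")
    modified[2] = Image("app", b"app: unsigned store")
    return modified


def scenario():
    flash, pubkeys = build_device()
    stock = boot(flash, pubkeys)                              # normal boot
    jb_flash = jailbreak(flash)
    exploited = boot(jb_flash, pubkeys, bootrom_exploited=True)  # tethered boot
    try:
        boot(jb_flash, pubkeys)                               # cold reboot, exploit not re-applied
        reboot_result = "booted"
    except BootError as e:
        reboot_result = str(e)
    bits_still_on_flash = jb_flash[2].sig is None            # the unsigned app was never erased
    return stock, exploited, reboot_result, bits_still_on_flash


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

Running it shows the two halves of the thread’s disagreement side by side: the unsigned kernel and app bytes are still on flash after a reboot, but with the ROM check back in force the stock iBoot refuses to load the unsigned kernel, so nothing downstream of it runs until the exploit is applied again over USB.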


I just spent 10 minutes looking through news articles and I can’t determine if it would persist or not. This is a great example, one of the biggest non-fixable bugs in an iOS device to date… and we don’t even know if it would persist or not. WOW this just boggles my mind.

I’m with you about the uncertainty here and on the net. According to WWDC 2016 session 705, How iOS Security Really Works: “iOS code signing covers not just the OS, but every app that runs.” Isn’t the point of jailbreaking that you suspend this requirement? If the secure-boot process is restored after a restart/reboot then code signing would be required again and such malware would not work–unless it had a valid Apple/Dev cert.

So far no one has addressed this in posts claiming persistence.

Although disappointed, I’m not surprised by the lack of info about this, considering both Apple’s and the general aversion to vulnerability discussions.