Upgrade Now: Bitcoin, Litecoin Wallets on Older iPhones May be Insecure
A Litecoin dev has raised an urgent need for users of older iPhones to upgrade their devices to avoid risking their private keys and cryptocurrencies to an exploit likened to a “ticking time bomb”. Loshan, who is also a moderator on Litecoin’s Reddit thread (goes by the username losh11) and vested with the authority to speak officially, claims “updating iOS will not help” the about 100,000 to 150,000 “more installs of loafwallet on iOS” they get going by LTC Foundation internal data – because the exploit is unpatchable. iPads released before 2019 could also be affected.
The ticking time bomb checkm8
The sound warning comes following a reported case of a vulnerability in “hundreds of millions of iOS devices” – ranging from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip) as well as the iPod Touch 5, 6 and 7 and every iPad from the iPad 2 to the iPad 7th generation – called checkm8, a permanent bootrom exploit that cannot be patched. The vulnerability claim was made by a security researcher nicknamed axi0mX, who is credited for the discovery of a bootrom exploit, alloc8.
1/ The last iOS device with a public bootrom exploit until today was iPhone 4, which was released in 2010. This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.
— axi0mX (@axi0mX) September 27, 2019
The checkm8 exploit, which can be accessed from DFU mode, was patched by Apple in summer 2018 during the iOS 12 beta phase and makes use of a UaF (use-after-free) vulnerability found in iBoot’s USB code. AxiomX tweets: “During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.”
Let’s not spread FUD here, the compromise requires physical access to the phone and at this time is not exploitable remotely
— Mohsan (@Pwn__Star) September 27, 2019
FUD for crypto space or precaution?
The exploit’s not being able to be triggered remotely has raised questions on why it should not be made a security concern now especially in the crypto space where it could easily spark fears among users. While Loshan shares the view that all wallets including hardware wallets have flaws, the dev maintains that “people with older phones should be aware that there is an exploit that exist which could simply steal their seed.”
Adding on Reddit, Loshan writes:
“An exploit already exists but it unlikely to take place. Users should know about that right? Speculating about future threats isn’t spreading FUD but instead precautionary.
“…At the future an exploit can be discovered which allows this exploit to be carried out without having physical access to the device. It’s not like there haven’t been jailbreaks carried out through the web browser before… or what’s to say that apps installed through third-party stores like 25pp don’t contain software that can execute this…All we know is that this is a ticking time bomb which could infect millions of iPhones in the future at any time.
“This exploit defeats the entire security model of LoafWallet and many other mobile wallets. Maybe you feel panicked about that, but users should know such an issue exists. Personally I don’t feel safe storing bigger amounts of Litecoin (under $10K) on LoafWallet iPhone X anymore – and if I did want to walk with that much I would upgrade to an iPhone 11 Pro or another A12/A13 device.”