A security researcher has succeeded in reverse engineering Apple's new USB-C controller, which has been built into the company's smartphones since the iPhone 15. He already gave a related talk at the end of December in Hamburg at the most recent Chaos Communication Congress (38C3); the video of it has now been published. Thomas Roth, alias stacksmashing, founder of the security education company hextree.io, who specializes in iOS reverse engineering among other things, shows what the so-called Ace3 can do, and how it is potentially insecure.
TI chip adapted to Apple
The microcontroller actually comes from Texas Instruments (TI), but was specially adapted for Apple. In addition to all four variants of the iPhone 15, it is also in all iPhone 16 models and will soon be in the iPhone SE 4 as well. Apple had previously taken all iPhones with the proprietary Lightning port off the market because of the European Union's USB-C requirement. Ace3 is based on the Ace2 known from the MacBook Pro. On Ace2, Roth had already managed to install a persistent backdoor using his own macOS kernel module (which, however, can only be installed by administrators) that also survives the complete system restore process.
With Ace3, however, it is no longer so "easy". According to the security expert, Apple has implemented per-device personalized firmware updates, removed the debug interface and added flash verification. In addition, parts of the firmware are missing. Roth had to work with various complex reverse-engineering methods, including RF side-channel analysis and electromagnetic fault injection, and thereby managed to achieve code execution on Ace3, including a ROM dump.
Complex reverse engineering
The complex reverse engineering reveals several possible avenues of attack. Ace3 is said to contain a full USB stack and is connected to internal components such as the SPMI bus and the application processor's JTAG interface. Nevertheless, the attacks presented by Roth are likely to be difficult to apply on a broad scale. However, he is working on bringing the cost of the required hardware below $100.
In his talk, he also explains how Apple could prevent such attacks in the future and what possibilities there are for new kinds of exploits. However, all of these should only work if an attacker has the device in hand. Remote exploits are, at least for now, unthinkable.
(BSC)