Apple's USB-C controller decrypted from the iPhone
Apple is upgrading its entire iPhone line to USB-C. The microcontroller required for this has now been decoded.
(Image: Sebastian Trepesch)
A security researcher has succeeded in reverse engineering Apple's new USB-C controller, which has been used in the company's smartphones since the iPhone 15. He already gave a talk on it at the last Chaos Communication Congress (38C3) in Hamburg at the end of December; the video has now been published. Thomas Roth, alias stacksmashing, founder of the security education company hextree.io, which specializes in iOS reverse engineering, shows what the so-called ACE3 can do – and how it is potentially vulnerable.
TI chip optimized for Apple
The microcontroller actually comes from Texas Instruments (TI) but has been specially adapted for Apple. Besides all four variants of the iPhone 15, it is also found in all iPhone 16 models and will soon appear in the upcoming iPhone SE 4. Apple had previously withdrawn all iPhones with the proprietary Lightning connector from the market because of the European Union's USB-C requirement. The ACE3 is reasonably well understood because it is based on the ACE2 used in the MacBook Pro. On the ACE2, Roth had already managed to install a persistent backdoor via a macOS kernel module (which, however, only an admin can install); that backdoor even survives a complete system restore.
With the ACE3, however, this is no longer so “easy”. According to the security expert, Apple has implemented customized firmware updates for each device, disabled the debug interface, and added flash validation. Parts of the firmware are also missing. Roth had to resort to several elaborate reverse-engineering methods, including RF side-channel analysis and electromagnetic fault injection. In this way he was able to achieve code execution on the ACE3, including a ROM dump.
Complex reverse engineering
The complex reverse engineering reveals several potential access paths. The ACE3 is said to contain a fully fledged USB stack and is connected to internal components such as the SPMI bus and the application processor's JTAG interface. Nevertheless, the attacks Roth presented may be difficult to apply widely. He himself, however, is working on reducing the required hardware cost to less than 100 US dollars.
In his talk, he also discusses how Apple could prevent such attacks in the future and what possibilities he sees for new exploits. However, these are only likely to work if an attacker has physical possession of the device. Remote exploits are – at least currently – not conceivable.
(bsc)