Security toolkit tests Apple SoCs, finds vulnerability
Hardware security research on iPhones is notoriously difficult, say the researchers. The design of the devices effectively prevents people from seeing how the devices function internally.
“As a result,” says Gregor Haas, first author of a paper on the study and a recent master’s graduate from NC State, “it has been difficult or impossible for independent researchers to verify that Apple devices perform the way that Apple says they perform when it comes to security and privacy.”
However, a hardware vulnerability called “checkm8” uncovered in 2019 was found to affect several models of iPhone and is essentially an unpatchable flaw.
“We were able to use checkm8 to get a foothold at the most fundamental level of the device – when the system begins booting up, we can control the very first code to run on the machine,” says Haas. “With checkm8 as a starting point, we developed a suite of software tools that allows us to observe what’s happening across the device, to remove or control security measures that Apple has installed, and so on.”
Aydin Aysu, co-author of a paper on the work and an assistant professor of electrical and computer engineering at NC State adds, “This toolkit allows us to conduct a variety of fine-grained security experiments that have simply not been possible on Apple devices to this point.”
There are practical reasons for wanting to have third parties assess Apple’s security claims, say the researchers.
“A lot of people interact with Apple’s tech on a daily basis,” says Haas. “And the way Apple wants to use its platforms is changing all the time. At some point, there’s value in having independent verification that Apple’s technology is doing what Apple says it is doing, and that its security measures are sound.”
For example, the researchers wanted to know the extent to which attacks that have worked against hardware flaws in other devices might work against Apple devices. In fact, during a proof-of-concept demonstration of their toolkit, the researchers say they identified a previously unknown vulnerability, which they call an iTimed attack.
The vulnerability was found when the researchers reverse-engineered several key components of Apple’s hardware. The vulnerability falls under the category of so-called “cache timing side channel attacks,” and effectively allows a program to gain access to cryptographic keys used by one or more programs on an Apple device.
With the relevant keys, outside users would then be able to access whatever information the other affected program or programs on the device had access to.
“We haven’t seen evidence of this attack in the wild yet,” says Aysu, “but we have notified Apple of the vulnerability.”
The researchers say they are sharing much of the iTimed toolkit as an open-source resource for other security researchers.
“We also plan to use this suite of tools to explore other types of attacks,” says Aysu, “so that we can assess how secure these devices are and identify things we can do to reduce or eliminate these vulnerabilities moving forward.”
For more, see “iTimed: Cache Attacks on the Apple A10 Fusion SoC.”
iOS vulnerability endangers half a billion Apple users
New algorithms in security IP increase protection for IoT SoCs
Researchers find iOS vulnerability that crashes iPhones and iPads
Synopsys, Tortuga Logic partner on SoC security
Analog IP aids physical attack mitigation in low-power IoT SoCs