New Discovery Unveils iPhone BootROM Vulnerability, Exposing Devices to Potential Risks
Researchers have uncovered a significant vulnerability in the BootROM of several iPhone models, specifically those powered by the Apple A12, S4/S5, and A13 systems-on-chip (SoCs). The flaw allows individuals with physical access to these devices to compromise their boot chain. The analysis was conducted by Paradigm Shift, a cybersecurity firm that has recently shared comprehensive insights about the vulnerability, which they have named "usbliter8."
The implications of this discovery are substantial, particularly because BootROM code is deemed immutable after the manufacturing process. This means that, unlike typical software flaws that can be rectified through operating system updates, this class of issue remains permanently embedded within the device once it has been produced. Such permanence raises alarms, as it poses a unique challenge for Apple and its users, particularly in an age where software vulnerabilities are often resolved swiftly through patches and updates.
The exploitation method described by Paradigm Shift requires a sophisticated setup. The proof-of-concept (PoC) that the researchers provided necessitates the use of Device Firmware Update (DFU) mode and RP2350-based microcontroller hardware. While this technical requirement might seem to limit the potential for widespread exploitation, it simultaneously accentuates the risk for devices that have been seized, stolen, or left unattended. Hence, users of such devices need to be vigilant about physical security.
Understanding the USB Vulnerability’s Connection to SecureROM
Paradigm Shift’s investigation led them to the Synopsys DesignWare USB controller, which is responsible for storing setup data. They discovered that this controller can hold a maximum of three setup packets. When a fourth packet arrives, it resets its direct memory access (DMA) pointer by a fixed amount, creating a vulnerability in the process. Furthermore, the controller is capable of accepting undersized packets, which are stored in increments of 4 bytes. This discrepancy allows the DMA pointer to move backward, ultimately causing an underflow primitive. As a result, static random-access memory (SRAM) utilized by SecureROM could be overwritten.
In their detailed findings, the researchers indicated that on Apple A12 and A13 SecureROMs, the Data Address Resolution Table (DART) configuration permitted this unusual DMA behavior to disrupt the application processor’s boot chain. The situation differs for the A11 chip, which is not susceptible in the same manner, as its USB driver resets the DMA address after each packet, effectively thwarting this potential exploitation route.
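The pointer accounting described above can be followed in a small model. This is an added example, not code from Paradigm Shift or Apple; the 8-byte full setup packet, the rewind of three full packets, and all names are assumptions of the model. It compares the lowest DMA offset reached with and without the per-packet address reset attributed to the A11 driver.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumptions of this model (not from the page): a full SETUP packet is
 * 8 bytes and the fixed rewind equals three full packets. */
#define SETUP_FULL   8
#define SETUP_SLOTS  3
#define REWIND_BYTES (SETUP_FULL * SETUP_SLOTS)

/* Constructed inputs: seven full-size and seven undersized packet lengths. */
const size_t FULL_PKTS[7]  = {8, 8, 8, 8, 8, 8, 8};
const size_t SMALL_PKTS[7] = {4, 4, 4, 4, 4, 4, 4};

typedef struct {
    long dma_off;  /* write offset relative to buffer base; <0 is below it */
    int  stored;   /* packets stored since the last rewind */
    long lowest;   /* lowest offset a write started at */
} usb_model;

/* Controller side: store one packet of len bytes in 4-byte increments. */
static void controller_rx(usb_model *m, size_t len) {
    if (m->stored == SETUP_SLOTS) {       /* fourth packet: fixed rewind */
        m->dma_off -= REWIND_BYTES;
        m->stored = 0;
    }
    if (m->dma_off < m->lowest) m->lowest = m->dma_off;
    m->dma_off += (long)((len + 3) & ~(size_t)3);
    m->stored++;
}

/* Replay packet lengths and return the lowest offset written.
 * reset_each_packet models a driver that reprograms the DMA address
 * before every packet, the behaviour the page attributes to A11. */
long lowest_dma_offset(const size_t *lens, size_t n, int reset_each_packet) {
    usb_model m = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (reset_each_packet) { m.dma_off = 0; m.stored = 0; }
        controller_rx(&m, lens[i]);
    }
    return m.lowest;
}

int main(void) {
    printf("full-size, no reset : %ld\n", lowest_dma_offset(FULL_PKTS, 7, 0));
    printf("undersized, no reset: %ld\n", lowest_dma_offset(SMALL_PKTS, 7, 0));
    printf("undersized, reset   : %ld\n", lowest_dma_offset(SMALL_PKTS, 7, 1));
    return 0;
}
```

A negative result means the write landed below the buffer base; in the model this happens only when undersized packets meet the fixed rewind and the driver never reprograms the address.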
The Varied Impact Across Chip Generations
The researchers further elaborated on how the path to code execution changes based on the chip generation. For example, on the A12 and S4/S5 models, where SecureROM does not incorporate Pointer Authentication, the exploit enables code execution by corrupting the link register located on the stack. After gaining access, the researchers demonstrated a method to patch the boot process and return to DFU mode via a customized USB request handler.
By contrast, the A13 SoC required a more intricate approach due to the protections offered by Pointer Authentication, which safeguards stack-stored return addresses. Paradigm Shift bypassed this protection through a series of tactics, which included heap manipulation, tampering with task states, and overwriting the interrupt handler.
The proof-of-concept currently supports the following devices and DFU-mode features:
- Apple A12 devices utilizing the targeted SecureROM path
- Apple S4/S5 systems vulnerable to the same exploit techniques
- Apple A13 devices after successfully navigating the Pointer Authentication constraints
- Features of DFU mode, which include demotion and enabling raw iBoot booting
It is noteworthy that newer chip models, such as the A14 and beyond, appear to have properly configured DART settings within SecureROM, effectively rendering this specific vulnerability unexploitable in those devices.
Final Thoughts
Paradigm Shift emphasized that the usbliter8 vulnerability does not directly compromise the Secure Enclave, a crucial security component in Apple devices. However, gaining BootROM-level control opens the door for broader attack vectors. Consequently, devices affected by this flaw—specifically the A12 and A13 models—will likely carry this security issue throughout their lifecycle. As a result, the most effective mitigation strategy is to consider upgrading to newer hardware, which offers enhanced security features and protections against such vulnerabilities. The discovery serves as a reminder of the ongoing security challenges that technology companies face, highlighting the need for continuous vigilance and improvement in device security protocols.
