New hack breaks open Apple's USB-C security

Posted in iPhone, edited January 13

A security researcher has worked out how to hack a proprietary USB-C controller used by Apple, an issue that could eventually lead to new iPhone jailbreaks and other security problems.

USB-C on an iPhone 15



As one of the more privacy and security-focused companies, Apple has become a prized target for hackers to beat. In one instance, it seems the iPhone's USB-C controller has become a risk factor.

At the 38th Chaos Communication Congress in December, researcher Thomas Roth presented a demonstration of attacking the ACE3 USB-C controller. The information was only revealed to the public in January.

The ACE3 USB-C controller is a key element, as it is in charge of recharging the device and handling data transfers. It first appeared in the iPhone 15 generation, managing the included USB-C port.

SiliconAngle reports that Roth managed to reverse-engineer the controller, exposing its firmware and communication protocols. From there, he could reprogram the controller to perform actions such as injecting malicious code and bypassing important security checks.

A somewhat limited intrusion



While the hack sounds like a massive issue, it's not really a problem for the vast majority of users. Roth relied on custom USB-C cables and devices, and needed clear physical access to the device, to pull it off.

Physical access would only be needed for the initial compromise, though. Once compromised, the controller could be further manipulated without necessarily requiring such access.

The key is the need for physical access from the start, which rules out the attack being a danger to the vast majority of Apple users. This doesn't rule out its malicious use against some people who may consider themselves targets of nation states and other major bad actors, but that is a very small number of people.

A more realistic use for the attack is for jailbreaks, as Cyber Security News adds. Compromising the controller could result in untethered jailbreaks with persistent firmware implants, which can keep the operating system compromised.

Because it's a hardware attack, such a jailbreak could also be easier to keep active despite Apple's software efforts. That said, the hardware required would also limit the potential reach of the jailbreak technique.

Apple has not yet commented on the researcher's demonstration or its implications.




Comments

  • Reply 1 of 13
    While it might not be an issue for most people now, left unpatched, it could become a bigger problem later on, if someone can leverage already existing charging hacks.  So it's still a good idea to use only trusted cables and chargers.
  • Reply 2 of 13
    Fred257 (Posts: 269, member)
    If it wasn’t for jailbreaking you wouldn’t have the iPhone’s control center. This is fact. More innovation has been done by jailbreakers for the iPhone. Of course it’s impossible now to do so. I remember having one jailbreak to be able to automatically play my music when connecting to my Bluetooth device in my car. This was on an iPhone 3GS. It’s only until the Apple App Shortcuts came out that you could do this. And Apple does not let you differentiate between the Music app that you want to use. Android has apps that let you do this. Apple does not, at least for music.
  • Reply 3 of 13
    My USB-C port is usually filled with pocket lint and bubblegum as a security precaution. Isn’t everybody’s?
  • Reply 4 of 13
    Thank the goddess we got rid of that horrific Lightning mess. 
  • Reply 5 of 13
    I’m sure this will be good for police/FBI/DHS/CIA. A way to break into iPhones like GrayKey.
  • Reply 6 of 13
    Is the iPhone the only device using this controller?
  • Reply 7 of 13
    maltz (Posts: 518, member)
    The bar is so high, it's not a problem for users unless they're facing nation state?  Yet, the bar is so low, it's feasible to use it as a jailbreak mechanism?  Those two things are completely contradictory.

    You realize that roommates probably have physical access to your phone for plenty of time to pull off this hack, while you're in the shower or asleep, say.  Not to mention stolen devices.  Mere physical access is not much of a barrier at all for most users to be vulnerable.  The specialized equipment required *might* be, but it sounds like it might not be, if jailbreaking is a likely use case.
  • Reply 8 of 13
    sflocal (Posts: 6,150, member)
    Fred257 said:
    If it wasn’t for jailbreaking you wouldn’t have the iPhone’s control center. This is fact.
    No, it’s not “fact”.  Just you making stuff up and hoping it passes as “fact”.

    Care to cite a source?  Don’t worry, we won’t wait.
  • Reply 9 of 13
    Been saying this forever. USB-C is just a vulnerability waiting to be exploited, since it comes with its own controller, which has access to the system internals. Including RAM and other hardware.
  • Reply 10 of 13
    elijahg (Posts: 2,876, member)
    lam92103 said:
    Been saying this forever. USB-C is just a vulnerability waiting to be exploited, since it comes with its own controller, which has access to the system internals. Including RAM and other hardware.
    What, you mean like the Lightning USB 3.0 controller on iPad?
  • Reply 11 of 13

    This USB-C "vulnerability" is what I call a "gun to my head" scenario. It's the equivalent of someone demanding access to my iPhone with a gun to my head, which is more likely a thing to happen than someone getting hold of my iPhone, and attempting to do this electromagnetic whatsit. 

  • Reply 12 of 13
    dewme (Posts: 5,873, member)
    Great work by Thomas Roth. Despite the obvious limitations to implementing the attack, stepping up to the bar when it comes to implementing a Defense in Depth Strategy requires closing as many holes as possible at all levels. It’s always possible that one hacker’s discoveries can influence other hackers to find other ways to exploit the same vulnerability or to apply a similar strategy to hack other parts of a system. 
  • Reply 13 of 13
    macgui (Posts: 2,510, member)
    Fred257 said:
    If it wasn’t for jailbreaking you wouldn’t have the iPhone’s control center. This is fact. More innovation has been done by jailbreakers for the iPhone.
    I'm sure there's some truth to that, though offered without any support, "this is fact" rings pretty hollow.

    Apple and no doubt other companies have offered bounties for hackers acting as "white hats" discovering and reporting security vulnerabilities. Few companies want to advertise any patches generated at the behest of a discovery. "Fixes some security risks..." is the boilerplate.

    Black hats have probably been instrumental the same as burglars have been with their exploits causing manufacturers to create a multitude of security devices such as better locks with exotic keys, Lexan window treatments etc. YVMV.