A trio of researchers at North Carolina State University (NC State) have released what they describe as a “novel research toolkit” for Apple’s iDevices – and to prove its functionality, have disclosed side-channel attacks against the company’s A10 Fusion system-on-chip.
“A lot of people interact with Apple’s tech on a daily basis,” first author Gregor Haas, a master’s graduate from NC State, explained in a statement pointing out the obvious. “And the way Apple wants to use its platforms is changing all the time. At some point, there’s value in having independent verification that Apple’s technology is doing what Apple says it is doing, and that its security measures are sound.”
“For example, we want to know the extent to which attacks that have worked against hardware flaws in other devices might work against Apple devices,” added co-author and assistant professor of electrical and computer engineering Aydin Aysu.
The difficulty: what the researchers described as an “‘It Just Works’ design philosophy” which is “based on tight vertical integration and hiding their devices’ underlying complexities from both users and application programmers.”
The solution: A toolkit dubbed iTimed, which builds atop an open-source reimplementation of the “unpatchable” checkm8 boot ROM vulnerability first disclosed back in September 2019. “With checkm8 as a starting point,” Haas explained, “we developed a suite of software tools that allows us to observe what’s happening across the device, to remove or control security measures that Apple has installed, and so on.”
The trio's checkm8 reimplementation (Seetal Potluri was the third researcher) is dubbed openc8 and brings with it a range of claimed improvements. It is applicable to a range of iPhone models all the way up to the iPhone X, though the research paper focuses on its use in the iTimed toolkit to audit and attack the Apple A10 Fusion chip inside an iPhone 7.
“When this project began in 2019,” the researchers explained, “the iPhone 7 was the most common Apple mobile device in the consumer market [and] it is still commonly used with over 80 million sold.”
When The Reg asked about applicability to more modern SoCs, Haas said it could be done with “some minor reverse-engineering effort.” He added: “openc8 relies on the checkm8 exploit, which was released about two years ago by anonymous iOS security researcher axi0mX. This exploit works on iPhones containing the A5 through A11 SoCs, so our toolkit can be used to research any of these devices as well.”
Using openc8 and a custom hardware interface built around an Arduino microcontroller, the team was able to boot arbitrary code on the target device – and begin the process of reverse-engineering the hardware. For this, the team focused on the A10 Fusion’s caching microarchitecture – and discovered it to be vulnerable to a modified PRIME+PROBE attack, allowing for side-channel attacks against the OpenSSL cryptographic software library.
“The results show that we outperform classical techniques, even when they perform at their best and especially when they perform at their worst,” the researchers wrote. “When comparing the worst-case performance for both attacks, we find that we can recover 50 more bits of key material under the configuration with 4096 plaintexts, averaged from 4096 traces each.”
“We haven’t seen evidence of this attack in the wild yet, but we have notified Apple of the vulnerability,” said Aysu. “We also plan to use this suite of tools to explore other types of attacks so that we can assess how secure these devices are and identify things we can do to reduce or eliminate these vulnerabilities moving forward.”
The work extends beyond the discovery of a single specifically exploitable vulnerability, though: the team hopes that the toolkit will offer a way to help security researchers delve deeper into the world of Apple hardware. “Hardware security research on iPhones is notoriously difficult,” the trio concluded in the study.
“This paper proposes the first complete infrastructure to enable general-purpose hardware security experiments on the Apple iPhone SoCs. Our effort greatly lowers the difficulty of implementing future hardware security experiments on Apple’s SoCs.”
Asked what attracted them to iPhone research, Haas told The Reg: “Apple designs their devices as black boxes from the ground up, such that users and developers do not have to (and actually cannot) know about the implementations of various subsystems and modules. There’s been a significant amount of effort put into reverse-engineering Apple’s software, but we felt that, specifically, Apple’s security hardware has been under-researched in the field. Of course, researching hardware requires a significant development investment into infrastructure and thus we created the openc8 toolkit.”
We also asked whether they considered Android or iOS to be more secure. Haas responded: “I think that it’s hard to say which is more secure in a general sense. Apple has the advantage of extremely tight vertical integration in their products, allowing them to build security infrastructures that span the whole stack – from hardware, to iOS, to individual apps.
“Google has made strong efforts into similar security structures (see, for example, the OpenTitan project) which also have the advantage that they’re open-source and auditable by anyone. Both development approaches have their advantages and disadvantages, but both lead to strong overall security stacks.”
The team has released the source code for openc8 and recipes for iTimed Docker images on GitHub under an unspecified open-source licence, while the paper is available on the IACR Cryptology ePrint Archive [PDF] under open-access terms.
Haas said: “We believe that openc8 will be most useful for security researchers who need extremely tight hardware control for their experiments. This includes side channel research (like in our paper), microarchitectural reverse-engineering, and other research for which Apple’s iOS simply does not expose enough control over the hardware.”
Apple, as is usual for the company, did not respond to a request for comment in time for publication.
Security expert Sean Wright said of the research: “Independent verification that a piece of software or a product is living up to its security and privacy promises is definitely a good thing – assuming it’s done for the right reasons.
“Used with good intentions, toolkits like this one, designed specifically to test the hardware security of Apple devices, will result in better security for end-users.
“The iTimed finding is a prime example of this in action.
“The risk, as is almost always the case with these things, is introduced when this technology falls into the wrong hands. This should always be a consideration when it comes to developing such toolkits, especially when they’re open source. Even so, I don’t think this risk should stop researchers from doing this sort of work – I welcome any toolkit that has the potential to protect and improve user privacy and security.” ®