A tool for testing the hardware security of Apple mobile processors has been developed


A team of researchers from North Carolina State University has created a tool for studying vulnerabilities in Apple mobile processors and used it to test a CPU cache attack.


Using the checkm8 exploit as a starting point, the researchers implemented a BootROM tool for the Apple A10 Fusion system-on-a-chip (SoC) and then developed a new CPU cache attack based on the Prime+Probe method.


The checkm8 exploit works on most iPhone models (from iPhone 5 to iPhone X), but researchers focused on the iPhone 7, which was Apple's most ubiquitous mobile device on the market in 2019 when the study began.


The new tool, dubbed openc8, adds extensions that make it reliable enough for extended hardware security research. The open-source tool loads a handler shell onto the device, which supports installing and executing payloads.


openc8 includes build and boot support for pongoOS (the open-source part of the checkra1n toolkit), which provides updated drivers for iPhone hardware. The researchers also used the Sandcastle project, which supports pongoOS modules and a patched Linux kernel that can be booted on the iPhone 7.


The attack, dubbed iTimed, is synchronous: the attacker triggers AES encryptions of known plaintexts. It further assumes that the attacker and the victim share the same core and that the virtual address of the T-tables is known. According to the researchers, the new method easily outperforms classical approaches at recovering key material, requiring only half the usual number of side-channel traces.
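As an added educational simulation (not the researchers' iTimed code), the model below shows why the T-table lookups described above leak: the round-1 table index is plaintext byte XOR key byte, and a Prime+Probe observer resolves only which cache line each lookup touched, so known plaintexts eliminate key-nibble candidates, while a table access pattern that is independent of the key, the standard countermeasure, leaves every candidate standing. The 64-byte line size, the per-table "set of lines seen" model and the random eviction noise are assumptions of the simulation; no real cache is touched.

```python
"""Model of the first-round T-table leakage a Prime+Probe observer exploits.
Constructed educational simulation, not iTimed's code; no real cache is used."""
import random

LINE_BYTES = 64                      # assumed cache line size
ENTRIES_PER_LINE = LINE_BYTES // 4   # 32-bit T-table entries -> 16 entries per line
LINES_PER_TABLE = 256 // ENTRIES_PER_LINE
TABLE_OF_BYTE = lambda i: i % 4      # state byte i is looked up in T[i % 4]

def observed_lines(plaintext, key, noise_lines=0):
    """Per T-table, the set of cache lines touched in round 1 of one encryption.
    The round-1 index is p[i] ^ k[i]; the probe resolves only the line, i.e. the
    high nibble. Extra random lines model evictions caused by unrelated activity."""
    seen = [set() for _ in range(4)]
    for i in range(16):
        seen[TABLE_OF_BYTE(i)].add((plaintext[i] ^ key[i]) // ENTRIES_PER_LINE)
    for lines in seen:
        lines.update(random.randrange(LINES_PER_TABLE) for _ in range(noise_lines))
    return seen

def observed_lines_hardened(plaintext, key, noise_lines=0):
    """Countermeasure model: an implementation that touches every line of every
    table on each lookup (or uses no table at all) shows the probe the same set
    whatever the key is."""
    return [set(range(LINES_PER_TABLE)) for _ in range(4)]

def recover_high_nibbles(traces):
    """Candidate elimination over (plaintext, observed lines) pairs: high nibble h
    of k[i] survives a trace only if line (p[i] >> 4) ^ h was seen in byte i's
    table. A singleton candidate set means 4 bits of that key byte are known."""
    cands = [set(range(16)) for _ in range(16)]
    for p, seen in traces:
        for i in range(16):
            table = seen[TABLE_OF_BYTE(i)]
            cands[i] = {h for h in cands[i] if (p[i] >> 4) ^ h in table}
    return cands

def simulate(key, n_traces, noise_lines=2, seed=1, model=observed_lines):
    """Collect n_traces known-plaintext traces under `model`, then run recovery."""
    random.seed(seed)
    traces = []
    for _ in range(n_traces):
        p = bytes(random.randrange(256) for _ in range(16))
        traces.append((p, model(p, key, noise_lines)))
    return recover_high_nibbles(traces)

if __name__ == "__main__":
    key = bytes(range(16))  # constructed demo key
    print("leaky T-tables, candidates per byte:", [len(c) for c in simulate(key, 40)])
    print("hardened access, candidates per byte:",
          [len(c) for c in simulate(key, 40, model=observed_lines_hardened)])
```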


The researchers notified Apple of their findings in July last year. The iTimed toolkit is available on GitHub.

