Team Pangu has demonstrated an unpatchable SEP vulnerability at MOSEC 2020. Here’s all you need to know about it.
Table of Contents
Team Pangu discovers an unpatchable SEP bug
Xu Hao of Team Pangu presented his talk – Attack Secure Boot of SEP – at MOSEC 2020 in Shanghai, China. Team Pangu is the first hacking team to disclose an “unpatchable” vulnerability in the SEP chip.
For the uninitiated, SEP (Secure Enclave Processor) is an independent coprocessor that provides an extra layer of security to Apple devices. It stores sensitive user information such as Apple Pay data, keychain passwords, etc.
It’s highly likely that the Chinese hacking team will sell this bug to Apple for a huge bounty.
However, Team Pangu did make public some key details regarding this bug on MOSEC’s Weibo account:
One of the topics at the finale of today’s meeting is the security research on iOS SEP chips brought by @windknown from the Pangu team. It is also the world’s first topic to disclose security vulnerabilities in iOS SEP chips. For a long time, in order to ensure the security of mobile phone encryption capabilities, Apple has put many key encryption/decryption and secure storage functions in an independent coprocessor (SEP).
Like BOOTROM, SEP chip also has independent SPPROM for loading SEPOS and APP running on SEPOS. However, due to the particularity of ROM, ROM is a system built into the chip and is read-only. So, the corresponding vulnerabilities cannot be upgraded and patched by Apple through software updates. Therefore, we also call these vulnerabilities as hardware vulnerabilities.
Windknown first introduces the architecture of Apple’s SEP hardware and system. The main processor and the co-processor are isolated and need to communicate through a shared memory mechanism. Subsequently, it explained in detail the process of SEPROM initialization, including the realization of the memory isolation mechanism. The memory isolation mechanism is implemented by the TZO mechanism.
The TZ0 register describes the range of SEP memory usage, and AMCC is used to prohibit the main processor from accessing the memory space of TZO. The epic vulnerability announced this time is in SEPROM. By combining the BOOTROM exploit of checkm8, the IO mapping register can be modified to bypass the memory isolation protection. Then cooperate with the race of the main processor to achieve the purpose of modifying any SEPOS and SEP APP. For example, through the restriction of password input in patch sks, to try to lock the screen password without restriction.
So, it is not a vulnerability in the SEPROM per se. Rather, it’s a bug in the memory controller that manipulates the TZ0 register memory. TZ0 refers to a register that controls the range of SEP memory usage.
Security Implications of Pangu’s SEP vulnerability
An “unpatchable” SEP vulnerability or bug can have huge implications from a security standpoint. For instance, it could allow malicious jailbreak tweaks to access and read sensitive user data stored in the SEP.
But, fortunately, it’s not as bad as we initially thought it would be. There are two reasons for that:
- First, it only affects devices that are compatible with checkm8 or checkra1n.
- Secondly, devices with A12/A13 system-on-chip do not have a BOOTROM exploit. Without a BOOTROM exploit, it’s impossible to know whether this bug exists on those devices.
According to security researcher axi0mX, this vulnerability cannot be used by browser-based (JailbreakMe) or app-based jailbreaks (unc0ver), because the value in the TZ0 register cannot be changed after booting.
Security implications of this SEPROM vulnerability are not as bad as you might think:
(1) Browser-based (nation states) or app-based (community) jailbreaks cannot use it, because the value in TZ0 register is locked and cannot be changed after boot.
— ax🔥🌸mX (@axi0mX) July 25, 2020
This bug relies on physical access to the device. So, unless someone gets his/her hands on your device and puts it in DFU mode, you are safe.
Further, Apple uses various hardware and software-based mitigation strategies to reduce vulnerability impacts. To trigger this SEP vulnerability, the attacker requires, in addition to physical possession of the device, a BOOTROM exploit like checkm8.