A new unpatchable flaw in Apple chips opens the door to an iPhone jailbreak 

A company that sells spyware and hacking tools to government agencies has published details of a vulnerability in Apple chips that can potentially help hackers unlock older iPhones. This release opens the door for other researchers who specialize in finding iOS vulnerabilities, such as those working for governments or their contractors, to develop effective hacks for iPhones, provided they can find additional vulnerabilities to chain together with this one. This could help security researchers develop a so-called iPhone jailbreak, a technique to hack into Apple’s mobile operating system and remove all the restrictions the company puts on it. The release is also a reminder that while Apple has made iPhones extremely hard to hack, there are and will always be vulnerabilities that sophisticated hackers can take advantage of to break in.

On Friday, Paradigm Shift, an offensive cybersecurity company based in Barcelona, published a blog post about the vulnerability, which it dubbed “usbliter8.” The company also published a proof of concept that shows how to exploit the vulnerability, which requires physical access to the target phone. The flaw and related exploit affect iPhones that have Apple-made chips A12 and A13, which were released in 2018 and 2019, and are included in older iPhones such as the XS, XR and up to the iPhone 11.

The release of usbliter8 is significant in the world of security research and among makers of spyware and hacking tools, but it does not mean that older iPhones are easily hackable by anyone. The bug found by Paradigm Shift affects the iPhone’s Boot ROM, which is the first piece of code that runs when an iPhone is turned on and, consequently, its first line of defense against hackers. To hack an iPhone with physical access to it — meaning having the ability to connect a cable to it — hackers need to first exploit the Boot ROM. Now, they can do that thanks to usbliter8, which allows them to potentially defeat and bypass further security checks.

Paradigm Shift wrote in its blog that “as these vulnerabilities reside in immutable code, affected users should be aware that migrating to newer hardware remains the most effective mitigation.” In other words, because the Boot ROM is burned into the chip, it cannot be changed, and flaws in it cannot be patched. Generally speaking, companies that sell systems to hack iPhones seized by authorities, such as Cellebrite and Magnet Forensics, need, and likely already have at their disposal, techniques similar to usbliter8 to break into iPhones. However, hackers still need to combine such a technique with other techniques to access the user data stored on the phone.

Public iPhone jailbreaks were relatively widespread in the past, but they have become rarer in the last decade. Jailbreaking an iPhone is often the first step to research other vulnerabilities on the system. Researchers — intent on finding valuable iPhone flaws and ways to exploit them — have few incentives to release that information publicly, because that would lead to Apple fixing the flaws and setting the researchers back. Paradigm Shift did not respond to a series of questions related to usbliter8.
