Team Pangu shows an unpatchable SEP flaw. Apple iOS 14 security in big trouble

Xu Hao, information security awareness researcher from Team Pangu, has disclosed an “uncorrectable” vulnerability in the Secure Enclave Processor (SEP) chip. The flaw, identified as “Attack Secure Boot”, was presented at the MOSEC 2020 conference, held in Shanghai, China.

It should be remembered that the SEP is a standalone coprocessor that provides an extra layer of security to Apple devices. This chip stores sensitive user information, such as Apple Pay data and passwords, among others.

It is very likely that the Chinese hacker team will try to sell this finding to Apple in exchange for a large reward. Team Pangu revealed some details about the discovered error: “This is not a vulnerability in SEPROM itself. Rather, it is an error in the memory controller that manipulates the TZ0 log memory.” According to information security experts, TZ0 refers to a register that controls the range of PMI memory usage.

Such a vulnerability in the SEP can have huge security implications, experts mention. For example, it could allow malicious jailbreak settings to access and read sensitive user data stored on the vulnerable chip.

On the other hand, the news is not as bad as information security specialists initially believed, mainly for two reasons:

  • The vulnerability only affects devices that support checkm8 or checkra1n
  • In addition, A12/A13 system-on-chip devices do not have a BOOTROM exploit. Without a BOOTROM exploit, it is impossible to know if this error exists on those devices, which seriously limits the range of a potential attack

Security researcher axi0mX considers that this vulnerability cannot be used to jailbreak via a web browser (JailbreakMe) or with an application (unc0ver), because the value in the TZ0 register cannot be changed after boot.

It is worth mentioning that the flaw requires physical access to the device, another factor that limits the scope of the attack. In addition, Apple uses several hardware- and software-based mitigation strategies, reducing the impact of a potential attack. To trigger this vulnerability, a threat actor requires, in addition to physical access to the device, a checkm8-style bootROM exploit.
