Xu Hao, an information security researcher from Team Pangu, has revealed the discovery of an “uncorrectable” vulnerability in the Secure Enclave Processor (SEP) chip. The flaw, identified as “Attack Secure Boot”, was presented at the MOSEC 2020 conference, held in Shanghai, China.
It should be remembered that SEP is a standalone coprocessor that provides an extra layer of security for Apple devices. This chip stores sensitive user information such as Apple Pay data and passwords, among other things.
It is very likely that the Chinese hacker team will try to sell this finding to Apple in exchange for a large reward. Team Pangu revealed some details about the discovered bug: “This is not a vulnerability in sePROM itself. Rather, it is an error in the memory controller that manipulates the TZ0 register.” According to information security experts, TZ0 refers to a register that controls the range of PMI memory usage.
Experts note that such a vulnerability in SEP could have major security implications. For example, a malicious jailbreak configuration could access and read sensitive user data stored on the vulnerable chip.
On the other hand, the news is not as bad as information security specialists initially believed, mainly for two reasons:
- The vulnerability only affects devices that support checkm8 or checkra1n
- In addition, devices with A12/A13 systems-on-chip do not have a BootROM exploit. Without a BootROM exploit, it is impossible to know whether this bug exists on those devices, seriously limiting the range of a potential attack
Security researcher axi0mX considers that this vulnerability cannot be used to jailbreak via a web browser (JailbreakMe) or with an application (unc0ver), because the value in the TZ0 register cannot be changed after boot.
It is worth mentioning that exploitation depends on physical access to the device, another factor that limits the scope of the attack. Apple also uses several hardware- and software-based mitigations, reducing the impact of a potential attack. To trigger this vulnerability, a threat actor requires, in addition to physical access to the device, a checkm8-style BootROM exploit.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and began working as a cybersecurity analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cybersecurity incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.