A new unpatchable flaw in Apple chips opens the door to an iPhone jailbreak
European offensive cybersecurity company Paradigm Shift released details of a flaw and a technique to exploit it that opens the door for hackers to unlock and break into older iPhones.
A company that sells spyware and hacking tools to government agencies has published details of a vulnerability in Apple chips that can potentially help hackers unlock older iPhones. This release opens the door for other researchers who specialize in finding iOS vulnerabilities, such as those working for governments or their contractors, to develop effective hacks for iPhones, provided they can find additional vulnerabilities to chain together with this one.
This could help security researchers develop a so-called iPhone jailbreak, a technique to hack into Apple’s mobile operating system and remove all the restrictions the company puts on it. The release is also a reminder that while Apple has made iPhones extremely hard to hack, there are and will always be vulnerabilities that sophisticated hackers can take advantage of to break in.
On Friday, Paradigm Shift, an offensive cybersecurity company based in Barcelona, published a blog post about the vulnerability, which it dubbed “usbliter8.” The company also published a proof of concept that shows how to exploit the vulnerability, which requires physical access to the target phone.
Affected devices
The flaw and related exploit affect iPhones that have Apple-made chips A12 and A13, which were released in 2018 and 2019, and are included in older iPhones such as the XS, XR and up to the iPhone 11.
Technical details
The release of usbliter8 is significant for security researchers and for makers of spyware and hacking tools, but it does not mean that older iPhones are easily hackable by anyone. The bug found by Paradigm Shift affects the iPhone’s Boot ROM, which is the first piece of code that runs when an iPhone is turned on and, consequently, its first line of defense against hackers.
To hack an iPhone with physical access to it - meaning having the ability to connect a cable to it - hackers need to first exploit the Boot ROM. Now, they can do that thanks to usbliter8, which allows them to potentially defeat and bypass further security checks.
Unpatchable nature
Paradigm Shift wrote in its blog that “as these vulnerabilities reside in immutable code, affected users should be aware that migrating to newer hardware remains the most effective mitigation.” In other words, given that the Boot ROM is burned into the chip, it can’t be changed and flaws in it cannot be patched.
Implications
Generally speaking, companies that sell systems to hack iPhones seized by authorities, such as Cellebrite and Magnet Forensics, need, and likely already have at their disposal, techniques similar to usbliter8 to break into iPhones. However, hackers still need to incorporate other techniques to access the user data stored in the phone.
Public iPhone jailbreaks were relatively widespread in the past, but they have become rarer in the last decade. Jailbreaking an iPhone is often the first step to research other vulnerabilities on the system. Researchers - intent on finding valuable iPhone flaws and ways to exploit them - have few incentives to release that information publicly, because that would lead to Apple fixing the flaws and setting the researchers back.
Paradigm Shift did not respond to a series of questions related to usbliter8.