"When Apple's servers go down you lose the ability to do low-level recovery on these machines anyway, since DFU flashing requires phoning home to get a ticket for your machine as well as low-level configuration data"
For comparison, note that you can't do low level recovery at all on e.g. Google Pixel phones. Lose the contents of your storage there and the phone is bricked, as Google does not provide the low level flashing tools and signed images to do that. Apple does, with the phone home caveat.
On x86 PCs, you can usually download a BIOS image, but to flash it you need hardware tools on most computers. So it's better in that you don't need to phone home, and worse in that you need specialized tools to do it. You might also lose serial numbers and other personalization information.
Note: "Factory" images aren't this (and that's a misnomer, they aren't what is used at the factory). Those are OS images. To flash them your bootloader needs to be intact. We're talking about recovering from complete loss of writable storage here - that requires OEM tools to boot low level recovery images from the boot ROM alone. Some of these have leaked, but for very few devices. Apple just gives all of this to you on macOS and we have an open source reimplementation of their DFU tooling (idevicerestore) that you can run on any OS to restore any M1 Mac or iDevice to any (signable) OS version. To this day, all non-beta macOS for M1 releases are signable; I imagine they'll only revoke old ones if a major security flaw is found that impacts device backdoorability or allows SEP compromise or so, and even then you could still install an older OS in reduced security mode, just not as the first OS installed during low level recovery.
Google Pixel phones are phones though, and not personal computer devices like M1 Macs are. Phones have traditionally been more locked down. A fairer comparison would be to Chromebooks, which do have a screw to let you flash a different BIOS.
Chromebooks have a different threat model; they give up once an attacker has physical access. M1s do not; their security model covers the case of preventing an attacker from installing a backdoor on a machine using physical access. That's why Chromebooks have the screw; once you have the machine in front of you, sure, go ahead and install your own firmware. They can afford that in their threat model.
We in security like to throw around that "once the attacker has physical access it's game over", but that isn't true in practice, as evidenced by the success of locked platforms like iPhones. You can be secure against physical access, at least assuming your attacker can't decapsulate your CPU, rewire it with a FIB workstation, and recapsulate it. Apple's security model aims for this, while still allowing the user to install their own OS.
> We in security like to throw around that "once the attacker has physical access it's game over", but that isn't true in practice, as evidenced by the success of locked platforms like iPhones.
People find iPhone jailbreaks all the time. Apple patches them, but if you want a jailbroken iPhone, they exist.
Moreover, the vulnerabilities they keep finding were there before they find them, and the ones they'll find tomorrow are there right now, if you have the resources to look.
And this is distinct from the level of resources (generally considered impractical for anyone) for other forms of computer security, e.g. AES replaced 3DES in 2001 but still to my knowledge nobody -- not even the NSA or other state actors -- has ever even broken 3DES.
If you ask whether a large corporation could break into an iPhone today given physical access, the answer is going to be yes. And without decapsulating your CPU. The physical vulnerabilities often end up being related to USB and things like that.
Remember the whole farce where the FBI wanted to get into some iPhone and "couldn't" because Apple refused to help them? Then they just paid somebody to break into it.
> You can be secure against physical access, at least assuming your attacker can't decapsulate your CPU, rewire it with a FIB workstation, and recapsulate it
Or steal your phone and leave you with an identical looking one that transmits your authentication to the real one as soon as you try to unlock it.
And that's really the physical access problem. If you have a device with full disk encryption and have cleared the keys from memory, the attacker might not be able to get the contents even with physical access. But if they've had physical access and then return the device to you, can you still trust it? Nope.
> People find iPhone jailbreaks all the time. Apple patches them, but if you want a jailbroken iPhone, they exist.
Most of which are tethered, which means they do not persist through reboots. And even if they're untethered, you can recover the platform with a DFU restore.
Those jailbreaks only exist due to flaws in Apple's software, which is completely outside the premise that physical access means game over. If Apple's software were bug free there would be no practical jailbreaks, and physical access has nothing to do with it. Some of those jailbreaks work through remote access, like the ones used by NSO and company.
And again, this is why they have the signing feature when installing an OS - so you can't install an older version vulnerable to a jailbreak and then give the phone to someone.
> The physical vulnerabilities often end up being related to USB and things like that.
Those aren't physical, they're software - checkm8 was a bug in the boot ROM. And this is why iBoot on M1 Macs doesn't support USB host mode to boot from USB disks, because the attack surface there is massive and Apple decided to find another way to allow macOS boots from USB without exposing their more critical bootloader to that.
Nobody jailbreaks iPhones via physical vulnerabilities, but if they tried, Apple have been much more proactive in this area than pretty much everyone else too. They have things like memory encryption and authentication for the SEP memory area, environmental monitors, hardware design that avoids exposing things to software that could have a security impact, etc.
> Remember the whole farce where the FBI wanted to get into some iPhone and "couldn't" because Apple refused to help them? Then they just paid somebody to break into it.
And every new iPhone and every bug fixed, this gets harder. The attack they used for that phone no longer applies to newer ones. It's not just a game of whack-a-mole either; Apple have been at the forefront of attack mitigations and iDevices are some of the most secure consumer devices in existence (the Xbox One might be close).
Doesn't mean they get it perfect; I have an Apple security report open for a bypass for one of their mitigations. But they try harder than pretty much everyone else in the industry.
> Or steal your phone and leave you with an identical looking one that transmits your authentication to the real one as soon as you try to unlock it.
That might work to get your PIN, but if nothing else you'd immediately notice it doesn't work properly or all your data is gone. That sure beats a silent backdoor in your phone.
The screw hasn't been a thing for years, you prove ownership by sitting there for like 15 minutes pressing the power button when told :D
But it's a lot more than just "go ahead".
For stock users: enabling dev mode wipes storage and reinstalls CrOS, so trying to "attack" via dev mode a) won't give the attacker any data and b) will be extremely noticeable because the data is gone (and there will also be dev warning screens all the time unless they then make fully custom FW and CrOS that aren't secure but look exactly like stock)
For custom users: you can lock the debug interface with your password! Plus do your own vboot if you're concerned about.. ehh.. flashing over SPI directly bypassing the debugger (not easy on some devices) or somehow some vulnerability allowing internal flashing from the CPU.
So Chromebooks do have decent measures against physical access and allow for full CPU & EC firmware customization.
Thanks for pointing this out. My Chromebook is from the era when they still had a screw... :-)
Can you recover a modern Chromebook that has had all of its Flash memories tampered with or wiped externally, with just a USB cable? With a debug cable? That seems to be one of the major things that sets apart iDevices from others.
At least this design doc still says local attacks involving e.g. replacing writable storage are out of scope (which they very much aren't for iDevices):
From block diagrams it seems Cr50 security chip in recent Chromebooks just interfaces with AP Flash and the write protect pin, and thus verified boot isn't tied to silicon tamper resistance. That puts Chromebook at around the same level as T2 Macs in terms of tamper-resistance, in fact a bit worse (on T2s the T2 chip is the flash from the AP's point of view, so you can't just tamper with an external flash memory. You could MITM it in principle, though I heard the T2 Mac boards are also designed to make this difficult to pull off with buried traces).
Digging a bit more (the docs on this are really scattered...), it seems Cr50 RW storage can be recovered from the RO loader by using a physical USB-UART cable, but that requires taking apart the machine, since it won't work over USB, only UART. There is no mention of any Boot ROM recovery mechanism or of how the RO firmware is authenticated; RO is supposed to be "Read Only" in on-chip Flash, but eliminating every avenue for compromise of writable Flash is very hard (e.g. glitching the Boot ROM; I've seen too many "secure" microcontrollers compromised to bypass read or write protect in various ways...), so this approach is quite a bit weaker than Apple's: on these devices, you need specialized hardware to go to the lowest level of recovery, and you can't even recover from certain kinds of volatile storage loss or compromise, while on Apple devices any end user with no specialized knowledge can follow a few simple documented steps with another machine and a USB cable and an app in the App Store (or idevicerestore) to fully, securely, and confidently restore all the writable firmware on the machine to factory condition, and the process relies only on truly immutable mask ROM*.
* I can't say for sure there isn't any auxiliary writable flash that would let you brick the machine in some other way, but I haven't found anything yet. The prime suspect, the USB-PD controller chip that's in the path of the DFU USB connection (and thus could break it if it doesn't work), smells like it boots from ROM until the OS instructs it to launch the application image from Flash. It reports being in "DFU" mode until we issue the first power state switch command to bring it up, and we know these chips are custom Apple versions with Apple ROMs and the ROM does contain most of the USB-PD stack... so this sounds like the kind of thing Apple would get TI to do, since they really care about being resistant to bricks and persistent compromise.
(if you have unlocked CCD and didn't lock yourself out of it — you could e.g. forget the password)
you can do whatever you want using flashrom with the SPI flash chips for both AP and EC.
> this design doc
Hmm, there's no timestamp for the page itself but the picture attachments are dated 2009.
> Cr50 RW storage can be recovered from the RO loader by using a physical USB-UART cable
That sentence sounds weird, not sure why it wouldn't be recoverable via the SBU cable — the RO firmware is just an earlier build of the same firmware that does offer the GSC/Cr50 UART among its consoles via SBU.
"RO public key in ROM, RW public key in RO" so they thought of that, the root of the root of everything is truly immutable silicon.
> e.g. glitching the Boot ROM
There are likely measures against this, since this is a "secure chip" designed in modern days by Google rather than some shitty vendor.
But either way, attaching probes for voltage-glitching the root of trust is far beyond the capabilities of the proverbial "evil maid" :)
And the glitching question should apply to Apple and whoever else as well.
> any end user with no specialized knowledge can follow a few simple documented steps with another machine and a USB cable and an app in the App Store (or idevicerestore) to fully, securely, and confidently restore all the writable firmware
What Google does for the "normal people" AP flash recovery: only the RW CBFS partition is writable from the AP, and for recovery it boots from an RO partition: https://doc.coreboot.org/security/vboot/index.html#recovery-... (there's a theme to everything the CrOS team does haha… surprise, the EC also uses the RO+RW mechanism)
Yes, this doesn't protect against the "I'm a normal regular user with no debug access and someone desoldered my SPI flash, tampered with it and soldered it back" but… come on :) Especially considering hard-to-open laptop cases and WSON-8 flash chips, that's just a ridiculous scenario to care about.
Tell that to all the governments who keep trying to get Apple to break into their own devices... It's not ridiculous at all, the NSA does this all the time (supply chain intervention). And WSON-8 really isn't that hard to swap, a hot air rework station will do it in a couple minutes. I've done much worse than that ;)
Good to hear the RO partition is also authenticated, though. My mention of glitching was mostly around whether there was trust placed in Flash at any point, since then a one time glitching attack could compromise the machine. You could still brick it by screwing up RO, but at least not compromise it. And again, those attacks aren't nearly as hard as you think. People have productionized these things for console modchips; that's at the level where someone with a cheap soldering iron can do it.
As for chip design, I'm sure Google did a better job than most random vendors (they all keep making the same mistakes...), but Apple has been doing chip security for much longer so they also have had quite a lot of time to build up experience in this area. I would trust Apple's chips over Google's (at least design quality wise), and I say this as a xoogler ;)
Actually, I think I can come up with an apt comparison. Google has crazy good production system security, probably better than anyone else; they've just been doing it for long enough, have been targeted by governments (China incident, NSA wiretaps), and have the motivation to just keep pushing things forward. Apple is on a very similar level with system/silicon security, in part for similar reasons. They're both just in their own league in those categories.
No, it's just Flash so it's a point of persistency. If you rely on on-chip flash integrity for security, a one-time glitch can compromise the system forever. If you rely on it for availability, then a random glitch (or even just cell decay) can brick your system forever.
The screw meme just doesn't die… Modern Chromebooks use a debug USB-C cable for flashing and serial console access, and a "sit around for like 15 minutes pressing power button when told" process to prove ownership to unlock dev mode.
Thanks for that information. I am not very involved in chromebook development, so I didn't know that. Do you have a link to documentation that outlines the current steps?
> On x86 PCs, you can usually download a BIOS image, but to flash it you need hardware tools on most computers.
Even then, it isn't always obvious how to write that image to flash. Sometimes you get lucky and the downloadable BIOS is a full image of the serial flash chip, but sometimes it's a delta update, or the flash chip contains other data (like configuration) which isn't part of the public image.
And even then, there's a ton of other updatable firmware in a typical PC that isn't part of a BIOS update -- most video adapters and network devices will have at least a small flash chip on board, which may not be repairable at all if it's damaged.
GPUs are often the easiest to recover actually – boot with another GPU, keeping the screwed-up one plugged in – it will still be flashable, just run atiflash or whatever.
Also, high end "gamer" hardware often includes "dual BIOS" (on both mainboards and graphics cards) and/or "BIOS flashback" (special button makes a microcontroller flash an image from a USB stick inserted into a marked port, even without a CPU present).
Yup. On M1s Apple tries to make all external chips either use runtime loaded firmware or be bootloadable, both for security and recoverability reasons. I don't know if it's possible to truly brick an M1, but if it is you have to try really hard.
Unless, of course, you need to perform a low level recovery when Apples servers are unavailable, for whatever reason. Then, it seems that it would be quite the problem.
https://news.ycombinator.com/item?id=29704923