Apple Devices SecureROM Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in the SecureROM of certain Apple devices, specifically those built on the A5 through A11 system-on-chip processors, which includes iPhone models 4S to X, as well as some iPad, Apple Watch, iPod Touch, and Apple TV models. This vulnerability allows an unauthenticated local attacker to execute arbitrary code during the boot process by exploiting a use-after-free issue. Exploitation requires physical access to the device, which must be connected to a computer and placed in Device Firmware Update (DFU) mode. The exploit is not persistent: rebooting the device restores its original software state. Furthermore, without the device's unlock PIN or fingerprint, information protected by Apple's Secure Enclave or Touch ID remains inaccessible.

Impact

Successful exploitation enables arbitrary code execution on the device during boot. However, the exploit does not persist after a reboot, and access to protected information (Secure Enclave and Touch ID data) still requires the device's unlock PIN or fingerprint.

Reproduction

To reproduce this vulnerability, connect a vulnerable Apple device to a computer and put it into Device Firmware Update (DFU) mode. Once the device is in DFU mode, the checkm8 exploit can be applied, resulting in arbitrary code execution on the device.

Remediation

There is no practical fix available, as the vulnerability resides in the read-only Boot ROM (SecureROM), which cannot be patched by a software update. The only guaranteed way to avoid this vulnerability is to replace the device with one that uses a non-vulnerable processor (a chip newer than the A11).

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 7.5
exploitability: 4.6
remediation: 4.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.