Overview
Explore a technical conference talk from the 38th Chaos Communication Congress (38C3) on hacking Apple's new USB-C controller, the ACE3. Learn about the progression from the ACE2 controller to the more sophisticated ACE3, and how the researchers combined hardware vulnerability exploitation, reverse engineering, RF side-channel analysis, and electromagnetic fault injection to achieve code execution on this custom chip. Discover the challenges of approaching an undocumented custom chip whose firmware lives in internal ROM, including bypassing the cryptographic validation of firmware, determining the precise timing of the security checks, and carrying out a successful fault-injection attack. Follow the investigation of the ACE3's capabilities beyond basic USB Power Delivery, including its role in JTAG access, its control of the internal SPMI bus, and its potential as a host for persistent firmware implants. Gain insight into the security implications of USB-C controllers in Apple devices and into the methodology used to research these under-explored but security-critical components.
Syllabus
38C3 - ACE up the sleeve: Hacking into Apple's new USB-C Controller
Taught by
media.ccc.de