Pangu Team teases unpatchable SEP vulnerability at Mosec 2020

It was a pleasant surprise waking up this morning to learn that the Pangu Team had successfully pwned iOS 14 using their own proprietary exploits and demoed it at the Mosec 2020 conference. Although this jailbreak in particular isn’t likely to be released, it shows that there’s a light at the end of the tunnel despite Apple’s ongoing efforts to snuff out jailbreaking once and for all.

But an iOS 14 jailbreak wasn’t the only thing that the Pangu Team shared during their presentation. Team member @windknown also discussed details encompassing security research with Apple’s proprietary SEP (Secure Enclave Processor) chips, which are used for storing valuable data including Face ID & Touch ID information and passcode data, among other things of utmost confidentiality.

From what we can gather, non-patchable hardware vulnerabilities in SEPROM have been discovered. This was confirmed by SEP expert @matteyeux on Twitter this morning:

SEPROM is comparable to bootrom in the sense that it loads the operating system into the platform. In this case, it loads SEPOS and other processes through the Secure Enclave Processor. Apple designed this system to be isolated from iOS and the device’s primary processor for maximum security, and that’s part of what makes this unveiling so special.

With this vulnerability, the security researchers are able to interface directly with SEP memory and therefore harness its full potential for whatever purposes they set their minds to, such as bypassing the memory isolation protection. Another possible use is enabling firmware downgrades without the worry of SEP compatibility.

As you might come to expect, such a vulnerability in the wrong hands could also wreak quite a bit of havoc, especially since this part of the system deals directly with on-device security.

Much like the iOS 14 jailbreak demoed at Mosec 2020, it’s unlikely that this work will be released to the general public for any sort of utilization in the jailbreak community. That aside, it’s a particularly impressive feat. It’s worth noting that the vulnerability only works on older devices, such as those impacted by the checkm8 bootrom exploit, and so newer handsets like the iPhone XS and later aren’t vulnerable.

Are you impressed by the Pangu Team’s news? Discuss in the comments section below.