
The release of the iPhone 15 was a turning point for Apple. The company abandoned its proprietary Lightning port and switched to the universal USB-C standard. However, not everything is so simple: along with this, Apple introduced a new ACE3 controller, developed in collaboration with Texas Instruments. This chip became the heart of USB-C management and does far more than basic functions such as power delivery or data transfer. ACE3 is a powerful microprocessor that runs a full USB stack and is connected to the internal buses of the device. But even such a complex technology turned out to be vulnerable.
ACE3 is a significant breakthrough in Apple’s technology. The company’s previous USB-C controllers, such as the ACE2, had basic features and were also known to have vulnerabilities. ACE3 is a completely different level:
It supports the full USB stack, allowing the device to operate in DFU (Device Firmware Update) mode.
The chip is responsible for integrating the iPhone’s internal buses, such as SPMI, which connect the processors and auxiliary components.
It allows interaction with the JTAG port for debugging the main processor, which is usually critical for the work of developers and… hackers.
These features make ACE3 not only a technical breakthrough, but also an interesting target for security researchers.
The ACE2 controller has also been used in Apple devices. Researchers have previously demonstrated how it can be bypassed by exploiting a vulnerability in its firmware. Thomas Roth, the author of the discovery, used a combination of firmware analysis and hardware attacks to create a backdoor in the system that survived even a complete reset of the device.
For example, on older MacBooks, the attack was possible due to flaws in the integration of the chip with the macOS kernel. This allowed deep-level modifications to the system and the embedding of malicious changes. But ACE3 has received significant improvements.
ACE3 has received a whole arsenal of new protection measures, including:
Individual firmware updates for each device, which greatly complicates the creation of universal attacks.
Disabling standard debugging ports such as JTAG.
Introducing cryptographic protection of external flash memory, which contains only small patches to the main firmware.
These measures made the researchers’ work more difficult, but they did not make the chip completely secure. Thomas Roth found a way around even these obstacles.
Faced with blocked software paths, the researcher resorted to hardware attacks. These are complex methods that require specialized equipment and physical access to the device itself. Here is how he did it:
Electromagnetic analysis. Using special tools, the researcher measured the electromagnetic emissions of the chip during operation. This allowed him to identify the weak point in the controller’s startup sequence.
Fault injection. Using strong, precisely timed electromagnetic pulses, Roth was able to disrupt the chip at that critical moment. This allowed him to bypass the cryptographic check and load modified patches.
Firmware dump. Having gained access to the internal data, he was able to create a complete copy of the ACE3 firmware for detailed analysis.
The work was painstaking: it was necessary to fine-tune the equipment, experiment with injection parameters, and analyze each stage.
While such attacks are difficult to carry out without professional equipment and knowledge, they demonstrate possible scenarios for attackers. In theory, modifying the ACE3 controller could allow a backdoor to be inserted into Apple devices, which would open up access to their operating system. This could be used to compromise devices or to bypass protections in order to install jailbreaks.
Thomas Roth’s work highlights the importance of security research. The ACE3 hack is not only a challenge for Apple, but also a lesson for other electronics manufacturers. Stories like these show that even the most advanced technologies need constant improvement.
For ordinary users, this means paying attention to security updates from manufacturers. Apple will likely learn from this and add new layers of protection in future generations of controllers.
This story is an example of how security researchers help improve technology by finding and fixing vulnerabilities.