Apple’s USB-C ACE3 controller hack, what it means for users

20 January 2025 4 minutes Author: Lady Liberty
You will learn how security researcher Thomas Roth cracked Apple’s new USB-C ACE3 controller, which is used in the iPhone 15 and Mac. The article describes the technical features of the controller, methods for protecting it, and how these measures were circumvented using hardware attacks.

How researchers hacked Apple’s USB-C ACE3 controller and why it matters

The release of the iPhone 15 was a turning point for Apple. The company abandoned its proprietary Lightning port and switched to the universal USB-C standard. However, not everything is so simple: along with this, Apple introduced a new ACE3 controller, developed in collaboration with Texas Instruments. This chip is the heart of USB-C management and does far more than the basic functions of power delivery and data transfer: ACE3 is a full microprocessor that runs a complete USB stack and is connected to the internal buses of the device. Even such a complex piece of technology turned out to be vulnerable.

What is the ACE3 controller and why is it unique?

ACE3 is a significant breakthrough in Apple’s technology. The company’s previous USB-C controllers, such as the ACE2, had basic features and were also known to have vulnerabilities. ACE3 is a completely different level:

  • It supports the full USB stack, allowing devices to operate in DFU (Device Firmware Update) mode.

  • The chip is responsible for integrating the iPhone’s internal buses, such as SPMI, which connect the processors and auxiliary components.

  • It provides access to the JTAG port for debugging the main processor, which is critical for the work of developers and… hackers.

These features make ACE3 not only a technical breakthrough, but also an interesting target for security researchers.

How researchers worked with the ACE3’s predecessor, the ACE2 controller

The ACE2 controller has also been used in Apple devices. Researchers have previously demonstrated how it can be compromised by exploiting a vulnerability in its firmware. Thomas Roth, the author of the discovery, used a combination of firmware analysis and hardware attacks to create a backdoor that persisted even after a complete reset of the device.

For example, on older MacBooks, the attack was possible due to flaws in the integration between the chip and the macOS kernel. This allowed deep, low-level modifications to the system and the embedding of malicious changes. ACE3, however, received significant improvements.

How Apple strengthened security in ACE3

ACE3 has received a whole arsenal of new protection measures, including:

  • Firmware personalized for each individual device, which greatly complicates the creation of universal attacks.

  • Disabling standard debugging ports such as JTAG.

  • Introducing cryptographic protection of external flash memory, which contains only small patches to the main firmware.

These measures made the researchers’ work more difficult, but they didn’t make the chip completely secure. Thomas Roth found a way to get around even these obstacles.

Hardware attacks and reverse engineering

Faced with blocked software paths, the researcher resorted to hardware attacks. These are complex methods that require specialized equipment and access to the device itself. Here’s how he did it:

  • Electromagnetic analysis. Using specialized probes, the researcher measured the electromagnetic emissions of the chip during operation. This allowed him to identify the moment during the controller’s startup at which it was most sensitive to interference.

  • Fault injection. Using a strong electromagnetic pulse, Roth was able to disrupt the chip at that critical moment. This allowed him to bypass the cryptographic check and load modified patches.

  • Firmware dump. Having gained access to the internal data, he was able to create a complete copy of the ACE3 firmware for detailed analysis.

The work was painstaking: the equipment had to be fine-tuned, the injection parameters determined by experiment, and each stage analyzed separately.
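The fault-injection step above defeats a cryptographic check by corrupting the chip at the instant the decision is made. As an added defensive illustration (not Apple’s or the researcher’s code), the C below contrasts a naive one-decision verifier with a glitch-hardened one: the “signature” is a toy FNV-1a tag, the glitch is modelled as an XOR mask applied to one result register, and the sample patch is constructed; all three are assumptions of this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not ACE3 or Apple code. A toy bootloader decides whether
 * to accept a patch from external flash. A glitch is modelled as XORing a mask
 * into the register that holds one comparison result. */

#define VERIFY_OK   0x5A3CC3A5u  /* far from 0, 1 and each other: a zeroed or   */
#define VERIFY_FAIL 0x2C5B1D7Eu  /* single-bit-flipped register is never "OK"   */

/* Stand-in for signature verification: FNV-1a tag over the patch body. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

static uint32_t tag_matches(const uint8_t *body, size_t n, uint32_t stored) {
    return (fnv1a(body, n) == stored) ? VERIFY_OK : VERIFY_FAIL;
}

/* Naive: a single 0/1 decision; any nonzero value is treated as success, so
 * one corrupted register accepts an unsigned patch. */
bool verify_naive(const uint8_t *body, size_t n, uint32_t stored, uint32_t glitch) {
    uint32_t ok = (fnv1a(body, n) == stored);  /* 0 or 1 */
    ok ^= glitch;                              /* fault model */
    return ok != 0;
}

/* Hardened: two independent evaluations must each equal the non-trivial OK
 * constant and agree with each other. The same single-register fault now
 * rejects the patch (fail-closed), because the second evaluation is intact. */
bool verify_hardened(const uint8_t *body, size_t n, uint32_t stored, uint32_t glitch) {
    uint32_t r1 = tag_matches(body, n, stored) ^ glitch;  /* fault lands here */
    uint32_t r2 = tag_matches(body, n, stored);           /* re-evaluated */
    if (r1 != VERIFY_OK) return false;
    if (r2 != VERIFY_OK) return false;
    if ((r1 ^ r2) != 0) return false;
    return true;
}

/* Constructed sample patch body and its correct tag. */
static const uint8_t kPatch[] = {0x01, 0x02, 0x03, 0x04};
uint32_t good_tag(void) { return fnv1a(kPatch, sizeof kPatch); }
```

Real firmware adds random delays, clock and voltage sensors and hardware-backed signature checks on top of this pattern; the point here is only that a single boolean decision is the weakest possible target for a glitch.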

Why is this important for users?

While such attacks are difficult to carry out without professional equipment and knowledge, they demonstrate realistic scenarios for attackers. In theory, modifying the ACE3 controller could allow a backdoor to be inserted into Apple devices, giving access to their operating system. This could be used to compromise devices or to bypass protections in order to install jailbreaks.

What’s next?

Thomas Roth’s work highlights the importance of security research. The ACE3 hack is not only a challenge for Apple, but also a lesson for other electronics manufacturers. Stories like these show that even the most advanced technologies need constant improvement.

For ordinary users, this means paying attention to security updates from manufacturers. Apple will likely learn from this and add new layers of protection in future generations of controllers.

This story is an example of how security researchers help improve technology by finding and fixing vulnerabilities.
