Talk Title:

Using a magic wand to break the iPhone's last security barrier

Abstract:

In this talk i will present my work on attacking the iPhone's hardware AES crypto core through an EM-sidechannel in order to retrieve the hardware fused GID and UID keys. The GID key is used to decrypt firmware updates. By extracting it, you can decrypt past and future firmwares without using a physical device as oracle.The UID key is used for user data encryption. By extracting it, you can offline bruteforce the iPhone PIN code (which protects the data) using a GPU cluster. For example you can break an 8 digit numeric PIN in just 27 minutes using a single GPU, compared to 92 days it would take to crack it on device. This scales linearly with the number of GPUs you use.

Speaker Bio:

I am tihmstar and my hobby is to hack iOS devices.

I worked on jailbreaking iOS devices including iPhone, iPad, iPod, Apple Watch and Apple TV covering a wide range of devices from old ones like iPhone4s up to the most recent ones including iPhone12pro.

Software wise this covers a range of iOS 8 up to iOS 14 doing remote (webkit) exploits, local kernel exploits, persistence exploits and even some work on bootchain.

Some of the jailbreaks i worked on are: PhoneixJB, EtasonJB, JailbreakMe 4.0, H3lix, DoubleH3lix, JelbrekTime, EtasonATV, Odyssey, Taurine...

While creating several iOS hacking related open source tools along the way (github.com/tihmstar)

I did a few talks in the past, here are some of them:

• Downgrading iOS: From past to present (33c3): https://www.youtube.com/watch?v=rZ_mike3Lss
• Jailbreaking iOS: From past to present(35c3): https://www.youtube.com/watch?v=t01tbbjJHbs
• XNU heap exploitation: From kernel bug to kernel control (nullcon Goa 2020): https://www.youtube.com/watch?v=LAE_KStI31M
• Jailbreking the AppleTV 3 (nullcon Berlin 2022): https://www.youtube.com/watch?v=Mvm1yLbx_bM