So, I’m a 100% percent sure nobody will be able to unlock the iPhone or run third-party applications on it unless Apple opens it up. Here’s why: ARM’s TrustZone. Ehrm, make that 90%. I mean, it’s still quite unlikely. Well, OK, they can hack the serial interface in the connector but that can’t write to the screen. Well, let’s say 50-50. Of course, they can run stuff but not touch the network interface – OK, it seems they can. But never run a GUI app! Oh, they can now? But aren’t the binaries signed? No. Heh…
That’s about how I felt while writing an article for MAC+ (the upcoming print issue, which went to the printer a few days ago, around the “but never run a GUI app” phase. Well, today I see they (“they” don’t want people to link to their Wiki, but it’s easy to find on Google) succeeded in building a standard GUI app and display a screen on the iPhone. Must be Clarke’s Law in action – even though I’m not that elderly, hmpfh. Writing about moving targets is hard.
So what’s left? Of course I don’t have an iPhone myself here and I don’t have any privileged info on its architecture. I did hear over the grapevine that the Apple iPhone is following these issues with great interest and is working on updates – whether they’ll make a point of plugging these hacks is anybody’s guess. At the time I’m typing this, accessing the cellphone radio and unlocking the SIM card mechanism is still not possible.
Does that mean Apple didn’t bother to implement the TrustZone technology? I still maintain it’s impossible to crack from outside using present technology. The firmware is contained on the CPU chip itself, the implementor can restrict access to certain peripherals, decryption can happen entirely within the trusted zone, and the firmware can elect to run only signed binaries. There are some 1024-bit RSA keys in the iPhone which supposedly are still a few years away from being cracked, and in any event could be switched to 2048 or 4096. The barrier is even stronger than it was on the first Intel Macs, which had a TPM chip onboard (the last versions don’t and it seems Apple never used them) but separate from the CPU.
It’s hard to believe Apple didn’t want to take advantage of TrustZone at all, unless the intention was to publish a complete SDK later. Or perhaps only parts of the hardware are protected; the radio and the camera are possibilities. For sure they didn’t implement the usual Unix protection, where the root account can do everything; all processes on the iPhone run as root anyway. Looking at the current iPhone libraries there’s a “lockdown” library which most applications link against. It seems to check the aforementioned keys and confer privileges to access some likely-sounding sectors of the system. Having a non-standard security system is obviously an attempt to throw off people who expect 99% of the cracking to involve getting root privileges. I don’t have the tools to ascertain whether the lockdown library does in fact invoke TrustZone at a lower level, and much of this may change anyway for the next software update.
Speaking of which, from what we can see of the iPhone software the update process will involve a complete replacement – no partial updates here. My guess is that updating will also be mandatory, with iTunes updates being published simultaneously. Replacing all software at once of course makes sure that everything works together, but it would also allow Apple to change everything at once. We’ll know in a few months, I’d say.