
RA tells Apple what software stack you're running and that it's not virtualized (genuine hardware device). Therefore, you no longer need software obfuscation because:

1. The software is now tamperproofed (server won't release content key unless the RA contains an expected hash)

2. The memory space is protected from being read from other processes, so there's no need to try and hide the processing of secrets in the code itself.

i.e. a system based on RA can be entirely transparent, open source even, and it can still work. The only secrets are the hardware keys that act as the root of trust. The software and hardware stack does itself need to be secure of course, but Apple has got pretty good at that. And btw Apple's platforms already support remote attestation:

https://developer.apple.com/documentation/devicecheck
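The key-release flow the comment above describes, as an added example that is not part of the original post and not Apple's DeviceCheck API: the server issues a fresh nonce, the device signs (nonce, measurement of its software stack) with a key only the hardware holds, and the server releases the content key only if the signature verifies and the measurement is on its allowlist. An HMAC with a per-device secret stands in for the hardware's asymmetric attestation key, and every device ID, stack string and key below is constructed for the example.

```python
"""Remote-attestation-gated content-key release (illustrative, stdlib only)."""
import hashlib
import hmac
import secrets

# Constructed: a per-device secret provisioned at manufacture. A real device
# would sign with an asymmetric key in hardware; HMAC stands in for that here.
DEVICE_ID = "device-0001"
DEVICE_ATTESTATION_KEYS = {DEVICE_ID: secrets.token_bytes(32)}

# Constructed "software stacks"; the measurement is the hash of the stack.
GOOD_STACK = b"bootloader-v7|kernel-17.2|player-3.1"
OLD_STACK = b"bootloader-v7|kernel-16.0|player-3.1"   # later revoked as vulnerable
CONTENT_KEY = b"\x11" * 16                             # the secret the server protects


def measure(stack: bytes) -> bytes:
    return hashlib.sha256(stack).digest()


def make_quote(device_id: str, nonce: bytes, stack: bytes) -> dict:
    """Device side: sign (nonce || measurement) with the device's attestation key."""
    measurement = measure(stack)
    key = DEVICE_ATTESTATION_KEYS[device_id]
    sig = hmac.new(key, nonce + measurement, hashlib.sha256).digest()
    return {"device_id": device_id, "nonce": nonce, "measurement": measurement, "sig": sig}


class ContentServer:
    """Server side: verifies quotes and releases the content key on success."""

    def __init__(self, content_key: bytes, allowed_measurements, device_keys: dict):
        self.content_key = content_key
        self.allowed = set(allowed_measurements)   # measurements entitled to the key
        self.device_keys = device_keys             # public side of device keys in reality
        self.outstanding = set()                   # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def revoke(self, measurement: bytes) -> None:
        """Stop releasing the key to a stack found to be exploitable."""
        self.allowed.discard(measurement)

    def release_key(self, quote: dict):
        nonce = quote["nonce"]
        if nonce not in self.outstanding:
            return None                            # replayed or unsolicited quote
        self.outstanding.discard(nonce)            # nonces are single use
        key = self.device_keys.get(quote["device_id"])
        if key is None:
            return None                            # unknown device
        expected = hmac.new(key, nonce + quote["measurement"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return None                            # signature does not cover this measurement
        if quote["measurement"] not in self.allowed:
            return None                            # stack not on the allowlist (or revoked)
        return self.content_key


def run_scenario() -> dict:
    """Exercise the flow; every value in the returned dict should be True."""
    server = ContentServer(CONTENT_KEY, [measure(GOOD_STACK), measure(OLD_STACK)],
                           DEVICE_ATTESTATION_KEYS)
    out = {}
    q = make_quote(DEVICE_ID, server.challenge(), GOOD_STACK)
    out["genuine_gets_key"] = server.release_key(q) == CONTENT_KEY
    out["replay_rejected"] = server.release_key(q) is None
    q = make_quote(DEVICE_ID, server.challenge(), b"jailbroken-stack")
    out["unlisted_stack_rejected"] = server.release_key(q) is None
    q = make_quote(DEVICE_ID, server.challenge(), b"jailbroken-stack")
    q["measurement"] = measure(GOOD_STACK)         # lie about the stack without the key
    out["forged_measurement_rejected"] = server.release_key(q) is None
    q = make_quote(DEVICE_ID, server.challenge(), OLD_STACK)
    out["old_kernel_before_revoke"] = server.release_key(q) == CONTENT_KEY
    server.revoke(measure(OLD_STACK))
    q = make_quote(DEVICE_ID, server.challenge(), OLD_STACK)
    out["old_kernel_after_revoke"] = server.release_key(q) is None
    return out


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The server never sees the device's private material and the client code can be fully open: the only checks that matter are the nonce (freshness), the signature (genuine hardware) and the allowlist (expected stack), and the last of these is what lets a vendor cut off a kernel version after an exploit is published.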



> The software and hardware stack does itself need to be secure of course, but Apple has got pretty good at that.

lol


Thanks for the detailed explanation.

> The software and hardware stack does itself need to be secure of course

Oh this is what I'm missing. It's a huge assumption that I wish that can be true!


Is it not true? Not everything needs to be secure, just the right parts. The test is whether you can jailbreak the devices and not be detected by their RA scheme. As far as I know, there's no (public) way to do this.

BTW, this tech isn't new. In practice if you are vertically integrating, it's possible to make things secure enough. Games consoles have been doing this for years. Even in the Xbox 360 era, the use of local exploits was detectable the moment you connected to Xbox Live, and AFAIK Xbox One remains completely unmoddable/unjailbroken even after a decade into its lifespan.

There's a tech talk here by a member of the Xbox team who talks about how they secured it against physical attack:

https://www.youtube.com/watch?v=U7VwtOrwceo

But bear in mind, RA was never the weak point even of the 360.

Making remote attestation secure is a well studied problem in the industry. It's been done several times. You have to be a competent tech firm producing your own hardware/software combos, and you need a competent security team, but there are several companies that meet those criteria and Apple is definitely one of them.


So from an attacker's perspective nowadays it sounds like focusing on encryption weaknesses and/or hardware issues (e.g. glitching) or firmware vulnerabilities is the right place to look?


I don't know much about Apple's hardware but at least consoles are secured against both those things. They have anti-glitch circuitry. The boot ROM doesn't even do comparisons against computed hashes, it just extends PCRs with them so it's glitch-proof by design even if the core stability monitoring fails. The Xbox One doesn't even expose most of the keys to software at any point. The keys flow from the hardware parts of the security complex to the RAM decryption/hashing engine via dedicated wires on the SoC.

Also, the entire stack is renewable. Unless you find a bug in the boot ROM they will just patch it and months of work will be toast within days. The boot ROMs are (a) encrypted and (b) very heavily reviewed and pen tested. Again, don't know about Apple but all these modern security architectures are more or less the same. The underlying theory is universal and sound, it just boils down to varying levels of cost / effort / backwards compatibility / generality.

So I'd say there are no right places to look anymore. There's always the potential for bugs in the tiny parts of the systems that act as the roots of trust, but these are small pieces of code and it's possible with enough break/fix cycles and review to make them perfect.

All the above rests on a few assumptions:

• Attackers of limited motivation. Xbox guys set a budget of $600 for hacking a specific console. If you're willing to spend more than that on a physical attack then they accept defeat (i.e. FIB workstations are out of scope).

• Platform vendors with tight control over hardware. PCs are insecure against physical attacks by design due to general disagreement and lack of consensus over whether it really matters / what the threat model is. So there are RA schemes but they're hardly used and mostly sold to enterprises wanting to defend against malware.

• Goal is to defend the whole stack. PC platforms can do RA of isolated worlds, this is how SGX works, and it's in theory secure against physical attack (encrypted memory) but SGX enclaves are very limited in what they can do. In theory you could build a secure path to the GPU, but in practice to do that requires a billion NDAs and only works with some GPUs etc and there's no encrypted path for input devices. On iDevices, consoles and other places with vertical integration that's solvable.
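The boot ROM design point in the comment above (extend a PCR instead of comparing hashes and branching), as an added example that is not code from the original post or from any console vendor: design A hashes each image and branches on a comparison, so a fault that skips the branch boots a tampered image with full access to secrets; design B never compares, it only folds each image hash into a PCR and derives the sealing key from the final PCR, so a tampered or skipped measurement still boots but ends up with the wrong key (and would present the wrong PCR in any attestation quote). The boot chain, images and root key are constructed for the example.

```python
"""Measured boot: compare-and-branch vs PCR-extend under a skipped-instruction glitch."""
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed boot chain: (component name, image bytes). Real ones are firmware images.
GENUINE_CHAIN = [(b"bootloader", b"bl-v7"), (b"kernel", b"kernel-17.2")]
TAMPERED_CHAIN = [(b"bootloader", b"bl-v7"), (b"kernel", b"kernel-17.2-patched")]
EXPECTED_HASHES = {name: sha256(image) for name, image in GENUINE_CHAIN}
ROOT_KEY = b"\x42" * 32     # constructed stand-in for a key fused into the SoC
PCR_INIT = bytes(32)


def boot_by_comparison(chain, glitch_skips_check: bool = False) -> bool:
    """Design A: hash each image, compare, refuse to boot on mismatch.
    A glitch that skips the conditional branch (glitch_skips_check=True)
    lets a tampered image run with the same privileges as a genuine one."""
    for name, image in chain:
        if not glitch_skips_check and sha256(image) != EXPECTED_HASHES[name]:
            return False
    return True


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new_pcr = H(old_pcr || measurement). There is nothing to branch on."""
    return sha256(pcr + measurement)


def boot_by_extension(chain, glitch_skips_extend: bytes = None) -> bytes:
    """Design B: extend the PCR with each image hash and run the image regardless.
    glitch_skips_extend names a component whose extend a fault removed entirely."""
    pcr = PCR_INIT
    for name, image in chain:
        if name != glitch_skips_extend:
            pcr = extend(pcr, sha256(image))
    return pcr


def seal_key(pcr: bytes, root_key: bytes) -> bytes:
    """Hardware derives the usable key from the root key and the final PCR,
    so only the expected boot chain yields the key that unwraps the secrets."""
    return hmac.new(root_key, pcr, hashlib.sha256).digest()


EXPECTED_PCR = boot_by_extension(GENUINE_CHAIN)
GOOD_KEY = seal_key(EXPECTED_PCR, ROOT_KEY)


def run_scenario() -> dict:
    """Compare both designs; every value in the returned dict should be True."""
    return {
        "compare_genuine_boots": boot_by_comparison(GENUINE_CHAIN),
        "compare_tampered_refused": not boot_by_comparison(TAMPERED_CHAIN),
        # the weakness: one skipped branch and design A boots the tampered kernel
        "compare_tampered_boots_under_glitch":
            boot_by_comparison(TAMPERED_CHAIN, glitch_skips_check=True),
        "extend_genuine_key_ok":
            seal_key(boot_by_extension(GENUINE_CHAIN), ROOT_KEY) == GOOD_KEY,
        "extend_tampered_key_wrong":
            seal_key(boot_by_extension(TAMPERED_CHAIN), ROOT_KEY) != GOOD_KEY,
        # skipping the extend does not help either: the PCR is still not the expected one
        "extend_glitched_key_wrong":
            seal_key(boot_by_extension(TAMPERED_CHAIN, glitch_skips_extend=b"kernel"),
                     ROOT_KEY) != GOOD_KEY,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The caveat a practitioner should note: design B only protects what is derived from or attested with the PCR. A glitch that made the hashing engine emit exactly the expected digest would still defeat it, but that is a very different fault from the skip-one-instruction glitches that break design A, which is why the extend-only boot ROM is described as glitch-resistant by construction rather than by the stability monitor.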


God, all this sounds like a nightmare. I can't wait for laws that prohibit platforms/software from refusing service/content to users on the basis of the level of control they have over devices used to interact with it.

Dark times.


Users love this stuff. It lets them buy cheap consoles that are sold below cost and subsidised by game royalties. Heavy gamers subsidise light gamers, and both can effectively "pay off" the true cost of the hardware over time as they buy titles. So it's a bit like zero-interest credit.

Also it eliminates cheating in multiplayer games, and users love that too.

And finally it stops gamers who play by the rules and buy games from feeling like mugs when their mates are playing for free, because there's no piracy.

You think users are going to vote to end all that? They already voted with their feet and embraced consoles on a massive scale. Both console and mobile gaming dwarfs PC gaming.


Consider privacy. One might say "Users love this stuff. They get complex and effective services for free, all in exchange for contributing their data towards ads. Purchasers and advertisers subsidize light users who just consume the content."

And yet, we got laws like GDPR on the ideological basis that personal data is above the concept of "market" and about the individual, period. Your business model be damned.

The same thing should happen here. Both the complete control over all parts/SoCs of a device, and the right to the lack of negative consequences for choosing to exercise that control (such as being second-class citizens on the platform that runs on that device in terms of content/service availability) are paramount to a digital free society, and should be regulated as such, putting them above the concept of "market", just as privacy was.


These same platform controls allow Apple to restrict user data collection from apps. Meanwhile: the notion of a "digital free society" isn't a thing.


I'd much prefer governments use their force of law to make those tracking practices impossible (for anything that isn't an outright criminal enterprise) than a private entity making them technically difficult.


This seems like an argument against defense in depth? I suppose encouraging security researchers to find vulnerabilities is a good thing and obfuscation hinders that.


RA doesn't protect you from kernel exploits.


In some DRM architectures, the key and the data encrypted with it are never even exposed to the kernel.

That’s how many high resolution video DRM schemes work.


It lets you detect if the user is running a vulnerable kernel.

Apple's stack is pretty secure. When was the last iPhone jailbreak? I don't follow it closely as I'm not an iPhone user, but it feels like a long time ago now. And if an exploit is found, they can just revoke that kernel version. Apps can then ask users to apply the update to regain access to their streams.


It gets harder and takes longer to jailbreak the iPhone. iOS 15.0 – 15.4.1 was jailbroken - it has been 2 years - I would expect an exploit on 16 already existing and under embargo.


Exploits are just kept private by bad actors nowadays.

Apple now gets the worst of both worlds, the harmless jailbreaking scene is dying but the bad actors are still in full force.


How is that the worst of both worlds? The harmless jailbreak world also empowers bad actors.


I never believed that PR argument.


Exactly!



