A hacker Thursday afternoon published what he says is the decryption key for Apple iOS’ Secure Enclave Processor (SEP) firmware.
The hacker, identified only as xerub, told Threatpost that the key unlocks only the SEP firmware, and that this would not impact user data.
“Everybody can look and poke at SEP now,” xerub said.
— ~ (@xerub) August 16, 2017
Apple did confirm to Threatpost that if the key was legitimate, that user data would not be at risk from this leak. Apple has reportedly yet to confirm the validity of the key.
The Secure Enclave, as explained in the iOS Security Guide, is a coprocessor onto itself inside the mobile operating system. Its job is to handle cryptographic operations for data protection key management; its separation from the rest of iOS maintains its integrity even if the kernel is compromised, Apple said in the guide.
Primarily, the Secure Enclave processes Touch ID fingerprint data, signs off on purchases authorized through the sensor, or unlocks the phone by verifying the user’s fingerprint.
Publishing of the key now exposes the Secure Enclave to researchers and attackers alike, both of which will be able to examine the previously walled-off processor for vulnerabilities and gain insight into how it operates.
“Hopefully Apple will work harder now that they can’t hide SEP, resulting in improved security for users,” xerub said.
Xerub would not provide any details on how he decrypted the key, nor would he comment on whether he looked for, or found any, vulnerabilities in the Secure Enclave once he had access. He also would not comment on whether he privately disclosed his finding to Apple in advance.
“This isn’t really bad in my opinion,” said Patrick Wardle, chief security researcher at Synack and founder of Objective-See. “[This] just means the security researchers, and yes hackers, can now look at the firmware for bugs. Before, it was encrypted so they couldn’t audit and analyze it. Is a system less secure if people can’t audit it? I think, yes.”
The question that’s left out in the open is whether xerub was able to leverage a vulnerability or weakness in Secure Enclave to decrypt the key, and whether Apple will be able to implement a new encryption key for Secure Enclave, should it choose to do so.
Until today, there had been very little public information about Secure Enclave. Apple is notoriously tight-lipped about security and infrequently talks about the machinations keeping iOS or any of its platforms safe.
A 2016 Black Hat presentation, below, on Secure Enclave by Azimuth Security’s Tarjei Mandt, Mathew Solnik and David Wang, was one of the deepest dives behind this mysterious curtain. The researchers did go into some high-level detail about its design and security resilience, but little is known about its implementation.
As for TouchID, it’s been available since the iPhone 5S was released and iPad2. In addition to unlocking the phone with a fingerprint, users could likewise approve transactions through Apple Pay, the Apple App Store, iBooks and other online stores. The Secure Enclave watches over it, processing finger print data and determining whether there is a match against fingerprints the user has already registered on the device, the iOS Security Guide says.
“Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus,” the iOS Security Guide says. “The processor forwards the data to the Secure Enclave but can’t read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is provisioned for the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.”