It’s Not Exactly Open Season on the iOS Secure Enclave

Despite yesterday’s leak of the Apple iOS Secure Enclave decryption key, experts are urging calm over claims of an immediate threat to user data.

The black box that is Apple’s iOS Secure Enclave may have been pried open, but that doesn’t necessarily mean it’s open season on iPhones and iPads worldwide.

Yesterday’s public disclosure of the decryption key for the Secure Enclave Processor firmware does indeed allow white and black hats to poke and probe about for vulnerabilities. And while finding a bug is one thing; exploiting it may be quite another.

Very little granular detail has been made public about what’s going on inside Secure Enclave. Probably the best known insight was provided during a 2016 Black Hat talk given by Azimuth Security researchers Tarjei Mandt, David Wang and Mathew Solnik.

They were able to reverse engineer the Secure Enclave Processor (SEP) hardware and software, and determined that while the hardware was state-of-the-art—or better—the software left a bit to be desired. Wang was interviewed on the Risky Business podcast (interview begins at 31:24) nearly a year ago and told host Patrick Gray that there were very little in the way of memory mitigations, though he could see that Apple was constantly tinkering with the security of the Secure Enclave’s software with each successive update.

“We think the hardware is light years ahead of the competition; the software, not so much,” Wang said. “It’s missing a lot of modern exploit mitigation technology; it’s pretty much unprotected.”

This was also disclosed during the Black Hat presentation where it was revealed that things such as ASLR or stack cookie protections were missing at the time.

Mandt, however, yesterday echoed what other researchers have been saying since the key was published: the immediate threat to users is negligible.

“Our research from last year also showed that doing this typically requires additional vulnerabilities in iOS in order to enable an attacker to communicate arbitrary messages (data) to the SEP,” Mandt told Threatpost. “It is also worth noting that Apple by now presumably has addressed the shortcomings that we highlighted last year regarding exploit mitigations, making exploitation harder.”

According to the most recent iOS Security Guide, communication between the Secure Enclave and the iOS application processor—which is entirely separated from the SEP—is done through “an interrupt-driven mailbox and shared memory data buffers.”

As for the lack of ASLR or stack cookies, Wang told Risky Business this could be due to a lack of computing resources in the Secure Enclave microkernel needed to support these mitigations.

The Secure Enclave, as explained in the iOS Security Guide, is a coprocessor onto itself inside the mobile operating system. Its job is to handle cryptographic operations for data protection key management; its separation from the rest of iOS maintains its integrity even if the kernel is compromised, Apple said in the guide. Primarily, the Secure Enclave processes Touch ID fingerprint data, signs off on purchases authorized through the sensor, or unlocks the phone by verifying the user’s fingerprint.

The key was published by a hacker known only as xerub, who refused to identify himself or provide any detail on how he derived the key or whether he found any vulnerabilities in the Secure Enclave. Apple acknowledged the report, but as of yesterday still had not confirmed the legitimacy of the key xerub published. The key unlocks only the SEP firmware; user data is not at risk, xerub told Threatpost.

The disclosure also harkened back to Apple’s decision last June to release an unencrypted version of the iOS 10 kernel to beta testers. “The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,” Apple said at the time.

The decision sparked similar concerns as to yesterday’s leak, that attackers as well as legitimate researchers would be able to find and potentially exploit vulnerabilities in the kernel. Apple’s contention is that the move ultimately improves security with more researchers examining the code for bugs and privately disclosing them to the company or through its bug bounty program. Such a move also potentially weakens gray-market sales for iOS bugs, or government hoarding of bugs.

Yesterday’s news set off another flurry of angst as to the ongoing security of iOS and what would happen now that the firmware had been unlocked.

“I wouldn’t say there is any immediate threat to users at this point,” Azimuth Security’s Mandt said. “Although the key disclosure allows anyone to analyze the software that is running on the SEP processor, it still requires an attacker to find and exploit a vulnerability in order to compromise SEP.”

Suggested articles