Hacker Releases Firmware Decryption Key for Apple's Secure Enclave

by

A hacker released what he claimed to be a firmware decryption key for Apple's Secure Enclave on Thursday, initially sparking fears that iOS security had been compromised.

Apple's Secure Enclave Processor (SEP) handles all cryptographic operations for the Apple Watch Series 2, the A7 processor that powers the iPhone 5s, the iPad Air, the iPad mini 2 and 3, and subsequent A-series chips. The encrypted SEP is completely isolated from the rest of the system and handles Touch ID transactions, password verifications, and other security processes on a separate OS to maintain data protection integrity even if the kernel has been compromised.

One of the ways the SEP does this is by generating a Unique ID (UID) for each device for authentication purposes. The UID automatically changes every time a device is rebooted and remains unknown to other parts of the system, further enhancing its security.

Beyond that, little is known about how the SEP actually works outside of Apple, but that's by design – the enclave's isolation serves to obfuscate it from the rest of the system, preventing hackers from rifling through its code to make it as secure as possible.


The decryption key posted on GitHub yesterday would not enable hackers to access data stored inside the Secure Enclave, but it could allow hackers and security researchers to decrypt the firmware that controls it and potentially spot weaknesses in the code.

Speaking to TechRepublic, the hacker that released the key claimed that Apple's effort to obfuscate the code was itself cause for concern.

"The fact that the SEP was hidden behind a key worries me," said xerub. "Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?" He added that while SEP is amazing tech the fact that it's a "black box" adds very little, if anything to security. "Obscurity helps security — I'm not denying that," he said, but added that relying on it for security isn't a good idea.

"I think public scrutiny will add to the security of SEP in the long run," xerub said, noting that was also his intention with releasing the key.

Xerub claimed it's theoretically possible that the decryption key could be used to watch the SEP do its work, which could potentially allow hackers to reverse-engineer its process and gain access to its contents, including passwords and fingerprint data. However, he admitted that a lot of additional work would need to go into exploiting the decrypted firmware.

It's still unclear what the longer term repercussions could be, but an Apple source who wished to remain anonymous told TechRepublic that the release of the SEP key doesn't directly compromise customer data.

"There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information," they said. "It's not an easy leap to say it would make getting at customer data possible."

More accurately, it makes research into the structure of the SEP possible, which could allow hackers to find flaws in its workings. Apple said it did not plan to roll out a fix at this time.

Top Rated Comments

(View all)
Avatar
40 months ago
This is why good security generally involves lots of layers, the "onion" strategy. Getting past one layer is a problem, but not one that (in isolation) is a meaningful security breach.

Another way to think of it — The SEP came out with the iPhone 5s 4 years ago. So this encryption layer has prevented 4 years worth of hacking attempts on the deeper layers, which is time Apple has most likely been spending improving those layers. It might also be possible for Apple to re-apply this outer layer in subsequent iPhones, or maybe even with a firmware patch, thereby resetting the clock again.

So yeah, it's unfortunate that it's been hacked, but I still feel relaxed about my iPhone's security.
Score: 19 Votes (Like | Disagree)
Avatar
40 months ago
As far as privacy and security go, I still sleep just fine at night in Apple's ecosystem.
Score: 10 Votes (Like | Disagree)
Avatar
40 months ago

"Obscurity helps security — I'm not denying that," he said, but added that relying on it for security isn't a good idea.

No, it is not, but am I missing something here or is there no indication Apple is doing that? Just because they have now _added_ a layer of security doesn't imply that they're _relaxing_ another layer of security and not taking auditing their SEP code seriously?

I am absolutely certain that Apple's security experts have heard of the saying "Security through obscurity" and its fallacies... It is a fallacy to replace one with the other, but not use both in tandem.
Score: 7 Votes (Like | Disagree)
Avatar
40 months ago
It's only a matter of time, but this is what you get when hackers and script kiddies are never jailed for their crimes, hack the defence networks oh sure jail you, hack a mass market consumer device or steal millions of people's details and passwords then you get a slapped wrist, and a nicely paid job in a security firm....
Score: 7 Votes (Like | Disagree)
Avatar
40 months ago
Only going to help the users out but;

How does he criticize apple for obfuscation of the SEP (makes it hard to read) claiming that Apple doesn't have confidence in it being uncrypted like it's kernels but then adds that right now there's no way of knowing if obfuscation is the only form of security. How can you criticize obfuscation as Apples plan for hackers when you don't know if that's all they do....
Score: 6 Votes (Like | Disagree)
Avatar
40 months ago

I'm going to go out on a limp and say . . .

Apropos of nothing, I love this typo.
Score: 5 Votes (Like | Disagree)

Top Stories

Here's How You Can Download iOS 14 and iPadOS 14 Around the World [It's Out]

Wednesday September 16, 2020 2:36 am PDT by
Apple's official public release of iOS 14 and iPadOS 14 dropped on Wednesday, September 16, just a day after the company released the Golden Master to third-party developers. Also set to be made available to the general public for the first time are watchOS 7 and tvOS 14. Getting Started With iOS 14 Video Click image to watch iOS 14 Getting Started While that's left a lot of developers...

When Will the iPhone 12 Launch? Here's What We Know

Wednesday September 16, 2020 6:12 am PDT by
Yesterday's "Time Flies" Apple event saw the release of the Apple Watch Series 6, Apple Watch SE, iPad 8, and iPad Air 4, but no new iPhone models. Rumors before the event strongly alleged that it would not see the unveiling of new iPhones, with many reports pointing to an October launch. The lack of new iPhone models yesterday seems to confirm that the iPhone 12 lineup will not appear...

Apple Releases iOS 14 and iPadOS 14 With Home Screen Redesign, App Library, Compact UI, Translate App, Scribble Support, App Clips, and More

Wednesday September 16, 2020 12:48 pm PDT by
Apple has released iOS 14 and iPadOS 14, the newest operating system updates designed for the iPhone and iPad. As with all of Apple's software updates, iOS 14 and iPadOS 14 can be downloaded for free. iOS 14 is available on the iPhone 6s and later, while iPadOS 14 is available on the iPad Air 2 and later. The updates are available on all eligible devices over-the-air in the Settings app. To ...

Apple Releases Safari 14 for Mac Ahead of macOS Big Sur Launch

Wednesday September 16, 2020 1:40 pm PDT by
macOS Big Sur didn't launch alongside iOS 14, iPadOS 14, tvOS 14, and watchOS 7 today, with the update coming later this fall, but Apple did release the Safari 14 update for macOS Catalina and macOS Mojave users. Safari 14 brings improved performance, customizable start pages, a Privacy Report to see which cross-site trackers are being blocked, and a new tab bar design that provides tab...

Apple Updates AirPods 2 and AirPods Pro Firmware to Version 3A283

Monday September 14, 2020 11:24 am PDT by
Apple today released new 3A283 firmware updates for the second-generation AirPods and the AirPods Pro. The second-generation AirPods are being updated from the 2D15 firmware they were previously running, while the AirPods Pros are being updated from the 2D27 firmware they had installed previously. Apple does not provide details on what's included in refreshed firmware so we don't know what's ...

iOS 14 Picture in Picture No Longer Working With YouTube's Mobile Website in Safari [Without Premium]

Friday September 18, 2020 12:21 pm PDT by
Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. When Picture in Picture was working with YouTube The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched...

Hands-On With the New Apple Watch Series 6 and Apple Watch SE

Friday September 18, 2020 1:19 pm PDT by
Today's the official launch date for the Apple Watch Series 6 and the Apple Watch SE, both of which Apple announced on Tuesday. We picked up a couple of the new models and thought we'd give them a quick look for MacRumors readers thinking of ordering a new watch. Apple Watch Series 6 & Apple Watch SE Hands-On! When it comes to design, both the $399 Series 6 and the $279 SE look just like...

iOS 14.2 Beta Adds New Shazam Music Recognition Feature for Control Center

Thursday September 17, 2020 3:36 pm PDT by
Apple today released the first beta of iOS 14.2 to developers for testing purposes, and the new update introduces a Music Recognition control for the Control Center. The new feature lets you discover music playing around you and it recognizes the music playing with in apps, even when you're wearing AirPods. Songs pop up as notifications, and you can tap to listen in Apple Music....

8 Third-Party Home Screen Widgets That You Can Try Out Now on iOS 14

Wednesday August 5, 2020 12:56 pm PDT by
One of the biggest new features of iOS 14 is Home Screen widgets, which provide information from apps at a glance. The widgets can be pinned to the Home Screen in various spots and sizes, allowing for many different layouts. When the iOS 14 beta was first released in June, widgets were limited to Apple's own apps like Calendar and Weather, but several third-party developers have begun to test ...

Apple Releases watchOS 7 With New Watch Faces, Family Setup, Sleep Tracking, Handwashing Help and More

Wednesday September 16, 2020 12:47 pm PDT by
Apple today released watchOS 7, the newest version of the watchOS operating system designed to run on modern Apple Watch models. The watchOS 7 update comes after several months of beta testing. ‌watchOS 7‌ can be downloaded for free through the dedicated Apple Watch app on the iPhone by going to General > Software Update. To install the new software, the Apple Watch needs to have at...