What code is running on Apple's Secure Enclave security chip? Now we have a decryption key...
Ladies and gentlemen, start your ARM disassemblers
Apple's Secure Enclave, an ARM-based coprocessor used to enhance iOS security, became a bit less secure on Thursday with the publication of a firmware decryption key.
The key does not provide access to the Secure Enclave Processor (SEP). Rather, it offers the opportunity to decrypt and explore the otherwise encrypted firmware code that governs it, affording security researchers and other curious types a chance to learn more about how the technology works.
A hacker who goes by the name "xerub" on Twitter and GitHub posted the key on Twitter and to the iPhone Wiki, a community website that documents technical information used to pry inside Apple devices.
"This is very nice for security researchers, in my opinion," said Will Strafach, CEO of the Sudo Security Group, in an email to The Register. "It is not as useful for jailbreaking, because jailbreaking targets the main AP [application processor], not the SEP. This makes the firmware more accessible to security researchers who may not know much about the iOS platform."
Used in conjunction with xerub's img4lib, the key should be able to decrypt an iPhone 5s IMG4 SEP (Secure Enclave Processor) firmware image, which can then be processed further with a tool called sepsplit to extract the executable binaries from the image.
"This key being available does not reduce security of the Secure Enclave in any way," said Strafach. "Secure Enclave has the main task of protecting sensitive content, but the firmware decryption key is more comparable to 'obfuscation' rather than anything related to protection of the actual content stored."
According to Apple's technical documentation, the Secure Enclave coprocessor is built into Apple S2 (Watch Series 2), A7 (iPhone 5S, iPad Air, Mac Mini 2 and 3), and subsequent A-series chips.
In devices powered by the A9 (iPhone 6S, 6S Plus, SE, and 2017 iPad) and later generations of silicon, the coprocessor generates the Unique ID (UID) number and keeps it segregated from the rest of iOS.
On startup, these devices create a temporary key, incorporating the UID, to encrypt the Secure Enclave's portion of device memory space. This temporary key is also used to authenticate the Secure Enclave's memory, except on A7 devices.
The Secure Enclave also handles the processing of fingerprint scan data from the device's Touch ID sensor, in order to match it with registered fingerprint data.
Apple's Secure Enclave until recently has been largely inscrutable to outsiders. Last year, security researchers Tarjei Mandt, Mathew Solnik, and David Wang lifted the veil a bit with a presentation at the Black Hat security conference.
The researchers said Apple's security hardware design is "light years ahead of competitors" but also noted potential avenues of attack. SEPOS, the Secure Enclave's operating system, lacks basic exploit protections like memory layout randomization, they said, and also observed that its biometric application has a significant attack surface.
The iPhone 5s was released in September, 2013, so too much should not be made of the security implications of xerub's key. Apple has introduced security improvements since then and more can be expected with the arrival of new devices and OS 11 this fall.
Apple did not immediately respond to a request for comment. ®
PS: People have noticed iOS 11 has a cool feature where if you tap the power button five times rapidly it opens a screen, even if the device is locked, that allows you to make an emergency call. Crucially, it forces you to enter a passphrase to unlock the device, rather than accept Touch ID. And cops, in the US at least, can't demand your PIN because that would be self incrimination. Just an FYI.