A recent tweet by hacker @xerub confirms that the firmware of Apple's Secure Enclave has been decrypted. The Secure Enclave Processor (SEP) is a coprocessor that handles security-sensitive work for iOS devices: Touch ID matching, passcode verification and the key management behind them. Since the iPhone 5S it has been built into the same chip as the main processor, yet it runs its own operating system, receives its own firmware updates, and is isolated from the rest of the system. The primary job of this coprocessor is to protect the device's unique ID (UID) and the keys derived from it.
How Apple’s Encryption Works
Apple uses a 256-bit secret key that is unique to each device: the UID. It lives inside the SEP, separate from the application processor and far harder to read out or guess than anything a user types. Because every device has its own 256-bit key, a third party who copies the encrypted files off the flash gets nothing they can decrypt elsewhere; contrast that with data encrypted only under a user-chosen password.

Apple then tangles the UID with your passcode to derive the passcode key, and that key in turn protects the class keys that encrypt the important data on the phone. Only the device knows its UID, and since the UID cannot be removed from the SEP, every passcode guess has to be made on the device itself. The derivation is calibrated so that each attempt costs about 80 ms, which makes exhaustive search slow: 36^6 guesses at 80 ms each comes to roughly 5.5 years for a random six-character passcode of lowercase letters and digits. Short numeric PINs fare far worse: the whole four-digit space is only 10,000 guesses, about 13 minutes at 80 ms each, and a six-digit PIN about 22 hours. Those figures ignore the escalating lockout delays the SEP enforces after repeated failures and the optional erase after ten wrong guesses, which are the controls a firmware bug would have to defeat.

Two pieces therefore have to hold together: 1) the user picking a strong passcode, and 2) the UID remaining unobtainable. The UID appears to be wired to the AES engine by a dedicated path, so software can select it as a key but never read it out. This lends credence to Apple's claim that no software can extract the UID, not even Apple's own. For those looking for more information: https://blog.cryptographyengineering.com/2014/10/04/why-cant-apple-decrypt-your-iphone/
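The mechanism described above, as an added worked model. This is not Apple's code (the real SEP derivation is unpublished): the "tangling" of passcode and device secret is modelled here as PBKDF2-HMAC-SHA256 salted with a constructed stand-in for the UID, the KDF is calibrated to the roughly 80 ms per attempt quoted on the page, and the brute-force arithmetic is worked for the keyspaces discussed plus a six-digit PIN. The names UID, derive_passcode_key, calibrate_iterations, brute_force_seconds, brute_force_pin and report are this example's own, and the 80 ms figure is taken from the text, not measured on a device.

```python
# Illustrative model of a UID-tangled passcode key. NOT Apple's SEP code: the
# real derivation is not public. Assumptions are labelled where they appear.
import hashlib
import time
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SEP_SECONDS_PER_ATTEMPT = 0.08  # per-attempt cost quoted on the page (assumed here)

# Constructed stand-in for the per-device 256-bit UID. On real hardware it is
# fused into the SoC and usable only as an AES key, never readable by software.
UID = hashlib.sha256(b"constructed-example-device-uid").digest()


def derive_passcode_key(passcode: str, uid: bytes, iterations: int) -> bytes:
    """Model of 'tangling': a slow KDF salted with the device secret, so the
    result is useless off-device (no UID, no key). PBKDF2 is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), uid,
                               iterations, dklen=32)


def calibrate_iterations(target_seconds: float = SEP_SECONDS_PER_ATTEMPT,
                         probe_iterations: int = 20_000) -> int:
    """Pick an iteration count so one derivation costs ~target_seconds on this
    machine; this is how a per-attempt floor such as 80 ms is set in practice."""
    start = time.perf_counter()
    derive_passcode_key("probe", UID, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


def brute_force_seconds(alphabet_size: int, length: int,
                        seconds_per_attempt: float = SEP_SECONDS_PER_ATTEMPT) -> float:
    """Worst-case time to exhaust a keyspace at the given on-device rate."""
    return (alphabet_size ** length) * seconds_per_attempt


def brute_force_pin(target_key: bytes, uid: bytes, iterations: int,
                    digits: int) -> Optional[str]:
    """Exhaust an all-numeric PIN space on the device holding `uid`.
    Without the correct `uid` no candidate will ever match."""
    for candidate in range(10 ** digits):
        pin = f"{candidate:0{digits}d}"
        if derive_passcode_key(pin, uid, iterations) == target_key:
            return pin
    return None


def report() -> dict:
    """Worst-case exhaustive-search times at 80 ms/attempt for the keyspaces
    the page mentions, plus a six-digit PIN."""
    return {
        "4-digit PIN (minutes)": brute_force_seconds(10, 4) / 60,
        "6-digit PIN (hours)": brute_force_seconds(10, 6) / 3600,
        "6-char lowercase+digits (years)": brute_force_seconds(36, 6) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label}: {value:.2f}")
    # On-device recovery of a weak PIN; the KDF is made cheap (1 iteration)
    # only so the demo runs quickly. The attacker still needs the UID.
    key = derive_passcode_key("0417", UID, iterations=1)
    print("recovered with correct UID:", brute_force_pin(key, UID, 1, 4))
    print("recovered with wrong UID:", brute_force_pin(key, bytes(32), 1, 4))
    print("iterations for ~80 ms on this host:", calibrate_iterations())
```

The first half reproduces the arithmetic behind the page's figures: about 13 minutes for a four-digit PIN, about 22 hours for six digits, and about 5.5 years for six lowercase alphanumerics, all before the SEP's escalating delays. The second half makes the other point concrete: with the correct UID a four-digit PIN falls to at most 10,000 guesses, while an attacker holding the same wrapped key but not the UID can run the loop forever and never match, which is why tying the derivation to an unextractable hardware key matters more than the KDF itself.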
Now that the SEP firmware has been decrypted and is publicly available, researchers and attackers alike can disassemble it and look for vulnerabilities. It is worth being precise about what that exposes: the UID is fused into the hardware and is never present in firmware, so the decrypted image does not reveal it. What it does reveal is the code that uses the UID, enforces the passcode-attempt limits and manages the derived keys, and a flaw in that code is what anyone hoping to get at user data would need. According to @xerub,
“Decrypting the firmware itself does not equate to decrypting user data”
and a great deal of additional work would be needed to turn a readable firmware image into an exploit. Apple has said it has no plans to deploy a fix. An Apple employee commented on the matter, stating, "There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information." They went on to state that it's "Not an easy leap to say it would make getting at customer data possible." What the decrypted firmware does make possible is research into the SEP's structure, which is where researchers could find flaws that let them dig deeper.
- The decryption key for the Apple Secure Enclave Processor (SEP) firmware is publicly available. The SEP handles passcode verification and Touch ID for iOS devices, so a readable firmware image could lead to security problems in the future. Apple has no plans for a fix at this time.
- While Apple's SEP firmware has been decrypted, it hasn't been compromised. Researchers can now read the code that runs on the SEP; they cannot pull user data off your device with it, and the UID it protects is not in the firmware at all. Decrypted ≠ Exploited
- It does mean that attackers can disassemble the decrypted SEP firmware to hunt for vulnerabilities in Apple's code, so expect exploit research to follow. Switching from a short numeric PIN to a longer alphanumeric passcode is the one thing you control: it multiplies the number of on-device guesses an attacker would need if a SEP flaw were ever found.