The Apple Secure Enclave is an ARM-based coprocessor that enhances iOS security, but on Thursday a hacker published what he says is the decryption key for Apple iOS’ Secure Enclave Processor (SEP) firmware.
According to Apple technical documentation, the Secure Enclave coprocessor is built into Apple S2 (Watch Series 2), A7 (iPhone 5S, iPad Air, Mac Mini 2 and 3), and subsequent A-series chips.
The coprocessor generates the Unique ID (UID) number and keeps it segregated from the rest of iOS for all devices powered by the A9 (iPhone 6S, 6S Plus, SE, and 2017 iPad) and later generations of silicon,
The Secure Enclave also handles the authentication process based on fingerprint gathered through the device’s Touch ID sensor.
The hacker, who goes online with the moniker “xerub” explained that the decryption key unlocks only the SEP firmware, and not user data. xerub published the key also on GitHub and to the community website iPhone Wiki.
“Everybody can look and poke at SEP now,” xerub said.
— ~ (@xerub) August 16, 2017
The key allows to decrypt and explore the encrypted firmware code, a gift for experts and hackers that can have more information about the iOS platform.
Using the key in conjunction with xerub’s img4lib it is possible to decrypt an iPhone 5s IMG4 SEP (Secure Enclave Processor) firmware image. The decrypted data can be analyzed with a tool called sepsplit to extract the executable binaries from the image.
Since the release of the iPhone 5s in 2013, Apple has introduced many security improvements and others are announced with the forthcoming devices and OS 11.
At the 2016 Black Hat, a group of security researchers made an interesting presentation on the Apple’s Secure Enclave providing some high-level technical details about its design and security features.
(Security Affairs – Secure Enclave chip, Apple)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.