Security researchers have recently revealed a vulnerability in the Secure Enclave Processor. While the enclave is the data store for sensitive information, meaning data including Apple Pay details and Face ID biometric records is potentially at risk from attackers, the reality is that it is still extremely unlikely to be a major issue for the vast majority of Apple customers.
On July 24 at the MOSEC Mobile Security Conference in Shanghai, China, a talk by security researcher Xu Hao of Team Pangu revealed there was an issue with Apple's Secure Enclave Processor. The team was able to discover a problem with the chip that made it vulnerable, one that it deemed to be "unpatchable" by Apple.
The Secure Enclave consists of a hardware-based key manager that is isolated from the main processor. It is used to hold highly sensitive data that users want to keep private, typically relating to security or payments. It is also capable of maintaining the integrity of cryptographic operations for the system, even if the kernel of the device's operating system has been compromised.
The Secure Enclave Processor is an important part of the security for many Apple products, including the iPhone 5s and later, the iPad Air and later, Apple Watch Series 1 and later, fourth-generation Apple TV, the HomePod, and Macs that contain the T1 or T2 Security Chip.
Despite disclosing the existence of the vulnerability at the conference, Team Pangu declined to provide many details about how it can be performed. No reason was offered for this, but the team is likely interested in either providing the information to Apple as part of its lucrative bug bounty operation, or to a third party for potentially more money and the possibility of it being used for malicious purposes.
What We Know
What is known about the flaw is that it is not a vulnerability of the Secure Enclave Processor itself, according to an explanation on MOSEC's Weibo account spotted by YaluJailbreak. Instead, it is a problem with a memory controller that governs the TZ0 register, which defines the range of memory used by the Secure Enclave Processor.
By taking control of the TZ0 register, an attacker could alter how the isolation of memory shared between the SEP and the main processor functions. In turn, this could feasibly be used to acquire data that would normally be viewed and used only by the Secure Enclave, making it a security risk.
It is claimed that, as the issue involves read-only ROM built into the chip, the vulnerability cannot be patched via an Apple software update, and is considered a hardware vulnerability.
Despite the permanent nature of the vulnerability, it is quite difficult to abuse, including in malicious jailbreaks attempting to read the stored SEP data.
Not as bad as it seems
It is thought that the vulnerability only affects devices that are compatible with the checkra1n jailbreak or the checkm8 exploit. Furthermore, as devices using an A12 or A13 system-on-chip do not currently have a BootROM exploit, it is practically impossible to determine whether the bug exists on them, meaning it cannot affect the iPhone XS and iPhone XR generation or later iPhone models.
Security researcher @axi0mX also advises in a Twitter thread that the issue cannot be used in browser-based or app-based jailbreaks, and that Apple's various hardware and software mitigations further limit the ways such an attack could be made. Due to the limitations imposed by Apple's security, a successful attack would require physical access to the device and a connection to a host system, effectively ruling out any remote abuse via the vulnerability.
Security implications of this SEPROM vulnerability are not as bad as you might think:
(1) Browser-based (nation states) or app-based (community) jailbreaks cannot use it, because the value in TZ0 register is locked and cannot be changed after boot.
— axi0mX (@axi0mX) July 25, 2020
To end users, while a vulnerability in the Secure Enclave may seem scary, it is highly unlikely to affect the average iPhone user. The only realistic scenarios in which this could be used would be if a government agency or law enforcement confiscated an iPhone as part of an investigation, or an extremely involved hack for political or corporate espionage reasons, situations most people won't find themselves in at all.
This is not the only time the Secure Enclave has seemingly shown weakness. In 2017, the decryption key for the Secure Enclave used in an iPhone 5s was revealed in similar research efforts, but while it didn't make the Secure Enclave insecure, it did provide an opportunity for security researchers to examine the Secure Enclave's firmware in more detail than before.