A hacker has decrypted the iPhone's security chip, but your data is still safe


In order to make Touch ID on the iPhone 5s an onward secure, Apple introduced a fairly opaque piece of technology to its devices — the so-called Secure Enclave Processor (or SEP in short). This, in simple terms, is a piece of hardware found in almost every Apple-made device since the 5s which is used to keep users' private data (think passwords, fingerprints, and everything else that requires cryptography) secure, taking the form of a tiny coprocessor kept completely isolated from the rest of the device.

And up until now, the SEP has been a black box to pretty much everyone outside of Apple, as the firmware governing it has been encrypted — or in other words, no one could even see what the processor is actually doing. However, this layer of security has now been compromised, following the public release of the decryption keys by a hacker going by the name xerub on GitHub.

And while this may sound like grim news, it really isn't — user data processed by the SEP is still safe, since the only thing that's been exposed is the firmware that runs on the chip that protects said data. In fact, one might argue that now that it can be accessed, the firmware can be probed by security researchers, and issues not uncovered by Apple (if there are any, that is) can be patched in time, before they're exploited by a malicious third party.

If fact, Apple doesn't seem particularly worried about the release of the keys — an unnamed Apple employee speaking with TechRepublic claimed the company doesn't plan on issuing a fix to the SEP's firmware at this point. Or in other words, don't panic about you security being compromised just yet.

FEATURED VIDEO

41 Comments

1. kevin97

Posts: 90; Member since: Mar 01, 2016

Well, this is how it usually starts...:)

2. yann

Posts: 614; Member since: Jul 15, 2010

I imagine the reaction of Phonearena if it was Android failure. Really fanboy site.

27. Finalflash

Posts: 4063; Member since: Jul 23, 2013

Can you see how hard they're trying to spin this? iPA: "LOOK GUYS, its a feature, now people can do Apple's job for them by telling them about their failures." And then they go on to happily explain that Apple will do exactly what they do when exploited... nothing (which is also good for your apparently).

3. sgodsell

Posts: 7368; Member since: Mar 16, 2013

Well I am waiting for the Apple zealots like kiko007, mikehunta727, cnour, and others to defend iOS, and tell everyone it's safe. Or they will say it's still the safest and most secure OS. Yeah, right. Oh, if anyone is interested here is a hack that anyone can do to break into anyone's iPhone 7/7+. https://youtu.be/IXglwbyMydM

5. Ninetysix

Posts: 2964; Member since: Oct 08, 2012

Please hack my iPhone.

28. Finalflash

Posts: 4063; Member since: Jul 23, 2013

No one wants your nudes bro, no one wants to lose their vision for internet points.

11. apple-rulz

Posts: 2115; Member since: Dec 27, 2016

iOS is safe. Also please feel free to hack into my iPhone 7 Plus, or my iPhone 6S Plus, and post your findings here for everyone to see.

21. Wickedsamaritan

Posts: 83; Member since: Aug 11, 2017

Since No one gives a s**t about you.. you can keep your s**tty devices. No problem!

23. trojan_horse

Posts: 5868; Member since: May 06, 2016

Savage, but true.

25. apple-rulz

Posts: 2115; Member since: Dec 27, 2016

Translation; iPhones can't be hacked, least of all by idiots like Wickedsamaritan and trojanhorse, so they'll deflect. Don't worry girls, I've got plenty of butthurt ointment I'd love to spread on your sweet holes. LMAO!!!!

30. lyndon420

Posts: 6790; Member since: Jul 11, 2012

Amen to that!!

36. sgodsell

Posts: 7368; Member since: Mar 16, 2013

Send it to me, please.

13. mikehunta727 unregistered

Apple zealot? Are you okay? I live in objective reality and look at things objectively, I can give credit where it's due because I ain't no fanboy for anything. All they did with the 5S SEP is decrypt the software running on the enclave, they can't unlock the enclave at all still, the door is still locked, like a room with windows, you can see inside but can't get in still This currently only affects the 5S and doesn't give up the data inside still And yeah that's cool, you showed me a box hacking a iPhone.. things like this will get patched nearly immediately for the user base and get more fortified. It doesn't matter what you link me because it doesn't change the fact that iOS is regarded as being more secure Latest version of Android is quite secure from what it used to be but it still is missing some important security features that were in iOS 5, years ago. Here, let the CEO of Zerodium talk actually (bigest blackhat hacking group out there in the world) ; https://arstechnica.com/information-technology/2016/09/1-5-million-bounty-for-iphone-exploits-is-sure-to-bolster-supply-of-0days/ "Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions," he told Ars. Asked why a string of iOS exploits commanded 7.5 times the price of a comparable one for Android he said: "That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both." "A controversial broker of security exploits is offering $1.5 million (£1.2 million) for attacks that work against fully patched iPhones and iPads, a bounty that's triple the size of its previous one. Zerodium also doubled, to $200,000, the amount it will pay for attacks that exploit previously unknown vulnerabilities in Google's competing Android operating system $1.5 million for each iOS exploit vs $200,000 for Android vulnerability. User base being able to receive update same day globally is a big advantage also. Common sense. Us folks at r/Android can actually have serious dialogue over iOS vs Android without zealoting out and keeping a closed mind and eye to each advantage/disadvantage. It's normal when your a all around technology lover and not a fanboy and love one thing only Logic > past your head Get some good rest now godsell

16. BuffaloSouce unregistered

Are you that sensitive to the internet that you have to write an essay defending yourself?

17. mikehunta727 unregistered

Half is quotes, from Zerodium's CEO. A bit clear that you didn't read it but honestly I could care less if you did or didn't I don't usually bother but sometimes you just got to put some people in their place once in a while. No harm in that. Hopefully my posts can enlighten some actually because I remain neutral with technology and can have some constructive, objective dialogue about products, etc

22. lyndon420

Posts: 6790; Member since: Jul 11, 2012

No one reads the other commenter(s) essays...very few of us are interested in articles within article comment sections.

24. mikehunta727 unregistered

Like I said I honestly don't care who does and who doesn't. Doesn't change the fact that my posts are mostly objective and based on current facts.. I'm open for constructive objective dialogue on technology

37. yann

Posts: 614; Member since: Jul 15, 2010

Fact: For 500$ you can buy the box that will brootforce your pin code and will allow access to your iPhone 7/7+. All your files and photos on the phone will be accessible. Point!

39. mikehunta727 unregistered

That's patched in iOS 11, which comes out to the whole user base in under a month. Your also forgetting that this hack is essentially useless because the passcode has to be changed within 10 minutes for the box to work, good luck finding a device with a passcode that has just been changed within 10 minutes of having it in your possession. It'll never happen. It's just a little cute bug that was found Plus you need to steal the device to do it, that's even if before the device gets locked by activation lock from the owner of the device. It's completely useless in under a month. You can do the very same thing to Android devices without having to buy a $500 device. The situation is a lot worse on Android in terms of security of the whole user base

40. mikehunta727 unregistered

This black box can't affect anyone at all in the real world because you'll never find a device that has had it's passcode changed in that 10 minute window you have only to be able to hack through it with the box. After 10 minutes of the passcode being changed, the black box can't hack through it, aka useless and patched in iOS 11 which hits the billion plus user base of iOS next month

4. nikhil23

Posts: 442; Member since: Dec 07, 2016

Guy captures retina of a person using hi def camera and prints it and uses some other stuff to fake iris scanner and people went crazy saying it's not safe bla bla bla. Guy hacks the security layer of coprocessor and people are like meh.. Apple might send an update to patch it.

8. peace247 unregistered

Ikr.. Isheeps

10. cmdacos

Posts: 4208; Member since: Nov 01, 2016

There are theories out there, especially since we haven't seen any mass replication of the iris hack, that the original demonstration of the virus back could have been actually done by training the iris sensor to recognize the fake iris in setup. Not sure if its true and could just be conspiracy.

6. PhoneCritic

Posts: 1354; Member since: Oct 05, 2011

hold it right there!! Just hold it right there!! Think about this statement "And while this may sound like grim news, it really isn't — user data processed by the SEP is still safe, since the only thing that's been exposed is the firmware that runs on the chip that protects said data. In fact, one might argue that now that it can be accessed, the firmware can be probed by security researchers, and issues not uncovered by Apple (if there are any, that is) can be patched in time, before they're exploited by a malicious third party." It protects said data- It protects said data and has been hacked. Come on this is serious!!! Is PA assuming that it has not already been exploited? That is a big assumption I don't think anyone wants to even contemplate. "If fact, Apple doesn't seem particularly worried about the release of the keys — an unnamed Apple employee speaking with TechRepublic claimed the company doesn't plan on issuing a fix to the SEP's firmware at this point. Or in other words, don't panic about you security being compromised just yet." How many times have we heard this before? Wait!! Wait!! Wait!! when a company tells you not to panic its time to panic. Remember Atena? they said the breach was small then later is was reveled that millions of records were compromise? Remember -Target and home depot? they said the breach was small then later is was reveled that millions of records were compromise? Remember United health care? they said the breach was small then later is was reveled that millions of records were compromise? The point is everyone should start by checking their information credit cards bank accounts and place fraud alerts immediately. Again we should learn from history that when a big corporation gets hack ( Google, Samsung, Microsoft, Apple etc..) that has our information they will always play it down and tell us not to panic but meanwhile behind the scene they are scrambling to get a grip on just how bad things are before the release their first press statement that indeed a few thousand accounts were access but it was all stall info. Then six months later they drop the bomb that millions were affected and that their users should check their credit and accounts for fraudulent information which by that time its too late. So PA should know better than this and be telling its users to please keep an eye on their accounts.

31. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

Dude, when someone hacks the calculator app, it doesn't mean that someone had access to your messages.

7. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

This is hilarious....iphone component gets hacked and it is a positive thing

18. PhoneCritic

Posts: 1354; Member since: Oct 05, 2011

I don't get it it this is seriously wrong. I don't think if Knox was compromised that PA would be down playing it and neither should they as this is Serious stuff. Its not a iris scanner or a pin But the actual stand alone processor that seems to be responsible for the very encryption on the device.

32. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

All hacks are positive, because they teach the producers to do better security systems.

33. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

Spoken as a true sheep

35. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

If that's what it means to be "sheep", I'm proud to be one.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.