All Your iPhone Are Belong To Us

Apple’s commitment to customer privacy took the acid test after the San Bernadino shooting incident. Law enforcement demanded that Apple unlock the shooter’s phone, and Apple refused. Court cases ensued. Some people think that the need to protect the public outweighs the need for privacy. Some people think that once they can unlock one iPhone, it won’t stop there and that will be bad for everyone. This post isn’t about either of those positions. The FBI dropped their lawsuit against Apple. Why? They found an Israeli firm that would unlock the phone for about $5,000. In addition, Malwarebytes — a company that makes security software — reports that law enforcement can now buy a device that unlocks iPhones from a different company.

Little is known about how the device — from a company called Grayshift — works. However, Malwarebytes has some unverified data from an unnamed source. Of course, the exploit used to break the iPhone security is secret because if Apple knew about it, they’d fix it. That’s happened before with a device called IP-box that was widely used for nefarious purposes.

Continue reading “All Your iPhone Are Belong To Us”

Apple’s Secure Enclave Processor (SEP) Firmware Decrypted

The decryption key for Apple’s Secure Enclave Processor (SEP) firmware Posted Online by self-described “ARM64 pornstar” [xerub]. SEP is the security co-processor introduced with the iPhone 5s which is when touch ID was introduced. It’s a black box that we’re not supposed to know anything about but [xerub] has now pulled back the curtain on that.

The secure enclave handles the processing of fingerprint data from the touch ID sensor and determines if it is a match or not while it also enables access for purchases for the user. The SEP is a gatekeeper which prevents the main processor from accessing sensitive data. The processor sends data which can only be read by the SEP which is authenticated by a session key generated from the devices shared key. It also runs on its own OS [SEPOS] which has a kernel, services drivers and apps. The SEP performs secure services for the rest of the SOC and much more which you can learn about from the Demystifying the Secure Enclave Processor talk at Blackhat

[xerub] published the decryption keys here. To decrypt the firmware you can use img4lib and xerub’s SEP firmware split tool to process. These tools make it a piece of cake for security researchers to comb through the firmware looking for vulnerabilities.