Hacker @xerub has just released what he claims to be a full decryption key for Apple’s Secure Enclave Processor (SEP) firmware, a key piece of iOS security which handles Touch ID transactions and is completely isolated from the rest of its host device, TechRepublic is reporting. One of the key points of the SEP is its generation of the device’s Unique ID (UID), which is how it secures all Touch ID actions and password verifications.
The SEP firmware decryption key exposes it to vulnerabilities. The hacker has published it on this GitHub repository, saying “the fact that SEP was hidden behind a key worries me,” adding that while SEP is amazing tech the fact that it’s a “black box” adds very little to security.
“Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?”, he said. Expert hackers, he added, won’t be stopped by black boxes, only slowed down.
“I think public scrutiny will add to the security of SEP in the long run,” xerub said, noting that was also his intention with releasing the key. It’s another act in the arms race between tech companies and hackers, who poke and prod software in a way that ultimately can make users safer. “Apple’s job is to make [SEP] as secure as possible,” xerub said. “It’s a continuous process … there’s no actual point at which you can say ‘right now it’s 100% secure.'”
Meanwhile, an Apple spokesperson has stated that the release of the SEP key doesn’t directly compromise customer data:
“There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information.” The Apple source added that it’s “not an easy leap to say it would make getting at customer data possible.” Rather, it makes research into the structure of the SEP possible. It’s there that hackers could find flaws that allow them to continue digging deeper.
The source adds that Apple does not plan to roll out a fix at this time.
