According to reports from Asia, security researchers have managed to find flaws in Apple’s central security chip for iOS and iPadOS devices, the Secure Enclave, that cannot be patched by the manufacturer.
The security coprocessor has been installed since the iPhone 5s, and it has been on board the iPad since the fifth generation, the first-generation Air, the iPad mini 2 and the iPad Pro. The technology is also used in Apple TV devices, the HomePod and the T security chips of Macs. However, only devices with the SoCs A7 to A11 Bionic are affected, hardware from 2018 onwards – i.e. e.g. iPad mini 2 and iPad Pro – is affected.B. iPhone XS, XS Max and XR or even current iPad Pros – is not vulnerable.
Sensitive data in the coprocessor
The security chip is used to store sensitive information. These include hashes for biometric data – face for Face ID devices, fingerprint for Touch ID hardware – closure keys, and credit card-related info for Apple Pay. The Secure Enclave is sealed off from the operating system, so attackers usually can’t take it over.
Details of a specific exploit of the Secure Enclave have not yet been leaked – only that they were unpatchable was communicated. Behind the discovery is Team Pangu, known for its jailbreaks. The unpatchability is due to the fact that the code of the Secure Enclave cannot be rewritten – a feature that actually serves security purposes.
Memories of checkm8
What exactly attackers could do with the bugs is also unclear. A complete takeover of the Secure Enclave would be conceivable, as would the hijacking of iPhones and iPads that are actually well secured. Xu Hao from Team Pangu gave first hints about the bugs at a security conference in July. On the Chinese short message service Weibo it is said that the Secure Enclave apparently has a problem with the integrated memory controller, which can be attacked.
This is said to allow access to data that was normally protected. The bug affects the read-only area of the Secure Enclave (ROM), which Apple cannot change. How a concrete exploit could look like remains unclear – so the security expert axmX says on Twitter, browser-based attacks are not possible and also an app-based jailbreak is not possible. Whether this is actually the case, closer details must show. The problem is reminiscent of bootrom bugs in older iPhones and iPads, which are also exploitable up to the A11 chip and "unpatchable jailbreaks" allow. The T-Security processors of Macs are also affected.