A hacker going by the pseudonym xerub has claimed to have leaked the decryption key for Apple's Secure Enclave Processor (SEP) firmware, which could be a massive blow to iOS security. The leak, reportedly confirmed by an anonymous Apple staffer, is key to iOS security.
According to Apple, SEP was incorporated into iOS security in Apple S2, Apple A7, and later A-series processors and provides "all cryptographic operations" for data protection. Apple's SEP is also responsible for verifying Touch ID and fingerprint initiated transactions.
However, with the decryption key that protects the SEP now publicly available, it may just be open season for hackers looking to target Apple products. Essentially, the decryption key allows third-party entities to decrypt and access Touch ID data, as well as other kinds of data processed via SEP. Bleeping Computer reported that the key could also allow hackers as well as surveillance firms to hunt for bugs in iOS devices, which were previously inaccessible to third parties.
"The fact that [the SEP] was hidden behind a key worries me," Xerub told TechRepublic. "Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?"
The hacker said that SEP is basically a "black box" that adds very little to security. He added that his intention behind releasing the SEP decryption key was to boost its security. "Decrypting the firmware itself does not equate to decrypting user data," Xerub added. "I think public scrutiny will add to the security of SEP in the long run. Apple's job is to make [SEP] as secure as possible. It's a continuous process ... there's no actual point at which you can say 'right now it's 100% secure.'"
An anonymous Apple employee told TechRepublic the leak doesn't directly compromise user data. "There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information," the Apple staffer said.
Apple reportedly said that it is not planning to issue a fix yet. The leak comes just a day after news broke that the upcoming iOS 11 will come with a "panic button" or "cop button" feature to disable Touch ID in a hurry.