iOS users are advised to be alert as a hacker who claims to hack Apple's secure enclave(SEP ) firmware has revealed decryption key generation protocol for the Apple secure enclave, which was supposed to be very secure and was responsible for all the touch ID transactions in iOS devices.
A hacker who goes by the handle xerub and claims to hack Apple's secure enclave just released full decryption key.
If this comes out to be a valid hack, then it's a major security threat for iOS devices which uses SEP.
In all of the latest iOS devices, SEP is responsible for providing security to the device, it's completely isolated from the other parts of the device , it has its own Operating system.SEP handles all touch ID transactions in the device, only SEP has the protocol to generate unique ID (UID) for the device which is completely indifferent to other processes in the device.
Now since its firmware code is claimed to be hacked, it's a major security blow to iOS users.
Since the release of iPhone 5S, every iOS device comes with SEP, which is responsible for Touch Id transactions, there is a small co-processor embedded in the processor, that runs completely on its own with its own separate OS, no process is entangled with SEP. SEP generates unique ID(UID) every time system reboots.
Protection of UID is the sole purpose of SEP, with the claims of hacking SEP, all the Touch ID actions, passwords, verifications and security features are vulnerable.
Xerub said "The fact that [the SEP] was hidden behind a key worries me " he added "Is apple not confident enough to push SEP decrypted as they did with kernels past iOS 10 " He added that while SEP is amazing tech the fact is it's a "black box","Obscurity helps security- I am not denying that", he said.
"I think public scrutiny will add to the security of SEP, in the long run, Apple's job is to make [SEP]" as secure as possible, It's a continuous process.There is actually no point at which you can say right now it's 100% secure "Xerub said.
He further added"Decrypting the firmware itself does not equate to decrypting user data", as there are several layers needed to be decrypted, as result, it's not going to have massive impact on the users.
According to the Apple's spokesperson, eho chose to remain unidentified, stated that the release of SEP key doesn't directly compromise data ."There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information"
The Apple source further added that "it's not an easy leap to say it would make getting at customer data possible".
There are no plans to roll out a fix this time from Apple.
from E Hacking News - Latest Hacker News and IT Security News http://ift.tt/2wZBapV
via IFTTT
Tags:
News