Apple unveiled the iPhone 5s in September 2013, and its signature feature was the fingerprint sensor embedded in the home button. Marketed as Touch ID, the security feature would let users unlock the phone and authenticate App Store payments. The introduction of Touch ID paved the way for Apple Pay, a mobile payment system designed by Apple that uses one’s fingerprint to verify each payment. Touch ID was later opened to developers to integrate it into their apps.
Touch ID also brought a new security feature inside the iPhone, the Secure Enclave that makes possible authentication via fingerprint scans. Each iOS device that has a Touch ID sensor must also have a Secure Enclave, which happens to be the most secure component of the handset. However, a hacker managed to obtain the full decryption key for the iPhone 5s’s Secure Enclave. That said, there’s no reason to panic for the moment.
The Secure Enclave resides inside the iPhone’s processor, the A7 for the iPhone 5s. It uses its own software that’s not tied to the main operating system of the handset. The component will process Touch ID data and produce a corresponding result. That’s why this particular area of the phone is heavily protected by encryption.
First seen by Redmond Pie, this tweet from security researcher @xerub confirms that the “fully grown” decryption key of the iPhone 5s’s Secure Enclave has been cracked:
— ~ (@xerub) August 16, 2017
Security researcher Will Strafach quickly posted an update for the “hack,” explaining that just the enclave had not been hacked in the traditional sense. The decryption keys will, however, let researchers and hackers study Apple’s firmware for the Secure Enclave.
That doesn’t mean your iPhone 5s is less secure. But this even opens the door to anyone experienced enough to dig through the firmware.
it’s also worth noting the “hack” only applies to the iPhone 5s.
Even if malicious hackers find security holes to exploit in the software that governs it, they’ll probably need physical access to your iPhone 5s to update the Secure Enclave’s software and then abuse it.