A hacker has released a full decryption key for Apple's Secure Enclave Processor (SEP) firmware, which is responsible for the security of Touch ID transactions.
Apple's Secure Enclave Processor generates unique IDs for each transaction and its decryption will make millions of users vulnerable.
According to xerub, the hacker who released the Secure Enclave Processor decryption key to the hacker community, it is difficult but possible for hackers to use the decrypted firmware to analyse and reverse engineer how the SEP works. However, with additional effort, hackers may also gain access to passwords and fingerprint data.
Every UID generated by the Secure Enclave Processor is further encrypted with unique keys so that the same key or unique ID cannot be used to perform more than one transaction. The SEP firmware is located inside a co-processor in Apple's mobile chip and is isolated from the rest of the device so that it cannot be touched even if a hacker gets past an iOS device's defences.
Because of its standalone nature, the Secure Enclave Processor processes every Touch ID transaction, verifies passwords, generates unique IDs and keys and secures its operation. However, its use as a black box by Apple only slows down dedicated hackers but doesn't stop them from getting in.
"The fact that [the SEP] was hidden behind a key worries me. Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?" says xerub, adding that while separating the firmware from the rest of the device helps security, only relying on it for security will only slow down hackers but won't stop them.
The decryption key will no doubt be employed by hackers looking to get past the security of Apple's Secure Enclave Processor, but Apple has insisted that their efforts won't compromise any data belonging to iOS device users.
"There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information," said an Apple spokesman. However, an Apple source told Tech Republic that while the firmware would make it easier for hackers to study the structure of the SEP, it could also help them find flaws in the structure and exploit them.
Kevin Bocek, Chief Cyber-Security Strategist for Venafi, believes that the arrival of a decryption key for Apple's Secure Enclave Processor and the attention it has received show the importance of machine identities that are used to authenticate and encrypt user information. Many businesses are now employing machine identities to secure software, hardware, and cloud services.
However, he adds that the decryption key will not endanger the security of iOS device users but will only improve their privacy.
"Researchers will now be able to examine code for flaws. If there are attacks, Apple will quickly fix. And it will expose these attacks, unlike the current situation where only a few nations with full-time, sophisticated iPhone-cracking operations might be exploiting a vulnerability with Apple knowing it, and without a fix being made available," he adds.