
You're going to hear a lot of FUD about Apple's Secure Enclave being hacked. It wasn't.

iPhone 5s Touch ID (Image credit: Apple)

Apple's Secure Enclave locks down user data on iPhone and iPad, including the data for Touch ID. Recently, a hacker known as xerub posted a "decryption key" for the Secure Enclave Processor (SEP) firmware.


That's led to a lot of miscommunication, misunderstanding, and misreporting about what exactly it means in terms of iPhone and iPad security. Here's the deal:

Imagine the Secure Enclave as a vault. Apple hung a big, dark curtain over it to prevent anyone from even seeing the vault. Now, that curtain has been opened and people can see the vault. The vault, however, is still locked as securely as ever. No one has broken into it and no one has even gotten any closer to breaking into it.

Technically speaking, Apple encrypted the SEP firmware to obfuscate it so people couldn't easily poke around inside. That included security researchers, like those participating in Apple's bug bounty program. Now they can.

It was an additional but very superficial layer of protection. While many deride security-through-obscurity, "defense in depth" — a multi-layered approach — is still a best practice, and making anything even a little bit harder to defeat makes it a little bit harder to defeat.

Philosophy aside, it's my understanding that the encryption key wasn't used to protect any user data or anything beyond obscuring the SEP. And absolutely no user data was or could be exposed through the leaked encryption key.

In other words, it's something to be informed about but not overly concerned with. SEP remains as secure as ever.

Rene Ritchie
Contributor


9 Comments
  • Apple PR at work... Good job👍
  • He's been going nuts lately with this kind of stuff. It's almost like Apple has some kind of event coming up...
  • I cannot tell if you’re being glib but let me say that I think Rene does an excellent job with security explanations. I listen to him on MacBreak and the man knows his stuff.
  • You haters are barking up the wrong tree. Mr. Ritchie has been around a long time, has a large number of reliable sources, and is always dead on with his reporting. So crawl back in your Android hole and wait for the next piece of FUD to come around. You are pathetic.
  • Take a nap.
  • Just because you do not understand anything about the topic doesn't mean it's made up. Perhaps do some reading, educate yourself and then you will better understand what is going on.
  • Do you have any proof to dispel Rene’s claim?
  • Wow two anti FUD articles in one day. Does Apple pay you by the article or is there a flat monthly quota you have to reach protecting the mothership to ensure they send you new shiny doodads early and getting photo ops as Tim Cook's lap dog?
  • I had to look up FUD. Article now makes sense.