
I want to store a key in the Secure Element within a non-Jailbroken device.

What happens when a device is Jailbroken? Knowing that the private key can't be extracted, can the key be used to sign or encrypt data when it transitions from the non-Jailbroken to the Jailbroken state?

Is the Secure Element Cleared/Erased? Cryptographically inaccessible?

makerofthings7
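For readers who want to see what "storing a key in the Secure Element" looks like in practice on iOS, here is an added Swift example (not code from the asker, the answerer, or Apple). It generates a P-256 key whose private half is created inside the Secure Enclave, binds its use to the device being unlocked and to the currently enrolled biometric set, and signs a message with it. The application tag and the sample message are made-up values; the code assumes a physical device with a Secure Enclave (not the simulator) and the Security framework APIs as they exist on iOS.

```swift
import Foundation
import Security

// Made-up identifier used to find the key again in the keychain.
let keyTag = "com.example.sep-demo.signing-key".data(using: .utf8)!

enum SEPKeyError: Error {
    case creation(String)
    case signing(String)
}

/// Create a Secure Enclave-backed private key.
/// The access-control object restricts private-key use to an unlocked device
/// and to the biometric set enrolled at creation time; if enrollment changes,
/// the key becomes unusable. The "ThisDeviceOnly" accessibility class also
/// keeps it out of backups and device-to-device migration.
func makeSecureEnclaveKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &cfError
    ) else {
        throw SEPKeyError.creation(String(describing: cfError?.takeRetainedValue()))
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]

    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw SEPKeyError.creation(String(describing: cfError?.takeRetainedValue()))
    }
    return key
}

/// Sign a message with the enclave key. The private key bytes never leave the
/// enclave; only the DER-encoded ECDSA signature is returned to the app.
func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm),
          let signature = SecKeyCreateSignature(privateKey, algorithm,
                                                message as CFData, &cfError) as Data?
    else {
        throw SEPKeyError.signing(String(describing: cfError?.takeRetainedValue()))
    }
    return signature
}

/// Verify using the public half, which is ordinary data and may be exported
/// (for example, registered with a server during enrollment).
func verify(_ signature: Data, for message: Data, with privateKey: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return false }
    var cfError: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, &cfError)
}

// Usage on a device (constructed sample message):
// let key = try makeSecureEnclaveKey()
// let message = "constructed sample message".data(using: .utf8)!
// let signature = try sign(message, with: key)
// assert(verify(signature, for: message, with: key))
```

The access-control flags are the part of this that matters for the question: the Secure Enclave enforces the unlock and biometric conditions on every signing request, and those conditions are the only policy it applies, so an app relying on the key for a trust decision should also pin the public key server-side and treat signing failures after a biometric re-enrollment as a re-registration event rather than a transient error.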

1 Answer


Are you asking about iDevices running Apple iOS? The Secure Enclave is not cleared/erased or inaccessible when a device is jailbroken.

The architecture of the Secure Enclave and its security implications is documented here -- http://mista.nu/research/sep-paper.pdf -- and many assume it has been broken into, but nobody is saying for sure. Here is the full prezo from BlackHat US 2016 -- https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf

There are other components, such as the Kernel Patch Protector (Apple's use of TrustZone), which was thought to reside in the Secure Enclave but is actually on the ARM ELx -- http://technologeeks.com/files/TZ.pdf

Here is an early article on the Secure Enclave as we first saw it in the iPhone 5S -- https://blog.fortinet.com/2013/09/16/iphone5s-inside-the-secure-enclave

What we know today is that the apps that connect to the Secure Enclave can be bypassed in many ways, but not in one key way: the TouchID mechanism to access the device through the lock screen -- but only the lock screen. If TouchID is used via an app, then it likely can be bypassed whether the device is jailbroken or not.

Some of the Apple TouchID and Apple Pay security architecture was first discussed here -- http://www.slideshare.net/0xroot/demystifying-apple-pie-touchid

What we know is that the GlobalPlatform AIDs (application identifiers) can be cloned from one device to another by attaching to the passd process (this can also be done on a jailed or jailbroken device), as discussed here -- https://www.blackhat.com/docs/us-15/materials/us-15-Fillmore-Crash-Pay-How-To-Own-And-Clone-Contactless-Payment-Devices.pdf -- https://www.blackhat.com/docs/us-15/materials/us-15-Fillmore-Crash-Pay-How-To-Own-And-Clone-Contactless-Payment-Devices-wp.pdf -- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20Peter%20Fillmore%20-%20Crash%20and%20Pay_%20Owning%20and%20Cloning%20NFC%20Payment%20cards.pdf

We also know that the keychain can be dumped in numerous ways for both jailed and jailbroken devices as seen here -- https://github.com/juuso/keychaindump -- and here -- https://github.com/n0fate/chainbreaker -- but also iCloud and other authorization tokens -- https://github.com/manwhoami/MMeTokenDecrypt

Most everything can be extracted regardless of the Secure Enclave and regardless of the device being jailed or jailbroken.

atdre