Another possibility is a tailored-access type attack further upstream the supply chain. For example, Apple relies on Samsung or TSMC to fab chips. It's possible the chips could be modified before manufacture, or after, to contain a flaw. I've read about such attacks demonstrated in principle already. There was a worry about the Chinese government executing such attacks for example.
One of the downsides of the way global manufacturing works today is that there are so many stages in which components can be intercepted.
You don't know that the device you bought actually consists of unmodified versions of the components that were part of the original design.
Could the NSA partner with the Korean government and Samsung to put a backdoor into components? I wouldn't rule it out.
It would be considerably cheaper to just replicate the ASIC you want to attack in your own silicon.
The secure enclave isn't so magic; it's just a secondary processor that handles cryptography. It has its own memory to store variables such as failed attempts.
Attacking the SOC might be more complex and expensive but eventually it's exactly the same as attacking the NAND or any other integrated circuit.
For all we know the NSA could (and most likely does) develop their own in-circuit debuggers for common ASICs/SOCs and just dump whatever unique values the target SOC stores and take a crack at it.
This also isn't out of the realm of possibility for companies that specialize in in-circuit emulation, hardware design, and forensics to create as a turnkey solution.
> it's exactly the same as attacking the NAND or any other integrated circuit
Not really. Secure enclaves have added defenses that NAND does not. They don't have an API that lets you read their embedded secrets, for instance. You can't just hook up a debugger.
You'd have to try to get at the state of its transistors with an SEM or something. But additionally some have physical defenses against delayering that will self-destruct their contents in the event of a physical compromise. So while I ultimately agree that a nation-state could potentially craft an attack against a specific design, you're understating the difficulty.
Hence why I said it was more complex and expensive; if you are going to quote someone, please do so in full.
Additionally, NAND doesn't have an "API". NAND mirroring works by desoldering the memory, hooking it up to a device, and mirroring it to another chip by flagging the mirroring bit.
There are other ways to attack hardware; you do not need to get an SEM (or AFM for that matter).
Devices that probe transistors on a microscopic level exist in the industry (e.g. http://www.tek.com/sites/tek.com/files/media/document/resour...), hence the more complex and expensive part.
Also, you cannot "desolder" the secure enclave and hook it up to a "mirroring" device. That attack requires the NAND to be encapsulated in a desolder-able memory chip that supports reading out state. Not the case with a secure enclave.
The NAND is encapsulated in a desolderable memory chip that supports reading out state. There's an anti-replay counter, but supposedly that's just stored in another external NOR flash chip with the Secure Element having no onboard flash storage at all - the process Apple builds their chips on doesn't support on-chip flash memory even if they wanted it.
Interesting. What's your source? Apple's whitepaper suggests otherwise, to my reading:
"The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing."[1]
What this says to me is that while rewritable data storage is indeed kept in regular commodity flash memory chips, it's all encrypted by a unique device-specific key that is somehow burned into the secure enclave. So that one little secret kept inside the enclave would allow it to store everything else off-chip.
That unique device-specific key provides no protection against replay attacks. So in practice, the newer Apple devices don't appear to provide any more protection against an attacker with physical access than the one that the FBI just cracked - they should be able to get everything they were demanding in their warrant without Apple's help on any iPhone.
Maybe I don't understand what you mean by "replay attack" in this context, but the secure enclave does in fact provide protection against brute forcing passcodes. It is detailed in Apple's security whitepaper (see p12). Basically, you have to give the passcode to the secure enclave to get the data decryption key which is derived from the device-specific key contained therein. And the enclave enforces time delays between wrong guesses.
If you can envision a procedure for hacking around this I would love to hear it.
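As an added illustration of the passcode-tangling and retry-counter mechanism discussed above (this is not code from the thread or from Apple; the UID, the delay table and the passcodes are constructed placeholders), the following Python model shows why the failed-attempt counter has to live in memory that only the enclave can write: a counter kept in external flash can be written back to an earlier value, an on-chip one cannot.

```python
import hashlib
import hmac
# Constructed toy values; a real UID is a fused AES-256 key that never leaves the enclave.
DEVICE_UID = b"constructed-device-unique-key"
# Placeholder delay schedule (seconds of enforced wait before the Nth retry); not Apple's real table.
DELAY_SCHEDULE = (0, 0, 0, 0, 0, 60, 300, 900, 3600)
MAX_FAILURES = len(DELAY_SCHEDULE)

def derive_key(passcode: str) -> bytes:
    """Tangle the passcode with the enclave-held UID; the result unwraps the data keys."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), DEVICE_UID, 10_000)

class OffChipCounter:
    """Failure counter held in external flash: its bytes can be saved and written back."""
    def __init__(self):
        self.failures = 0
    def snapshot(self):
        return self.failures
    def restore(self, saved):
        self.failures = saved

class OnChipCounter:
    """Failure counter in memory only the enclave can write: there is no restore path."""
    def __init__(self):
        self.failures = 0

class Enclave:
    def __init__(self, true_passcode, counter):
        self.counter = counter
        self.expected = derive_key(true_passcode)  # stand-in for the wrapped class key
    def unwrap(self, guess):
        """Return (delay_seconds, key_or_None); every wrong guess advances the counter."""
        if self.counter.failures >= MAX_FAILURES:
            return None, None  # locked out: the enclave refuses further attempts
        delay = DELAY_SCHEDULE[self.counter.failures]
        if hmac.compare_digest(derive_key(guess), self.expected):
            self.counter.failures = 0
            return delay, self.expected
        self.counter.failures += 1
        return delay, None

def lockout_is_durable(counter):
    """True if the enclave stays locked after a saved counter value is written back."""
    enclave = Enclave("4821", counter)
    saved = getattr(counter, "snapshot", lambda: None)()
    for _ in range(MAX_FAILURES):
        enclave.unwrap("0000")  # exhaust the retry budget with wrong guesses
    if hasattr(counter, "restore"):
        counter.restore(saved)  # only possible when the counter lives off-chip
    return enclave.unwrap("0000") == (None, None)
```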
Nanoprobes do not require an SEM to function, the SEM is only used to setup the probes initially.
SEM probing is different; SEM probing works because when the circuit is active the electrons emitted from the SEM will pile on the gates to balance out the charge.
Nanoprobes hook up wires directly to the components and can measure voltage and capacitance to gain the exact state; this is effectively hooking up an oscilloscope at the transistor/logic-gate level.
These probes are constantly used in the industry during development and can read anything in the silicon, and it doesn't matter if you store the secrets in NAND or any type of NVRAM or build some unique deterministic array for each chip (which Apple obviously won't do since it will require a unique stencil for each processor, which will make a single A7 chip cost as much as a jet).
If you have access to the silicon there is nothing anyone can do; taking out the private key from a FIPS-certified hardware token that isn't vulnerable to side-channel attacks can cost as little as 10,000 dollars depending on the ASIC in question.
In fact, to some extent the secure enclave can make physical attacks easier, since you know what to focus on and you do not have to reverse engineer the entire SOC but rather a single component.
Today pretty much anyone can buy a probing station[0]; these range from several thousand dollars for very basic ICs (such as ones used on cheap smart cards) to hundreds of thousands or millions of dollars for something that can probe, say, any modern CPU/SOC.
Probing stations are used by chip manufacturers and designers, and quite often they are also used in the post-production QA process, where completed packages will be depackaged and inspected using probes. This isn't "rocket science"; there are plenty of people trained to operate such devices, and the NSA is more than capable of hiring engineers from the semiconductor industry and contracting the most advanced probes out there to look into any chip they want.
Heck, the NSA could easily afford cryonic probes, which allow you to cool down the IC to very low temperatures. This isn't only required to fully probe certain ICs that could easily be fried without sufficient cooling, but also to execute cryonic attacks in which you cool down specific parts of your IC to a very specific temperature, one, for example, that could allow the IC to read from its memory but make write operations fail. In this case, for example, it might enable a party to attack the secure enclave, which will generate keys but will be unable to store the failed-attempts counter in its own private memory.
We already have self destructing circuits[0], but it requires glass. Not something I'd think Apple would go with. Not to mention just dropping the device the wrong way won't just crack your screen anymore, but destroy your precious data. Not something I'd think the average user would want.
Or is there a different piece of tech that can self destruct when tampered with?
> just replicate the ASIC you want to attack in your own silicon.
That doesn't get you the key stored in the target device.
It's not the same as attacking any other integrated circuit, because this one is rigged to blow away its secrets if you try to get instruments/debugging tools inside its enclosure in a way its designers thought of.
> It's possible the chips could be modified before manufacture, or after, to contain a flaw.
Wouldn't Apple be able to detect such an attack, if they were looking (e.g. decap sample chips, image at high magnification, and compare to the original design files)?
I don't think such an attack would work very well as a tailored access sort of thing. If the backdoored chips got into the supply chain, the general public would be affected. If the NSA wanted to only target certain people, they'd have to have a huge amount of control over Apple's supply chain, which would surely be noticed.
Depends on how you buy it. If the phone is mail ordered, it would be possible to swap with a compromised device during shipping. NSA's Tailored Access Operations group is known to perform this sort of attack [1].
If you want to ensure you get a phone from the standard supply chain, buy it in-person at a store where you can see someone take it off the shelf.