Documents

Secure Key Extraction by Physical De-Processing of Apple’s A4 Processor

Mar. 10, 2015

1/1
Download
Page 1 from Secure Key Extraction by Physical De-Processing of Apple’s A4 Processor
[edit] (SHNF) Secure key extraction by physical de-processing of Apple?s A4 processor Presenters: and The Apple A4 processor contains an on-board. AES key called the Global ID that is believed to be shared across all current "iDeyices". This GID key is used to un?wrap the keys that the corresponding boot ?rmware code stored in system non?volatile memory. Currently. the only way to examine boot code is to gain execution through an ewloitable software security ?aw. However. Apple is quick to address these ?aws with each new release of ?rmware and hardware. The Intelligence Community is highly dependent on a very small number of security ?aws. many of which are public. which Apple eventually patches. This presentation will discuss a method to physically extract the STD key. If successful. it would enable and analysis of the boot ?rmware for vulnerabilities. and development of associated exploits across the entire A4?based product?line. which includes the iPhonetE 4. the iPod touchtE and the iPath. Apple relies on commercial and proprietary relationships with major integrated circuit manufacturers to supply the internal hardware for their leading-edge consumer products. Therefore. design and manufacturing information about the A4 is closely held intellectual property Some reverse? engineering reports have concluded that the A4 is manufactured by Samsung Ltd. for exclusive use in Apple products. Their data is compelling. They have shown that the Samsung Cortex A8 pProcessor core layout is used in the A4. If that is true. then it is possible that other Samsung IF. such as its non-volatile memory technology. may be used in this chip. Programmable non-volatile memory offers the most design ?exibility. reliability and security to store proprietary critical product information. such as the GID key. Although. Samsung is a major supplier of ?ash memory chips it also holds IP in the area of CMDS?compatible. eFuse technology. The eFuse memory is thought to offer more immunity to random data upset. and a higher level of anti-tamper resistance. Therefore. this type of memory would be ideal as a secure repository of critical product information on the A4. We will use comparatiye examples of known Samsung product. versus the A4. in order to determine the type and location of WM. In addition. we will discuss the progress made to date to determine where the GID key is located recovered by physical de-processing of the chip.
[edit] (SHNF) Secure key extraction by physical de-processing of Apple?s A4 processor Presenters: and The Apple A4 processor contains an on-board. AES key called the Global ID that is believed to be shared across all current "iDeyices". This GID key is used to un?wrap the keys that the corresponding boot ?rmware code stored in system non?volatile memory. Currently. the only way to examine boot code is to gain execution through an ewloitable software security ?aw. However. Apple is quick to address these ?aws with each new release of ?rmware and hardware. The Intelligence Community is highly dependent on a very small number of security ?aws. many of which are public. which Apple eventually patches. This presentation will discuss a method to physically extract the STD key. If successful. it would enable and analysis of the boot ?rmware for vulnerabilities. and development of associated exploits across the entire A4?based product?line. which includes the iPhonetE 4. the iPod touchtE and the iPath. Apple relies on commercial and proprietary relationships with major integrated circuit manufacturers to supply the internal hardware for their leading-edge consumer products. Therefore. design and manufacturing information about the A4 is closely held intellectual property Some reverse? engineering reports have concluded that the A4 is manufactured by Samsung Ltd. for exclusive use in Apple products. Their data is compelling. They have shown that the Samsung Cortex A8 pProcessor core layout is used in the A4. If that is true. then it is possible that other Samsung IF. such as its non-volatile memory technology. may be used in this chip. Programmable non-volatile memory offers the most design ?exibility. reliability and security to store proprietary critical product information. such as the GID key. Although. Samsung is a major supplier of ?ash memory chips it also holds IP in the area of CMDS?compatible. eFuse technology. The eFuse memory is thought to offer more immunity to random data upset. and a higher level of anti-tamper resistance. Therefore. this type of memory would be ideal as a secure repository of critical product information on the A4. We will use comparatiye examples of known Samsung product. versus the A4. in order to determine the type and location of WM. In addition. we will discuss the progress made to date to determine where the GID key is located recovered by physical de-processing of the chip.