Apple made security changes to select chips in the fall of 2020

Mid-production design changes are uncommon for most companies, and especially for Apple. Yet it appears the company made an important change late last year to a select number of chips.

That’s according to a support page Apple published recently, spotted by Twitter user Andrew Pantyuhkin (via MacRumors). The support page says that the A-series A12 and A13 and the S-series S4 and S5 processors all received a security change, specifically a hardware design change to the Secure Storage Component.

According to Apple, the updated processors are otherwise the same, but they feature a “second-generation Secure Storage Component”, while earlier products have the first-generation design.

From the support document:

Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd-generation Secure Storage Component, while earlier products based on these SoCs have a 1st-generation Secure Storage Component.

Apple’s Secure Enclave is a coprocessor used for security-focused features within Apple’s devices, including Touch ID and Face ID authentication and Data Protection. It is designed to keep data that is too sensitive for the Application Processor itself isolated and secure. The part Apple changed, the Secure Storage Component, is the Secure Enclave’s dedicated secure non-volatile storage, which only the Secure Enclave can access.

The report indicates that, at the very least, the 8th-generation iPad, the Apple Watch SE, and the HomePod mini have a different Secure Storage Component than earlier models built on the same SoCs.

That said, the original report notes:

However, there are a number of discrepancies in Apple’s support document. Despite Apple explaining that A13 products “first released in Fall 2020 have a 2nd-generation Secure Storage Component,” there was no device with an A13 chip “first released in Fall 2020.” The last device to be released with an A13 chip was the iPhone SE in February 2020.

To make matters more confusing, the table listing the multiple versions of the Secure Enclave’s storage component in the feature summary omits the S4 chip with a second-generation Secure Storage Component, despite the rubric claiming that such a chip exists. The Apple Watch Series 4 was the only device to contain an S4 chip, and this device was discontinued in September 2019, long before the second-generation Secure Storage Component was implemented in the fall of 2020. It is possible that part of this lack of clarity relates to the fact that the A12 and S4 chips introduced the first-generation Secure Storage Component.

The updated Secure Enclave and Secure Storage Component are already present in the iPhone 12 series, the Apple Watch Series 6, and the new iPad Air, so the A14 and S6 processors are covered.

The 2nd-generation Secure Storage Component adds counter lockboxes. Each counter lockbox stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Access to the counter lockboxes is through an encrypted and authenticated protocol.

Counter lockboxes hold the entropy needed to unlock passcode-protected user data. To access the user data, the paired Secure Enclave must derive the correct passcode entropy value from the user’s passcode and the Secure Enclave’s UID. The user’s passcode can’t be learned using unlock attempts sent from a source other than the paired Secure Enclave. If the passcode attempt limit is exceeded (for example, 10 attempts on iPhone), the passcode-protected data is erased completely by the Secure Storage Component.
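To make the mechanism described above concrete, here is an added toy model of a counter lockbox and the paired Secure Enclave talking to it. It is not Apple’s code and not its actual protocol: the four stored fields follow the text, but the KDF used to derive the passcode entropy value, the 32-byte data-protection entropy, the pairing key and the HMAC request tag are assumptions standing in for Apple’s encrypted and authenticated protocol, whose details this page does not give (channel encryption is omitted entirely).

```python
"""Toy model of a 2nd-generation Secure Storage Component counter lockbox.
Illustrative only: the KDF, the pairing key and the HMAC request tag are
assumptions, not Apple's design."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ATTEMPTS_IPHONE = 10                # the example limit the text gives for iPhone
UID = secrets.token_bytes(32)           # constructed stand-in for the Secure Enclave's UID
PAIRING_KEY = secrets.token_bytes(32)   # constructed stand-in for the SE<->SSC pairing secret


def passcode_entropy(passcode: str, uid: bytes) -> bytes:
    """Paired-SE side: derive the passcode entropy value from passcode + UID.
    PBKDF2-HMAC-SHA256 is an assumed stand-in for whatever Apple actually uses."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, 10_000, dklen=32)


def authenticate(entropy_value: bytes, key: bytes) -> bytes:
    """Tag a request so the lockbox can tell it came from the paired SE (assumed HMAC scheme)."""
    return hmac.new(key, entropy_value, hashlib.sha256).digest()


@dataclass
class CounterLockbox:
    salt: bytes               # 128-bit salt
    verifier: bytes           # 128-bit passcode verifier
    counter: int              # 8-bit failed-attempt counter
    max_attempts: int         # 8-bit maximum attempt value
    protected: Optional[bytes]  # the entropy that unlocks user data; None once erased

    @staticmethod
    def _verifier_for(entropy_value: bytes, salt: bytes) -> bytes:
        # Assumed construction: salted hash truncated to 128 bits.
        return hashlib.sha256(salt + entropy_value).digest()[:16]

    @classmethod
    def create(cls, entropy_value: bytes, max_attempts: int, protected: bytes) -> "CounterLockbox":
        salt = secrets.token_bytes(16)
        return cls(salt, cls._verifier_for(entropy_value, salt), 0, max_attempts, protected)

    @property
    def erased(self) -> bool:
        return self.protected is None

    def unlock(self, entropy_value: bytes, tag: bytes) -> Optional[bytes]:
        # 1. A request not authenticated by the paired SE is rejected before the
        #    verifier or counter is touched, so a tool on the bus learns nothing.
        if not hmac.compare_digest(tag, authenticate(entropy_value, PAIRING_KEY)):
            raise PermissionError("request not from the paired Secure Enclave")
        if self.erased:
            return None
        # 2. Correct passcode entropy: reset the counter and release the entropy.
        if hmac.compare_digest(self._verifier_for(entropy_value, self.salt), self.verifier):
            self.counter = 0
            return self.protected
        # 3. Wrong passcode: count it (8-bit saturating) and erase at the limit.
        self.counter = min(self.counter + 1, 0xFF)
        if self.counter >= self.max_attempts:
            self.protected = None
            self.verifier = bytes(16)
            self.salt = bytes(16)
        return None


def demo(correct: str, guesses: List[str]) -> Dict[str, object]:
    """Provision a lockbox for `correct`, then push `guesses` through it from the paired SE."""
    data_entropy = secrets.token_bytes(32)  # constructed: the entropy protecting user data
    box = CounterLockbox.create(passcode_entropy(correct, UID), MAX_ATTEMPTS_IPHONE, data_entropy)
    recovered = None
    for guess in guesses:
        ev = passcode_entropy(guess, UID)
        recovered = box.unlock(ev, authenticate(ev, PAIRING_KEY))
        if recovered is not None or box.erased:
            break
    return {"recovered": recovered == data_entropy, "erased": box.erased, "counter": box.counter}


def offboard_probe(box: CounterLockbox, guess: str) -> bool:
    """A tool without the pairing key sends a guess with a bogus tag.
    True if the lockbox rejected it without spending an attempt."""
    before = box.counter
    try:
        box.unlock(passcode_entropy(guess, UID), bytes(32))
    except PermissionError:
        return box.counter == before
    return False


if __name__ == "__main__":
    print(demo("1234", ["1234"]))                              # correct on the first try
    print(demo("1234", [f"{i:04d}" for i in range(10)]))       # ten misses: erased
```

The point the model makes is the one in the text: guesses only count, and only work, when they arrive over the authenticated channel from the paired Secure Enclave, and the attempt counter lives in the storage component rather than in software the Application Processor could influence, so exceeding the limit destroys the entropy rather than merely delaying the next attempt.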

As noted in the original report, this change appears to be a countermeasure against passcode brute-forcing devices like GrayKey: with the attempt counter and the erase-on-limit logic enforced inside the Secure Storage Component, and only the paired Secure Enclave able to submit guesses, a tool cannot simply keep trying passcodes until one works.