• Did you order new AirTags? We've opened a dedicated AirTags forum.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,495
14,179


Apple made unusual mid-production hardware changes to the A12, A13, and S5 processors in its devices in the fall of 2020 to update the Secure Storage Component, according to Apple Support documents.

a13-bionic-mockup.jpg

According to an Apple Support page, spotted by Twitter user Andrew Pantyukhin, Apple changed the Secure Enclave in a number of products in the fall of 2020:
Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd-generation Secure Storage Component; while earlier products based on these SoCs have 1st-generation Secure Storage Component.
The Secure Enclave is a coprocessor that is used for data protection and authentication with Touch ID and Face ID. The purpose of the Secure Enclave is to handle keys and other information, such as biometrics, that are sensitive enough to not be handled by the Application Processor. This data is stored in a Secure Storage Component inside the Secure Enclave, which is the specific part that Apple changed last year.

The explanation in Apple's support document suggests, at minimum, that the eighth-generation entry-level iPad, Apple Watch SE, and HomePod mini have different Secure Enclaves compared to older devices with the same chip.

However, there are a number of discrepancies in Apple's support document. Despite Apple explaining that A13 products "first released in Fall 2020 have a 2nd-generation Secure Storage Component," there was no device with an A13 chip "first released in Fall 2020." The last device to be released with an A13 chip was the iPhone SE in February 2020.

If the change was, in fact, made to all newly-manufactured devices with these chips, the affected devices would include the iPhone XR, iPhone 11, iPhone SE, and fifth-generation iPad mini, as well as the newly-released eighth-generation iPad, Apple Watch SE, and HomePod mini.

a12-a13-s5-secure-enclave-change.jpg

To make matters more confusing, the table listing the multiple versions of the Secure Enclave's storage component in the feature summary omits the S4 chip with a second-generation Secure Storage Component, despite the rubric claiming that such a chip exists. The Apple Watch Series 4 was the only device to contain an S4 chip, and this device was discontinued in September 2019, long before the second-generation Secure Storage Component was implemented in the fall of 2020. It is possible that part of this lack of clarity relates to the fact that the A12 and S4 chips introduced the first-generation Secure Storage Component.

New devices containing the A14 or S6 chip, such as the iPhone 12, iPhone 12 Pro, fourth-generation iPad Air, and Apple Watch Series 6, also have the updated Secure Enclave.

Although the change took place in the fall of 2020, the support document detailing the alteration was published in February 2021. The full PDF version of Apple's Platform Security Guide reveals the difference between the first and second-generation Secure Storage Component:
The 2nd-generation Secure Storage Component adds counter lockboxes. Each counter lockbox stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Access to the counter lockboxes is through an encrypted and authenticated protocol.

Counter lockboxes hold the entropy needed to unlock passcode-protected user data. To access the user data, the paired Secure Enclave must derive the correct passcode entropy value from the user's passcode and the Secure Enclave's UID. The user's passcode can't be learned using unlock attempts sent from a source other than the paired Secure Enclave. If the passcode attempt limit is exceeded (for example, 10 attempts on iPhone), the passcode-protected data is erased completely by the Secure Storage Component.

This appears to be a countermeasure against password-cracking devices, such as GrayKey, which attempt to break into iPhones by guessing the passcode an infinite number of times, using exploits that allow for infinite incorrect password attempts.

The change appears to have been significant enough for Apple to justify an entire "second-generation" version of the Secure Enclave's storage. It is certainly unusual for Apple to change a component in its chips mid-way through production, but Apple likely deemed the security upgrade important enough to roll it out to all relevant new devices from the fall onwards, rather than just devices with the latest A14 and S6 chips.

Article Link: Apple Made Sudden Security Changes to its Chips in Fall 2020
 
  • Like
Reactions: RandomDSdevel

PBG4 Dude

macrumors 68040
Jul 6, 2007
3,355
2,865
I wonder if this was in response to a major hardware security breach? Does that mean that devices released before the patch are now vulnerable?
Many of Apple’s earlier devices now have exploited software/hardware weaknesses. Apple’s A series chips over multiple generations were vulnerable to the same hack, so certain systems can be cracked/jail broken no matter what OS is installed due to hardware weaknesses.

For other examples, Intel famously had the FDIV bug which required new hardware to resolve, and caused every OS available at the time to put in FDIV mitigation routines so the affected chips wouldn’t continue to fail.

Later intel, AMD, ARM and Apple A series chips were all vulnerable in some way to speculative execution exploits that used various forms of “bit-bashing” to reveal sensitive data from other threads running on the chip. Every Intel chip over multiple years and releases are vulnerable to Spectre and Meltdown attacks.

 
Comment

topgunn

macrumors 68000
Nov 5, 2004
1,507
1,838
Houston
This does not sound like it is dissimilar from what AMD and Intel deal with with when vulnerabilities are discovered in their processors, like Spectre and Meltdown. You fix as much as you can with software and fix the hardware in future iterations but existing hardware will always be somewhat vulnerable to these exploits.
 
Comment

macsareveryinteresting

macrumors 6502a
Dec 7, 2020
770
485
Colorado Springs
I wonder if this was in response to a major hardware security breach? Does that mean that devices released before the patch are now vulnerable?
No, devices aren't vulnerable but that can remain a mystery because on monthly occasions, we will get a security update. That just really makes me wonder. I'm on both prospectives currently. I think yours is true and mine is true.
 
  • Like
Reactions: amartinez1660
Comment

rp2011

macrumors 68000
Oct 12, 2010
1,950
2,098
Wow this sounds like a hugely expensive measure. Props to Apple and also for being financially able to take such a costly hit to extend security.
 
  • Like
Reactions: EmotionalSnow
Comment

subi257

macrumors 6502a
Sep 13, 2018
581
550
New Jersey
It’s more like $5 per charger, which isn’t insignificant.
That maybe true, but I still think most people don't really need new ones, but I'm sure some do. So, why not leave them out of the package but include a certificate entitling you to a free one, in case you do want it. Devices do get e-recycled at some point....I believe/hope, but I bet most of the other accessories in up in trash.
 
Comment

goobot

macrumors 603
Jun 26, 2009
5,989
3,077
long island NY
Apple has updated the security of their processors mid generation before, the 3GS being one I remember cause I was able to jailbreak mine since it was a day one.
 
Comment

PBG4 Dude

macrumors 68040
Jul 6, 2007
3,355
2,865
That maybe true, but I still think most people don't really need new ones, but I'm sure some do. So, why not leave them out of the package but include a certificate entitling you to a free one, in case you do want it. Devices do get e-recycled at some point....I believe/hope, but I bet most of the other accessories in up in trash.
If you add a certificate for a free charger, you might as well have put a charger in the box and save the paper used to make the certificate. I mean, “Who doesn’t like free?!?” Probably get a >90% uptake “just in case my current charger fails”.
 
  • Disagree
Reactions: nexu
Comment

WoodpeckerBaby

macrumors 65816
Aug 17, 2016
1,157
986
That maybe true, but I still think most people don't really need new ones, but I'm sure some do. So, why not leave them out of the package but include a certificate entitling you to a free one, in case you do want it. Devices do get e-recycled at some point....I believe/hope, but I bet most of the other accessories in up in trash.
I don’t have enough fast chargers at home, neither do my parents. I have some slow ones but they are occupied by lower-end products that never come with chargers. For example, power banks, electric arc lighters, rechargeable laser pointers, eInk Kindles, electric toothbrushes, headphone, etc. They also don’t work with USB-C.
 
  • Like
Reactions: subi257
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.