Breaking Apple secure enclave


Tokyo city.

I land at Narita Airport. My client said someone would meet me, but I don't know where, or what he looks like.

Exiting through the arrivals terminal, a gentleman in white gloves holds a sign: KeychainX

I don't ask questions, jump into the limo and off we go into Tokyo city… One hour into the ride we arrive at the entrance to a huge skyscraper close to Ikachimachi train station. I am left alone in the lobby and wait.

30 minutes later, three young Japanese men come and greet me with broken English.

Chainx?

Confused, I ask if it's Taro. He smiles.

I’m taken up to the 35th floor, with a view of the Tokyo Radio tower. My two bedroom apartment is sparsely decorated, but my task is simple.

The Tokyo Tower seen from my apartment.

They show me a laptop, bow, and ask:

  • Please Mr. Keychain, please OPEN.

I knew I only had 48 hours before my flight back to Europe to meet a new client in Barcelona. I bowed and smiled. 'Of course!' I replied.

Apparently, a client of theirs had a bitcoin fortune locked up on the laptop, and the password was lost. It was all in Japanese, and I don't speak a word of it. Even the contract was in Japanese. They showed me proof of ownership of the laptop, and the seal was from a well-known Tokyo intellectual property law firm. I did some googling and translating, and all seemed legit.

We had dinner and some posh sake, and back at the apartment before midnight I was given the laptop and left alone to start work.

Jet-lagged, I started by changing the boot mode to external and plugging in my own Mac through the Thunderbolt port. Then I booted up the system.

It's possible to boot the Mac in external mode and extract the code needed to break the password with custom-made tools. Luckily, the firmware password protection was off. But the disk was encrypted.

My custom script can brute-force the password at a few hundred tries per second. I also started cloning the system to an external disk. It would take all night, and I hoped (read: prayed) the password was short. Even a 5–6 character password would be long enough that I could not break in within a few hours or days.

The next morning I woke up and the Mac was dead. Unfortunately, the power supply for the Japanese Mac was damaged and I needed to get a new one. My backup had only got halfway (the disk held 1 TB of data), and the other script brute-forcing the password had had no luck. I was back at square one.

Without any knowledge of Japanese, I went out early Saturday morning to find a new power supply; luckily the shopping mall was open.

My Japanese hosts arrived by lunch and asked if the system was open. I had to disappoint them, explaining that the power supply was broken, so I had had to get a new one and start over.

A day later the password was still not found. I told them I had to fly back empty-handed, so they booked me a hotel room at Narita airport, as my flight was early the next morning. I could not bring the laptop with me. Luckily I had a backup image of the laptop on an external drive.

Pod hotel Narita airport, Tokyo Japan.

A few months passed; then I read about a new technique that could break AES encryption using side-channel attacks. The laptop hard drive image was encrypted using AES-512. There was a presentation being held in Las Vegas a month later. I thought it was worth a shot. Unfortunately, the method was not feasible without the original hardware, which I only figured out after spending two days in Las Vegas and wasting a few grand on the presentation.

I contacted the Japanese client again and convinced them I had a new way to open the Mac, but was not able to travel to Tokyo in the near future. My contact said they would talk with the client and decide on the next step.

Two weeks passed and they decided to send me the Mac by UPS. I had to agree that, if I managed to open the Mac, they would get to look at it first through a remote viewer like TeamViewer. No, this is not a hidden advertisement ;)

The laptop arrived a week later at a drop site in northern Europe (I was with another client), and I was really excited to try the new side-channel attack.

No luck.

So I started to play around with the laptop, pressing random keys out of boredom, when suddenly a new screen appeared, all in Japanese.

パスワードのヒント

After some googling it turned out to say "Password hint", so I hit show, and it revealed three Japanese characters. Something like this:

も と市

In English letters it reads: mo to ichi

Las Vegas security conference. 99% a three-letter-agency recruitment playground. Not limited to the US…

I was excited, so I contacted the Japanese client and told them about the finding. They told me many Japanese use a word plus some kind of number, like their lucky number or some piece of personal information.

I asked for the client's birth date. It was June 5th, 1981.

So I tried all combinations of motoichi + number.

Two days passed, no luck. A week passed, no luck.

So I wrote a custom rule that takes each candidate password and inserts one extra character into it, trying every possible character at every position: 0, 1, 2, 3, 4, 5, 6… etc.
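The two-stage candidate generation described above (a hint word plus a birth-date number, then one extra character inserted at every position) is exactly why a password hint and a birthday shrink the search space so dramatically. The Python below is an added example written for this post, not the author's script: it builds the candidate set from the hint word and birth date quoted above, counts it, compares it with the full keyspace for a 10-character password, and offers a `covered_by_rule` check so a defender can test whether a password of their own would be reachable this way. The date renderings in `date_suffixes` and the 94-symbol character set are assumptions of the example, not anything the post specifies.

```python
import string
from datetime import date

# Constructed sample inputs, taken from the post's narrative: the romanised
# password hint word and the owner's birth date.
BASE_WORD = "motoichi"
BIRTH_DATE = date(1981, 6, 5)

# Printable ASCII without the space character: 94 symbols (an assumption).
CHARSET = string.ascii_letters + string.digits + string.punctuation


def date_suffixes(d: date) -> list:
    """Numeric renderings of a date that people commonly bolt onto a word.

    The list of forms is an assumption for this example; a production rule
    set would be larger (two-digit years both ways, separators, etc.).
    """
    forms = [
        f"{d.day}", f"{d.day:02d}", f"{d.month}", f"{d.month:02d}",
        f"{d.month}{d.day}", f"{d.day}{d.month}",
        f"{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}",
        f"{d.year}", f"{d.year % 100:02d}",
        f"{d.year}{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{d.year}",
    ]
    return sorted(set(forms))


def stage1_candidates(word: str, d: date) -> set:
    """Stage 1 from the post: the bare word, 'word + number' and 'number + word'."""
    cands = {word}
    for s in date_suffixes(d):
        cands.add(word + s)
        cands.add(s + word)
    return cands


def insert_one_char(cands, charset: str = CHARSET) -> set:
    """Stage 2 from the post: for every candidate, insert one extra character,
    trying every charset symbol at every position 0..len(candidate)."""
    out = set()
    for c in cands:
        for pos in range(len(c) + 1):
            for ch in charset:
                out.add(c[:pos] + ch + c[pos:])
    return out


def rule_candidates(word: str, d: date) -> set:
    """Everything the two-stage hint-derived rule would ever try."""
    s1 = stage1_candidates(word, d)
    return s1 | insert_one_char(s1)


def covered_by_rule(password: str, word: str, d: date) -> bool:
    """Audit check: would this password fall to the hint-derived rule?"""
    return password in rule_candidates(word, d)


def keyspace_fraction(n_candidates: int, length: int,
                      charset_size: int = len(CHARSET)) -> float:
    """Fraction of the full charset**length space the rule set occupies."""
    return n_candidates / (charset_size ** length)


if __name__ == "__main__":
    s1 = stage1_candidates(BASE_WORD, BIRTH_DATE)
    allc = rule_candidates(BASE_WORD, BIRTH_DATE)
    print(f"stage 1 candidates:            {len(s1)}")
    print(f"after one-char insertion:      {len(allc)}")
    print(f"fraction of 10-char keyspace:  {keyspace_fraction(len(allc), 10):.2e}")
    # Constructed test passwords: two reachable by the rule, two not.
    for pw in ("motoichi1981", "motoichi!1981", "m0toichi0605", "Tr0ub4dor&3"):
        print(f"{pw!r:18} covered: {covered_by_rule(pw, BASE_WORD, BIRTH_DATE)}")
```

Running it shows the whole rule set is a few tens of thousands of strings, a vanishingly small fraction of the roughly 94^10 ten-character passwords a blind brute-force would face; "motoichi!1981" is covered because it is one insertion away from a stage-1 candidate, while "m0toichi0605" is not, since a substitution (o→0) is a different rule from an insertion. The takeaway for a defender is that hint text plus easily discovered personal data, not password length, decides how hard a password is to recover.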

Surprisingly, we got a hit.

The password was 10+ characters: impossible to brute-force by industry standards, and said by Apple to be unhackable. Still, both the image copy and the laptop hardware were opened using this password.

I phoned the client and asked them to wire a deposit of X BTC. They agreed, I got the TeamViewer password, and off we went…

Under NDA we are not able to disclose the final amount, but all the information above was audited by the Japanese law firm and OK'd.

Lesson learned: there is no such thing as a secure enclave; it is still possible to BRUTE FORCE. Thanks Apple ;)


Computer unlocked, mission accomplished. Off we go to the next target: an LA client with a Bitcoin Core wallet…

Disclaimer! This article was written by Robert Rhodin, CEO of the wallet recovery service KEYCHAINX LLC, based in California, USA. Visit https://keychainx.io or send us an email at keychainx@protonmail.com

Wallet Recovery Service https://keychainx.io
