Apple Platform Security
-
Welcome
-
Introduction
-
-
Services security overview
-
-
Apple Pay overview
-
Apple Pay components
-
Secure Element and NFC controller
-
Payment authorization
-
Transaction-specific dynamic security code
-
Pay with credit and debit cards in stores
-
Pay with credit and debit cards within apps
-
Paying with credit and debit cards on the web
-
Contactless passes
-
Render cards unusable
-
Suspending, removing, and erasing cards
-
Apple Cash
-
Transit cards
-
Credit and debit cards for transit
-
Student ID cards
-
-
Business Chat
-
FaceTime
-
-
-
Developer Kits overview
-
-
HomeKit identity
-
Communication with HomeKit accessories
-
Local data storage
-
Data synchronization between devices and users
-
Home data and apps
-
HomeKit and Siri
-
HomeKit IP cameras
-
HomeKit routers
-
iCloud remote access for HomeKit accessories
-
HomeKit TV Remote accessories
-
Apple TV profiles for HomeKit homes
-
-
CloudKit
-
SiriKit
-
DriverKit
-
Camera and ARKit
-
-
-
Secure device management overview
-
Pairing model
-
Passcode and password settings management
-
Configuration enforcement
-
Mobile device management (MDM)
-
Automated Device Enrollment
-
Apple Configurator 2
-
Device supervision
-
Device restrictions
-
Activation Lock
-
Lost Mode, remote wipe, and remote lock
-
Screen Time
-
-
Glossary
-
Document Revision History
-
Copyright
Peripheral firmware security
Mac computers have many built-in peripheral processors dedicated to tasks such as networking, graphics, power management, or managing data buses like USB or Thunderbolt. Often peripheral firmware is single-purpose, and much less powerful than the Intel CPU. However, built-in peripherals that don’t implement sufficient security become a target for attackers seeking even easier targets to exploit and then persistently infect the operating system. Having infected a peripheral processor firmware, an attacker could target software on the Intel CPU, or directly capture sensitive data (for example, an Ethernet device could see the contents of packets which aren’t encrypted).
Apple strategically works with third-party vendors to reduce (wherever possible) the number of peripheral processors necessary, or to avoid designs that require firmware. But when firmware is required, efforts are taken to ensure an attacker can’t persist on that processor. This can be achieved:
By running the processor in a mode where it downloads verified firmware from the Intel CPU on startup
By ensuring the peripheral processor implements its own secure boot chain where it verifies its own firmware on every boot
Apple works with vendors to audit their implementations, and enhance their designs to include desired properties such as:
Ensuring minimum cryptographic strengths
Strong revocation of known bad firmware
Disabling debug interfaces
Signing the firmware with cryptographic keys that are stored in Apple-controlled Hardware Security Modules (HSMs)
In recent years Apple has worked with some external vendors to adopt the same “Image4” data structures, verification code, and signing infrastructure used by iOS, iPadOS, and Mac computers with the Apple T2 Security Chip.
When neither storage-free operation nor storage plus secure boot is an option, the design mandates that firmware updates be cryptographically signed and verified before the persistent storage can be updated.