Apple updated the Secure Enclave component in its A12, A13, S4, and S5 chips in fall 2020 to a second-generation version. Earlier products launched with these chips had a 1st-generation Secure Storage Component.
Apple updated Secure Enclave with 2nd-generation Secure Storage Component in A12 and A13 chips in fall 2020
Secure Enclave is part of Apple’s ARM-based chips for iPhone, iPad, and Apple Watch, and contains biometric authentication data for Touch ID and Face ID.
Apple had not announced this change back then, however, it updated its Secure Enclave technical support page on its website with the following note, as spotted by Andrew Pantyukhin on Twitter.
Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd-generation Secure Storage Component; while earlier products based on these SoCs have 1st-generation Secure Storage Component.
Apple had gone into further detail on what was changed in the 2nd-generation Secure Storage Component in its Platform Security Guide.
The 2nd-generation Secure Storage Component adds counter lockboxes. Each counter lockbox stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Access to the counter lockboxes is through an encrypted and authenticated protocol.
Counter lockboxes hold the entropy needed to unlock passcode-protected user data. To access the user data, the paired Secure Enclave must derive the correct passcode entropy value from the user’s passcode and the Secure Enclave’s UID. The user’s passcode can’t be learned using unlock attempts sent from a source other than the paired Secure Enclave. If the passcode attempt limit is exceeded (for example, 10 attempts on iPhone), the passcode-protected data is erased completely by the Secure Storage Component.
As MacRumors noted, it seems that Apple strengthened the security of the devices by adding a countermeasure, which could potentially help against physical hacking devices like GrayKey, which brute force into iPhones by guessing the passcode, while bypassing limits on incorrect passcode attempts.
