Trusted Execution Environments (TEEs) have become a cornerstone of modern cryptographic security infrastructure, powering everything from Apple Pay to confidential cloud computing. But recent reports have exposed critical vulnerabilities that every developer and security professional needs to understand. Let's break down what TEEs are, how they work in practice, and why physical side-channel attacks remain their Achilles' heel.
What Are TEEs and How Do They Work?
At their core, TEEs (sometimes referred to as Secure Enclaves) are specialized hardware components that function as verifiable black boxes. You can pass sensitive data into a TEE with the assurance that only the TEE can access it. The TEE processes that data and returns results along with cryptographic proof (usually referred to as an attestation) that it performed the intended operations correctly.
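To make the attestation idea concrete, here is an added example, written for this article rather than taken from any TEE vendor's SDK or from Keypo, that models the exchange in Go: a simulated enclave signs a report containing the hash of its loaded code, a security version number and the verifier's nonce, and a relying party checks the signature, the freshness, the expected code measurement and a minimum version before trusting anything the enclave returns. The report layout, the P-256 attestation key generated at startup, the build strings and the error names are all assumptions made for the example; real SGX quotes and Nitro attestation documents use different, richer formats and chain to a vendor certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Report is a simplified stand-in for a hardware attestation report (constructed for this example).
type Report struct {
	Measurement [32]byte // hash of the code loaded into the enclave
	SVN         uint16   // security version number of that code
	Nonce       [16]byte // verifier-chosen freshness value
}

// Encode serialises the report deterministically so signer and verifier hash identical bytes.
func (r Report) Encode() []byte {
	var svn [2]byte
	binary.BigEndian.PutUint16(svn[:], r.SVN)
	return append(append(append([]byte{}, r.Measurement[:]...), svn[:]...), r.Nonce[:]...)
}

// Attest models the hardware side: a key that never leaves the "silicon" signs a report over
// the measurement of whatever code is loaded, that code's SVN, and the caller's nonce.
func Attest(key *ecdsa.PrivateKey, code []byte, svn uint16, nonce [16]byte) (Report, []byte, error) {
	r := Report{Measurement: sha256.Sum256(code), SVN: svn, Nonce: nonce}
	digest := sha256.Sum256(r.Encode())
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return r, sig, err
}

// Policy is what the relying party trusts: the vendor's attestation public key, the
// measurement of the code it expects, and the oldest security version it will accept.
type Policy struct {
	AttestPub   *ecdsa.PublicKey
	Measurement [32]byte
	MinSVN      uint16
}

var (
	ErrBadSignature = errors.New("attestation signature invalid")
	ErrStaleNonce   = errors.New("nonce mismatch: report replayed or not fresh")
	ErrWrongCode    = errors.New("measurement mismatch: unexpected code in enclave")
	ErrOldVersion   = errors.New("security version below policy floor: rollback rejected")
)

// Verify makes the checks a relying party needs before trusting TEE output: genuine hardware
// signed the report, it is fresh, it describes the expected code, and it is not a downgraded build.
func Verify(p Policy, r Report, sig []byte, nonce [16]byte) error {
	digest := sha256.Sum256(r.Encode())
	switch {
	case !ecdsa.VerifyASN1(p.AttestPub, digest[:], sig): // also catches any edited field
		return ErrBadSignature
	case r.Nonce != nonce:
		return ErrStaleNonce
	case r.Measurement != p.Measurement:
		return ErrWrongCode
	case r.SVN < p.MinSVN:
		return ErrOldVersion
	}
	return nil
}

// Scenario runs Verify against one genuine report and three failure cases, all signed by the
// same genuine hardware key, and returns each outcome keyed by name.
func Scenario() (map[string]error, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fused at manufacture in real parts
	if err != nil {
		return nil, err
	}
	code := []byte("enclave application build 2") // constructed stand-in for an enclave binary
	policy := Policy{AttestPub: &key.PublicKey, Measurement: sha256.Sum256(code), MinSVN: 2}
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nil, err
	}
	out := map[string]error{}
	r, sig, err := Attest(key, code, 2, nonce)
	if err != nil {
		return nil, err
	}
	out["genuine"] = Verify(policy, r, sig, nonce)
	stale := nonce // replay: a genuine report, but for a nonce this verifier never issued
	stale[0] ^= 0x01
	out["replayed"] = Verify(policy, r, sig, stale)
	r2, sig2, _ := Attest(key, []byte("unknown build"), 2, nonce) // genuine hardware, wrong code
	out["wrong_code"] = Verify(policy, r2, sig2, nonce)
	r3, sig3, _ := Attest(key, code, 1, nonce) // expected code, but an older security version
	out["rollback"] = Verify(policy, r3, sig3, nonce)
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Println(out, err) // genuine maps to <nil>; the other three carry their rejection reason
}
```

The order of the checks matters: the signature is verified first, so a report whose fields have been edited fails there, and the later checks only ever run on reports the hardware actually produced. The version floor is what stops a genuine but downgraded build from passing even though its measurement is one the policy recognises.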
Think of a TEE as a secure vault built directly into your CPU. Even if someone compromises your operating system, gains administrator access, or even physically accesses your device's memory, they still can't peek inside the TEE. The encryption keys that protect your data never leave the processor package itself—they exist only inside the CPU die and are destroyed when the system resets.
This architecture has enabled breakthrough applications that simply weren't possible before. When Apple launched Face ID in 2017, it was designed so that your facial biometric data never touches iOS, never syncs to iCloud, and never leaves the TEE. Apple literally cannot access this data even if it wanted to, a fact that became politically significant during the 2016 San Bernardino case, when the FBI demanded that Apple unlock an iPhone. For devices with a Secure Enclave, Apple's response was essentially: "We can't, because the cryptographic keys physically don't exist outside the hardware, and even we can't extract them."
Mobile payments work the same way. When you use Apple Pay or Google Pay, your actual card number is stored in a TEE, and each transaction generates a one-time security code. The payment terminal never sees your real card details—making mobile payments significantly more secure than physical credit cards that literally print the account number on their face.
The Limitation: Pure TEEs Can't Connect to the Internet
This sounds perfect in theory, but there's a catch: for TEEs to maintain their security guarantees, they must remain isolated, which means they can't be connected to the internet. This fundamental limitation means that most real-world implementations use a TEE as one piece of a larger system, and the design of that larger system is where vulnerabilities start to surface.
The Reality: Confidential Virtual Machines (CVMs)
What most products actually deploy are Confidential Virtual Machines, or CVMs. These are server racks that contain TEEs connected to non-TEE hardware, combining hardware-level security with software protections and cloud vendor guarantees to bridge the connectivity gap.
The most widely deployed example is AWS Nitro Enclaves. In this architecture, the TEE is bound to a specific EC2 instance—essentially a general-purpose server running your application. The Nitro Enclave has no persistent storage, no interactive access, and no external networking. Even root administrators cannot SSH into the enclave or access its memory. AWS provides the guarantee that the TEE will only communicate with the instance you specify.
Many trusted crypto wallets, including Coinbase, Privy, and Dynamic, rely on this infrastructure. If you're interested in digging in deeper, we recommend reviewing this AWS blog post on how wallet applications are built on their infrastructure.
Major cloud providers have built entire confidential computing offerings around CVMs:
- Microsoft Azure offers confidential VMs using Intel and AMD TEEs, with "Always Encrypted with Secure Enclaves" protecting SQL Server queries
- Google Cloud provides Confidential VMs and Confidential Space for multi-party machine learning where competing companies can collaborate on AI models without exposing their proprietary training data
- Healthcare organizations use TEEs to process patient data for AI algorithm development—the data remains encrypted even during computation, satisfying HIPAA requirements while enabling research
The Persistent Threat: Physical Side-Channel Attacks
There's one attack vector for TEEs that has been demonstrated successfully time and time again: physical side-channel attacks.
Here's the simplified explanation: a TEE isolates your data from software attackers, but it still shares physical hardware resources with untrusted code. Modern processors use caches, branch predictors, and execution units that multiple programs access simultaneously. Even though the data the TEE hands to these shared resources is encrypted, its decryption keys can still be deduced from timing variations (how long operations take to execute), power consumption patterns, and electromagnetic emissions.
If an attacker can monitor the communication between the TEE and non-TEE hardware—or observe how the TEE affects shared CPU resources—they may be able to deduce the encryption keys the TEE uses internally to protect your data during processing.
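The smallest instance of the secret-dependent behaviour described above is a comparison routine that stops at the first mismatching byte. The following added example (not code from the original post) counts, in Go, the steps such a routine takes, which stands in for the execution time an observer would measure, and sets it beside a constant-time comparison whose step count never changes. The 8-byte secret and the prefix-matching guesses are constructed inputs for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// naiveEqual is the obvious way to compare a guess against a secret: stop at the first
// mismatch. The step count returned with the verdict stands in for execution time; it
// equals the length of the matching prefix plus one, so the running time depends on the secret.
func naiveEqual(secret, guess []byte) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 1
	}
	for i := range secret {
		steps++
		if secret[i] != guess[i] {
			return false, steps
		}
	}
	return true, steps
}

// constantTimeEqual does the same job but touches every byte whatever the input, so the
// step count (and, on real hardware, the timing and cache footprint) does not depend on the
// secret. It is the spelled-out form of what crypto/subtle.ConstantTimeCompare does.
func constantTimeEqual(secret, guess []byte) (equal bool, steps int) {
	if len(secret) != len(guess) { // lengths are treated as public, as subtle does
		return false, 1
	}
	var diff byte
	for i := range secret {
		steps++
		diff |= secret[i] ^ guess[i] // accumulate mismatches without branching on them
	}
	return subtle.ConstantTimeByteEq(diff, 0) == 1, steps
}

// guessWithPrefix builds a constructed guess that matches secret for its first n bytes and
// differs at every later position.
func guessWithPrefix(secret []byte, n int) []byte {
	g := make([]byte, len(secret))
	copy(g, secret[:n])
	for i := n; i < len(secret); i++ {
		g[i] = secret[i] ^ 0xFF
	}
	return g
}

// StepProfile records, for every possible matched-prefix length n = 0..len(secret), how many
// steps each comparison takes. A profile that changes with n is exactly the kind of
// secret-dependent signal a timing side channel exposes.
func StepProfile(secret []byte) (naive, constant []int) {
	for n := 0; n <= len(secret); n++ {
		g := guessWithPrefix(secret, n)
		_, s1 := naiveEqual(secret, g)
		_, s2 := constantTimeEqual(secret, g)
		naive = append(naive, s1)
		constant = append(constant, s2)
	}
	return naive, constant
}

// ResultsAgree confirms both comparisons give the same verdict as the library routine on a
// matching guess, a partially matching guess, and a wrong-length guess.
func ResultsAgree(secret []byte) bool {
	for _, g := range [][]byte{secret, guessWithPrefix(secret, 3), secret[:len(secret)-1]} {
		want := subtle.ConstantTimeCompare(secret, g) == 1
		a, _ := naiveEqual(secret, g)
		b, _ := constantTimeEqual(secret, g)
		if a != want || b != want {
			return false
		}
	}
	return true
}

func main() {
	secret := []byte("s3cr3t-k") // constructed 8-byte secret, e.g. a MAC tag or token fragment
	naive, constant := StepProfile(secret)
	fmt.Println("naive:   ", naive)    // [1 2 3 4 5 6 7 8 8]
	fmt.Println("constant:", constant) // [8 8 8 8 8 8 8 8 8]
	fmt.Println("verdicts agree:", ResultsAgree(secret))
}
```

Counting steps instead of reading a clock keeps the result deterministic, but the lesson carries over: the profile of naiveEqual climbs with every correctly guessed byte while constantTimeEqual's is flat, and on real silicon the same asymmetry shows up as timing and cache differences. The mitigation is to keep every operation that touches secret material constant-time, which is what crypto/subtle exists for.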
The Vulnerability Timeline: A Persistent Problem
This isn't a theoretical concern. The vulnerabilities have been relentless:
Spectre and Meltdown (2018) exploited speculative execution—a performance optimization where CPUs guess which code to run next—to leak sensitive data from TEE memory via cache timing. Researchers demonstrated attacks extracting passwords and encryption keys from Intel SGX enclaves.
Foreshadow (2018) went further, extracting SGX attestation keys—the cryptographic roots that prove a TEE is genuine and uncompromised. This represented what researchers called "the collapse of the SGX ecosystem" because it compromised the foundation of trust.
Plundervolt (2019) showed that manipulating CPU voltage through software could corrupt TEE computations, recovering AES and RSA keys. Intel's response was to disable voltage control features entirely.
SGAxe and CacheOut (2020) demonstrated new cache eviction techniques to leak attestation keys. ÆPIC Leak (2022) became the first architectural (not just side-channel) vulnerability, exploiting a feature in Intel's Advanced Programmable Interrupt Controller.
Security researchers at sgx.fail bluntly stated that "every SGX-enabled processor Intel has shipped since 2015 has been compromised" by one attack or another.
ARM-based TEEs haven't fared better. Qualcomm's QSEE (Qualcomm Secure Execution Environment), which powers the majority of Android devices, has accumulated seven years of documented vulnerabilities. Researchers found trustlet downgrade attacks affecting Google Nexus, Samsung Galaxy, and Huawei phones—where the same verification key across firmware versions allowed rolling back to vulnerable code.
The Exception: Apple's Architectural Advantage
Interestingly, Apple's Secure Enclave has proven significantly more resilient over the past 5 years. Why? Because it is not just isolated software: it is a completely separate processor core with dedicated memory and no shared microarchitectural resources. There is no cache to time and no branch predictor to manipulate, because the Secure Enclave does not share these components with the main processor. Furthermore, since Apple started building its own processors, the Secure Enclave has moved onto the same die as the CPU, making physical attacks even harder by forcing the attacker to tamper with a silicon die instead of a circuit board. The most recent documented vulnerabilities, the 2019 checkm8 exploit and the 2020 SEPROM vulnerability, affected Apple products that used the old architecture, where the TEE was a component separate from the CPU.
Permissioned Systems: TEEs Work Well
If you're deploying TEEs in a controlled environment—enterprise data centers, major cloud providers with physical security, trusted manufacturing facilities—the threat of physical side-channel attacks is manageable. An attacker would need to:
- Gain physical access to the data center
- Compromise the server hardware itself
- Install specialized monitoring equipment
- Have the expertise to analyze side-channel signals
Permissionless Systems: A New Paradigm
An emerging area of exploration involves using TEEs in permissionless or decentralized systems—environments where anyone can participate and physical infrastructure control cannot be guaranteed. TEEs are interesting here because they could potentially provide privacy guarantees by protecting user data like wallet addresses and token balances. But allowing anyone to run a node shifts the threat model dramatically. If network participants can operate nodes on consumer hardware without oversight, they potentially have unlimited physical access to attempt side-channel attacks.
This represents a fundamentally different security challenge. Projects exploring this space are developing additional protective layers: cryptographic verification across multiple independent nodes, requirements that infrastructure be hosted by vetted cloud providers, and economic incentive structures that make individual node compromise unprofitable. The field is still maturing, with active research into how TEEs can be effectively integrated into truly decentralized architectures.
The Bottom Line
TEEs represent one of the most significant advances in hardware security, providing robust protection that has fundamentally transformed what's possible in modern computing. Billions of devices rely on them daily—from Face ID authentication to Apple Pay transactions to confidential cloud computing. These aren't theoretical security improvements; they're battle-tested technologies protecting real sensitive data in production environments.
However, TEEs are not perfect. They are known to be susceptible to physical attacks, so using them securely depends on the larger application having proper safeguards. Be particularly wary of decentralized applications that rely too heavily on TEEs to secure user assets.
---
Keypo leverages Apple's Secure Enclave to provide hardware-secured protection for cryptocurrency seed phrases and digital credentials. By building on one of the most resilient TEE platforms available, Keypo delivers excellent security that users can hold in their hands. To limit the damage a physical attack can do, Keypo splits your seed phrase into pieces using Shamir Secret Sharing, so compromising one device does not leak your seed phrase.
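As an added illustration of the Shamir Secret Sharing idea (example code written for this article, not Keypo's implementation, whose share format and parameters are not described here), the following Go program splits a constructed 16-byte seed into a 2-of-3 scheme over the prime field modulo 2^255 - 19 and recovers it from any two shares, while a single share yields nothing usable. The choice of prime, the share encoding, the threshold and the sample seed bytes are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// All arithmetic is modulo the prime 2^255 - 19 (chosen for this example because it is a
// well-known prime comfortably larger than a 16-byte seed; any prime larger than the secret works).
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))

// Share is one point (x, f(x)) on the secret polynomial. x is never 0, because f(0) is the secret.
type Share struct {
	X int
	Y *big.Int
}

// Split encodes the secret as the constant term of a random polynomial of degree k-1 and hands
// out n points on it. Any k points determine the polynomial; k-1 points are consistent with
// every possible secret, which is why a single captured device reveals nothing.
func Split(secret []byte, k, n int) ([]Share, error) {
	s := new(big.Int).SetBytes(secret)
	if k < 2 || n < k || s.Cmp(prime) >= 0 {
		return nil, errors.New("need 2 <= k <= n and a secret smaller than the field prime")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime) // uniformly random coefficient in [0, p)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner's rule: y = c0 + x*(c1 + x*(c2 + ...)) mod p
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// Recover interpolates f(0) from the supplied shares with Lagrange's formula over the field.
// secretLen restores any leading zero bytes that the integer encoding dropped.
func Recover(shares []Share, secretLen int) ([]byte, error) {
	sum := new(big.Int)
	for i, si := range shares {
		xi := big.NewInt(int64(si.X))
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if sj.X == si.X {
				return nil, errors.New("duplicate share")
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)   // multiply by (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime) // multiply by (xi - xj)
		}
		term := new(big.Int).ModInverse(den, prime) // Lagrange basis value at 0, times y_i
		term.Mul(term, num).Mul(term, si.Y).Mod(term, prime)
		sum.Add(sum, term).Mod(sum, prime)
	}
	if sum.BitLen() > secretLen*8 {
		return nil, errors.New("recovered value does not fit: wrong or insufficient shares")
	}
	return sum.FillBytes(make([]byte, secretLen)), nil
}

func main() {
	// Constructed 16-byte stand-in for BIP39 seed entropy; the leading zero byte exercises FillBytes.
	seed := []byte{0x00, 0x1f, 0x8e, 0x42, 0x9a, 0x07, 0xc3, 0x55, 0xd1, 0x6b, 0x2e, 0xf0, 0x13, 0x77, 0xa8, 0x5c}
	shares, err := Split(seed, 2, 3) // 2-of-3: any two devices rebuild the seed, one alone cannot
	if err != nil {
		panic(err)
	}
	got, err := Recover([]Share{shares[0], shares[2]}, len(seed))
	fmt.Println("2 of 3 recovers seed:", err == nil && bytes.Equal(got, seed))
	one, err := Recover(shares[:1], len(seed))
	fmt.Println("1 of 3 recovers seed:", err == nil && bytes.Equal(one, seed))
}
```

The guarantee is information-theoretic rather than computational: with a 2-of-3 split, one share is a single point on a random line, and every possible seed lies on some line through that point, so an attacker who fully compromises one device learns nothing about the seed no matter how much computing power they have. The threshold is the parameter to set deliberately, since it trades resistance to device compromise against tolerance for device loss.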