Trusted Execution Environments (TEEs) are a very important security infrastructure that offer excellent protection against software-based attacks by isolating sensitive code and data from potentially compromised systems, but remain vulnerable to physical attacks. This weakness plays out very differently depending on whether you're dealing with cloud-based TEEs or consumer device TEEs, with consumer TEEs much more resilient against physical attacks.
The Core Vulnerability
TEEs are secure areas within processors that protect sensitive data and code from the rest of the system. Think of them as a vault inside your CPU—even if malware takes over your operating system, it can't see what is happening inside the TEE.
TEE technology has been around for two decades and today, TEEs protect everything from mobile payments and biometric data to cloud computing involving sensitive financial and healthcare information. Learn more about TEEs here.
The physical attack weakness works like this: when a TEE communicates with external memory or other components, that data travels over physical connections on the device. If someone can physically monitor these communications—by attaching probes to the chip or board—they can potentially extract encryption keys or other secrets as they are running through the chip.
This is fundamentally different from software attacks which can be launched from anywhere in the world to try to exploit a system remotely. In the case of TEEs, the attack surface area requires a physical exploitation on the actual hardware. This distinction matters enormously for threat modeling and architecting secure networks.
Cloud-Based TEEs: Trusting the Provider
A cloud TEE is a trusted execution environment that runs on cloud provider hardware, controlled/operated by AWS, GCP, Azure, etc. For cloud-based TEEs like AWS Nitro Enclaves—which power many consumer wallets including Coinbase and Privy—executing a physical attack means cutting traces on a circuit board and hooking it up to electronic measuring equipment.
To mitigate against this, many cloud providers maintain physical security of their facilities with strict access controls and security precautions to prevent anyone, including rogue employees, from compromising their hardware.
The real difference in cloud providers occurs in how they approach the hardware. Rather than using special CPU encryption features, AWS Nitro Enclaves use isolated hardware in their TEEs to create isolated virtual machines with no persistent storage, no SSH access, and no external networking. These dedicated CPUs only have a local communication channel to the parent instance, isolating it from any potentially compromised memory, caching, firmware, or other software-based attack vectors.
Other hardware TEEs such as the Intel SGX, which has been used by some enterprise clients including Azure and Coinbase, run their secure enclave on the same CPU making it vulnerable to software-based attack vectors. Since 2018 Intel SGX has faced a steady stream of successful attacks, each exploiting different aspects of the execution and hardware design.
Trusting cloud-based TEEs requires trusting the cloud providers themselves and understanding the architecture they use to maintain security. Software-based vulnerabilities still exist with TEEs that are not properly architected, leading to potential vulnerabilities in the end applications using these TEEs.
Consumer Device TEEs: A Superior Approach
At Keypo, we rely exclusively on consumer device TEEs. These are the highly secure enclaves found in devices you already own, like your iPhone or MacBook. We focus on Apple devices, which have the strongest and most secure architecture of consumer TEEs on the market (and superior to many cloud-based TEEs as well).
Architecture: Separate Chip vs. Integrated Design
Apple's Secure Enclave is a dedicated coprocessor—a physically isolated processor running its own operating system called sepOS. This isn't just a protected region of memory; it's an entirely independent computing unit with its own boot ROM, cryptographic accelerators, and secure storage.
Take a look at an iPhone’s motherboard. I’ve circled the CPU:
That small black package is the System-on-Chip (SoC), and inside it are nanometer-scale transistors—the tiny, intricate structures that make modern chips scientific marvels.
The Secure Enclave lives within this package, with its communications to the main processor happening inside the chip rather than over external circuit board traces.
Memory encryption adds another layer. The Secure Enclave encrypts its dedicated memory region with an ephemeral key that changes on every boot—meaning even if you could somehow read that memory, you'd get meaningless encrypted data. Anti-replay counters prevent attackers from rolling back to earlier states.
The Physical Reality
To execute a physical attack on a consumer device TEE, an attacker would need to:
- Cut connections between nanometer-scale components without destroying the chip's ability to function—we're talking about structures smaller than a virus
- Use advanced techniques like focused ion beam (FIB) microscopy to probe internal signals—equipment that costs hundreds of thousands of dollars and requires specialized expertise
- Overcome active countermeasures like Apple's encrypted memory bus and hardware-fused unique device keys that can't be extracted even with physical access
There hasn't been a known successful attack extracting keys from Apple's Secure Enclave on Apple Silicon devices (M1/M2/M3 Macs, A12+ iPhones). The most significant disclosed vulnerability—found by the Pangu Team in 2022—affected only older A7-A11 chips, required physical access, and was extremely difficult to exploit in practice. And critically, these attacks typically require destroying the device in the process, making them impractical for most threat scenarios.
Keypo uses the TEE in your device to secure your information, so even if your device is stolen the attacker would be unable to extract your private data. This approach eliminates a significant physical attack vector.
How Keypo Uses This Technology
At Keypo, we leverage Apple's Secure Enclaves to protect shares of your seed phrase and ensure that only you can access them. The cryptographic keys that protect your wallet never leave the Secure Enclave—they're generated there, used there, and can never be extracted, even by us.
We combine this hardware-level security with biometric authentication like FaceID and TouchID. This creates multiple layers of protection: an attacker would need both physical access to your specific device and a way to bypass biometric authentication and a way to extract keys from the Secure Enclave—a combination that's practically impossible with current technology.
If you're still writing your seed phrases on paper—vulnerable to fire, flood, theft, and simple loss—it's time for an upgrade. Try Keypo and experience the difference that consumer device TEEs can make for your crypto security.
The Bottom Line
Not all TEEs are created equal. Cloud-based TEEs offer meaningful protection and work well for many use cases, but they require trusting the cloud provider and are vulnerable to physical attacks at the circuit board level. Consumer device TEEs—particularly Apple's Secure Enclave on modern chips—provide a significantly higher bar for physical attacks because the security-critical communications happen inside an integrated chip rather than over external traces.
For protecting your most valuable digital assets, this architectural difference matters. Your iPhone's Secure Enclave has survived years of scrutiny from the world's best security researchers. That's a track record worth considering when you're deciding where to trust your keys.