Apple's T2 Security Chip Has an Unfixable Flaw (wired.com)
A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside. From a report: In general, the jailbreak community hasn't paid as much attention to macOS and OS X as it has iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.
On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware. "The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "So the significance is that this chip was supposed to be harder to compromise -- but now it's been done."
What about a hack to use non-Apple storage cards? (Score:2)
What about a hack to use non-Apple storage cards on the T2 systems with Apple storage slots?
Re: (Score:2)
Exactly.
THIS IS VERY GOOD NEWS.
You can now run Linux on the T2 Macs, like you could with pre-2018 MacBooks. Without the T2 "integrity" these are no worse than previous Apple generation hardware.
Re: (Score:2)
That is one of the most interesting usage scenarios. While a complex operation, you can upgrade the RAM on a MacBook by changing the BGA RAM chips and moving the RAMCFG resistors to a new configuration, but the on-board SSD is not upgradable since the controller encrypts the NAND, including some of the vital information. Being able to swap the NAND to larger chips and reinitializing it in the T2 would open up some possibilities.
Sounds vaguely familiar... (Score:5, Insightful)
We've heard this song before, just the orchestra has changed (again).
Now, just think about what it would mean if - instead of a vendor's security chip - we were talking about a flaw in a government-mandated back door into all our encrypted communications [slashdot.org]. Because Apple, Intel, HP, and others will be the ones the government asks to provide that mechanism (we know that because the request has already been made).
Re: (Score:1)
HP? Who cares about them? Otherwise, you're probably on to something here.
Re: (Score:2)
I listed HP because they have also had issues with an exploitable security flaw in a low-level management system. I could also have included Dell and others.
Re: (Score:2)
Honest question: does HP even provide low-level management systems anymore that are proprietary? Or have they fully moved into selling someone else's hardware with a rebrand? I ask because, as I said before . . . who really cares about HP?
Intel and AMD have created their own monstrosities - especially Intel.
Re: (Score:3)
Re: (Score:3)
Actually, on the positive side, Rossmann and others will likely be able to use this feature to help people recover irreplaceable photos and other documents that the 'Geniuses' said were gone forever.
It may also be usable to get various fruity hardware to accept functionally equivalent 3rd party replacement parts that Apple has not blessed with its holy seal.
Ideally, the security would have been designed with the good of the user in mind such that those things would have been possible anyway and with a fun
Re:Sounds vaguely familiar... (Score:5, Insightful)
It isn't just the U.S. government that would request use of those back doors, so will Russia, China, Iran, etc., the usual cast of hobgoblins on the international stage. Except they won't ask, they'll just use it.
Re: (Score:1)
So just like in 1966, people won't be able to act with impunity. Be careful where you store things that might incriminate you
Re: (Score:2)
Totally avoidable with physical jumpers (Score:2)
Unfixable - hahaha (Score:1, Informative)
There are a few important limitations of the jailbreak, though, that keep this from being a full-blown security crisis. The first is that an attacker would need physical access to target devices in order to exploit them. The tool can only run off of another device over USB. This means hackers can't remotely mass-infect every Mac that has a T2 chip. An attacker could jailbreak a target device and then disappear, but the compromise isn't "persistent"; it ends when the T2 chip is rebooted.
So first and foremost - it requires physical access - that makes it unlikely to be exploited to about 99.999% effectiveness.
There is also no actual indication of why it can't be fixed in firmware - just like the last unfixable thunderbolt exploit they fixed. Even CPUs have firmware updates that can be used to mitigate these sort of 'unfixable' issues - Apple is building custom silicon and you don't think they've thought of how they could fix hardware after distribution for this problem? Really?
Re: (Score:2)
So first and foremost - it requires physical access
A malicious USB device is enough. Social engineering may be enough to get someone to insert a USB dongle.
Re: Unfixable - hahaha (Score:3)
So first and foremost - it requires physical access
A malicious USB device is enough. Social engineering may be enough to get someone to insert a USB dongle
But it isn't persistent, nor can it be used to unlock encrypted files, nor can it be used to install a persistent hack; so, if you are concerned about an evil maid, or coworker, simply reboot when you come back from lunch or whatever, or just shut down before you leave. With an SSD equipped Mac, a Cold Boot only takes about 10 seconds, and MacOS can even Restore everything to the pre-shutdown state.
Not perfect; but it will certainly do.
Re: Unfixable - hahaha (Score:1)
Re: Unfixable - hahaha (Score:1)
Re: (Score:2)
I hope you understand a persistent T2 exploit isn't necessary.
You gain temporary control over (effectively) a hypervisor, you can write anything you want to the file system, RAM, etc. Drop an infection in the system, and boom.
With any luck, they'll use it to flash a component's firmware to persist somehow (faking a usb bus to simulate a usb drive used in the exploit)
You must have missed the 2 salient points:
1. It cannot access encrypted files.
2. It cannot be used to Install a persistent Hack.
So, it really does seem like a fairly unhelpful vulnerability.
Re: (Score:3)
Re: Unfixable - hahaha (Score:2)
True, but the real nightmare scenario is combining a T2 exploit with a network vulnerability to mass-hijack systems or exfiltrate data. Can't do that if every device affected must have a bespoke USB device plugged in after every reboot.
Re: (Score:2)
There are a few important limitations of the jailbreak, though, that keep this from being a full-blown security crisis. The first is that an attacker would need physical access to target devices in order to exploit them. The tool can only run off of another device over USB. This means hackers can't remotely mass-infect every Mac that has a T2 chip. An attacker could jailbreak a target device and then disappear, but the compromise isn't "persistent"; it ends when the T2 chip is rebooted.
So first and foremost - it requires physical access - that makes it unlikely to be exploited to about 99.999% effectiveness.
There is also no actual indication of why it can't be fixed in firmware - just like the last unfixable thunderbolt exploit they fixed. Even CPUs have firmware updates that can be used to mitigate these sort of 'unfixable' issues - Apple is building custom silicon and you don't think they've thought of how they could fix hardware after distribution for this problem? Really?
The article says the flaw is in the immutable ROM. Typically in an implementation like this you'll have a first stage bootloader that is fused into the chip that is supposed to only verify the second stage boot loader is valid. Based on what I read and have inferred (AKA, I may be wrong) it looks like the first stage bootloader is accessing the USB bus for some reason (recovery most likely).
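To make the point about an immutable first stage concrete, here is an added example (not Apple's code and not the poster's) that models the two-stage chain described above: a boot ROM that carries only the hash of a vendor public key and verifies the second-stage image before running it. The use of Ed25519 and SHA-256, the type and function names, and the `romBug` flag are all assumptions for illustration; the flag stands in for "a code path in ROM that hands control to a USB-supplied image without verifying it" and is not a description of the real bootrom bug. The scenario shows why a correct ROM rejects both a tampered vendor image and an attacker's self-signed image, and why none of that matters once the ROM itself has a bypass, since there is no later stage that could patch the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BootROM models the immutable first stage (hypothetical, for illustration).
// It holds only the SHA-256 of the vendor public key, standing in for a
// fuse/ROM constant, and one verify routine.
type BootROM struct {
	PinnedKeyHash [32]byte
}

// Stage2Image is what the ROM loads from storage or, in recovery, over USB.
type Stage2Image struct {
	PublicKey ed25519.PublicKey // shipped with the image, checked against the fuse
	Code      []byte
	Signature []byte // Ed25519 signature over SHA-256(Code)
}

var ErrUntrusted = errors.New("stage-2 rejected: untrusted key or bad signature")

// Verify is the only policy the ROM enforces. Because it lives in ROM, a
// mistake in this stage, or a path that skips it, cannot be fixed by an update.
func (r BootROM) Verify(img Stage2Image) error {
	if sha256.Sum256(img.PublicKey) != r.PinnedKeyHash {
		return ErrUntrusted
	}
	digest := sha256.Sum256(img.Code)
	if !ed25519.Verify(img.PublicKey, digest[:], img.Signature) {
		return ErrUntrusted
	}
	return nil
}

// Boot returns the code the chip executes next. romBug models a flaw in the
// immutable stage: a recovery path that runs an externally supplied image
// without calling Verify. It is a stand-in, not the real bug.
func (r BootROM) Boot(img Stage2Image, romBug bool) ([]byte, error) {
	if !romBug {
		if err := r.Verify(img); err != nil {
			return nil, err
		}
	}
	return img.Code, nil
}

// SignStage2 is the vendor's build step: hash the image and sign the digest.
func SignStage2(priv ed25519.PrivateKey, code []byte) Stage2Image {
	d := sha256.Sum256(code)
	return Stage2Image{
		PublicKey: priv.Public().(ed25519.PublicKey),
		Code:      code,
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// Scenario boots four constructed images through the same ROM: a genuine
// image, a tampered copy of it, an attacker's self-signed image, and the
// attacker's image again when the ROM bug is present.
func Scenario() (genuineOK, tamperedRejected, attackerRejected, attackerRunsWithBug bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	rom := BootROM{PinnedKeyHash: sha256.Sum256(vendorPub)}

	genuine := SignStage2(vendorPriv, []byte("vendor stage-2 bootloader"))
	out, e := rom.Boot(genuine, false)
	genuineOK = e == nil && string(out) == string(genuine.Code)

	tampered := genuine
	tampered.Code = append([]byte{}, genuine.Code...)
	tampered.Code[0] ^= 0x01 // one-bit change after signing
	_, e = rom.Boot(tampered, false)
	tamperedRejected = errors.Is(e, ErrUntrusted)

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	evil := SignStage2(attackerPriv, []byte("attacker stage-2 payload"))
	_, e = rom.Boot(evil, false)
	attackerRejected = errors.Is(e, ErrUntrusted) // key hash does not match the fuse

	out, e = rom.Boot(evil, true) // same ROM, verification path skipped
	attackerRunsWithBug = e == nil && string(out) == string(evil.Code)
	return
}

func main() {
	g, t, a, b, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine boots: %v\ntampered rejected: %v\nattacker rejected: %v\n"+
		"attacker runs when ROM has the bug: %v\n", g, t, a, b)
}
```

The design point is that the pinned key hash and the verify routine are the root of trust for everything loaded afterwards; a second-stage update can fix bugs in the second stage, but cannot reach back and close a path inside the ROM that never calls `Verify`.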
Re: (Score:2)
Based on what I read and have inferred (AKA, I may be wrong) it looks like the first stage bootloader is accessing the USB bus for some reason (recovery most likely).
You can actually install macOS onto USB- and Firewire-connected drives and boot from those instead of the internal drive. My iMac got an unexpected SSD upgrade like this after its internal drive died outside of warranty and I couldn't be bothered getting a pizza cutter and a new adhesive strip for the display glass from MacFixit so as to replace the internal drive "correctly."
Re: (Score:2)
Based on what I read and have inferred (AKA, I may be wrong) it looks like the first stage bootloader is accessing the USB bus for some reason (recovery most likely).
You can actually install macOS onto USB- and Firewire-connected drives and boot from those instead of the internal drive. My iMac got an unexpected SSD upgrade like this after its internal drive died outside of warranty and I couldn't be bothered getting a pizza cutter and a new adhesive strip for the display glass from MacFixit so as to replace the internal drive "correctly."
Yes I am aware of that fact but that should happen long after the immutable bootloader has finished executing. In this case I think the recovery is for the second stage bootloader.
Re: (Score:2)
According to the information out there, the affected firmware is in ROM, not flash, so a fix would mean replacing the actual chip. New devices will get a fix, the old devices will be vulnerable forever.
So? (Score:2)
why? (Score:2)
What is the theory justifying the T2 chip? Why is a second processor supposed to be more secure? Is it only because its executables are hidden in ROM accessible only by that processor, which programs running on the main CPU can not access?
Re:why? (Score:5, Informative)
The theory, I think, beyond making the fingerprint data nearly impossible to copy (because it never reaches the CPU), is that by using a separate processor, you can't use rowhammer attacks against the data, because what you instead see is authorization and encrypted data going in, and decrypted data coming out. Of course, if you can rowhammer or key capture the authorization data, then you have gained nothing.
Unfortunately T2 has brought with it a host of serious problems, such as:
It would be great if Apple realized that this architecture is a mistake and went back to something more sane, with the secure enclave being used exclusively for fingerprint data. After all, the only really useful thing the T2 does is storing the fingerprints for Touch ID in a way that prevents copying. Everything else is just adding unnecessary layers of complexity and creating hard-to-fix bugs, IMO. Unfortunately, knowing Apple's history, they're far more likely to double down on "secure".
Re: why? (Score:1)
Unfortunately T2 has brought with it a host of serious problems, such as:
Inability to run Linux or other operating systems off of internal storage (except in a virtualization environment)
Inability to boot with an external GPU attached unless you have an additional monitor (or emulator) connected to the internal GPU
All that would be true; except that it isn't.
Apple has provided 3 levels of boot-security, from "absolutely nothing but signed Apple OS" down to "It's your funeral". At that level, you can attempt to boot and run any crazy OS you wish.
Re: why? (Score:4, Informative)
Unfortunately T2 has brought with it a host of serious problems, such as:
Inability to run Linux or other operating systems off of internal storage (except in a virtualization environment)
Inability to boot with an external GPU attached unless you have an additional monitor (or emulator) connected to the internal GPU
All that would be true; except that it isn't.
Apple has provided 3 levels of boot-security, from "absolutely nothing but signed Apple OS" down to "It's your funeral". At that level, you can attempt to boot and run any crazy OS you wish.
You can attempt to boot it, but the operating system itself still cannot access the internal disk even with the security at its lowest setting, unless the Linux community has found a solution to this problem very recently.
Re: (Score:1)
You can attempt to boot it, but the operating system itself still cannot access the internal disk even with the security at its lowest setting, unless the Linux community has found a solution to this problem very recently.
In addition to its security features, the T2 functions as a new disk I/O controller. It's true that Apple has not written a Linux storage driver for this new device. Until someone writes such a driver you should still be able to boot from the devices that Linux does support.
Re: (Score:2)
It is because it is DRM. It is a second processor that run's Apple's code to protect _their_ computer against the user.
Flashback (Score:5, Insightful)
Why does this remind me of all the Norton firewall stuff we used to use decades ago. Add layers in security equals only adding layers of possible vulnerabilities.
And then there's the philosophical dilemma of data. Personally I do not want my data encrypted at all. Not that it should be exposed to the nosy. But in case of any hardware failure I'd be happy to just access my data if possible, thank you. Rather than being dependent on The Cloud(TM) to safekeep what's already mine.
Now, I do understand there's a market. I can also sort-of see the point of hardware to prove authentication. Apart from that, go ahead, steal my Android, hope you like our puppies. Please return it after.
I'm all for strong encryption and the right to encryption. But I also observe that Apple's behavior only backfires as a call for more enforcement, like the requests for encryption backdoors by the gov.
So I'm pretty undecided at this point. Somehow I prefer the wild west where deep pockets know the flaws first against regulation where we have no real encryption at all. And right now, mostly the criminals seem to win. Maybe the better path is just not to try to secure phones as Fort Knox. Keep that for your data center.
Re: (Score:2)
The problem is the complexity and black box nature of it...
The only thing that should be secret is the user's key, the algorithms and implementation should be open.
If something goes wrong, the user with the key should be able to recover or repair as much as possible.
Re: (Score:2)
Their mistake was adding a load of functionality to what should be a pure security chip. It should offer a minimal set of security features and nothing more.
Instead they made it rival Intel's Management Engine for complexity and we all know how that ended.
Re:Flashback (Score:5, Insightful)
Personally I do not want my data encrypted at all. Not that it should be exposed to the nosy.
It's not just about the data. Phones - especially iPhones - are highly-portable high-value items. In theory, with sufficiently strong security on them you remove the incentive for theft, because whoever gets it can't do anything with it.
But this only works if potential thieves know that any phone they may grab is more likely than not locked down. If it's easy to leave your phone open to the world, lots of people (just like you) will do that. Then everyone has to guard their phones against theft.
Re: (Score:2)
Now, I do understand there's a market. I can also sort-of see the point of hardware to prove authentication. Apart from that, go ahead, steal my Android, hope you like our puppies. Please return it after.
Actually, stealing your phone is one of the main reasons for technologies such as this. Before phones were locked down like now, a stolen iPhone could just be connected to a computer, factory erased and used or sold as a fully usable iPhone. Locking down the phones like this reduced thefts significantly [cbsnews.com].
Aside from that, many companies have strict policies to keep their data secure. It's often not just their data, but also customer's data Technologies like this aid in keeping things secure. And while you m
A bit more to the story (Score:3, Informative)
There are a few important limitations of the jailbreak, though, that keep this from being a full-blown security crisis. The first is that an attacker would need physical access to target devices in order to exploit them. The tool can only run off of another device over USB. This means hackers can't remotely mass-infect every Mac that has a T2 chip. An attacker could jailbreak a target device and then disappear, but the compromise isn't "persistent"; it ends when the T2 chip is rebooted
Re: (Score:3)
EVERY company that's serious about security takes a very hard line regarding loss of physical contact. Any big business that sends a team to China for example will be given daily-rotation sim cards, and ALL laptops will be wiped and disposed of when they get back stateside.
Physical access can always win, it's just not worth the risk. The T2 was never intended to deal with state actors. It's just there to make it hard eno
Does Sarah Connor know about this? (Score:3)
A T2 vulnerability would be very important but I don't think the metal morphing terminators had ports on them
Re:A bit more to the story (Score:5, Insightful)
You have to have physical access to a USB port on the box. If you're going to let folks have physical access to your device and plug things into it, then it doesn't seem like you are very concerned about security.
The whole purpose of these security chips is to protect against physical access attacks.
Re: (Score:3, Informative)
As far as being "un-patchable", that seems to be only semi-true. Apple can't fix the crash-bug for the T2, but they have already locked the crashed (DFU-mode) T2 system from accessing the encrypt/decrypt functionality, but it can still sniff the keyboard. Apple could make it even mor
Re:A bit more to the story (Score:4, Interesting)
T2 is Apple's answer to the Evil Maid attack.
Oops.
It's interesting to talk to people who work in State security. Apple has slightly better security, technically, than Android systems, but since it's so popular with shiny people, nearly all of the State-level effort (and/or Cellebrite) goes into iDevice exploits.
Android patching is a complete shitshow, but that makes it such a heterogeneous environment that the RoI is much lower on attacking it.
That is to say, Apple is a big target, and when they screw up, the consequences are more dire because of the promises they've made.
Re: (Score:2)
Re: (Score:1)
well that is why 1099 cleaning staff needs to go (Score:2)
well that is why 1099 cleaning staff needs to go W2 so they can't use very low paid staff that the main cleaning contracting company can just wash their hands of.
Re: (Score:2)
> You have to have physical access to a USB port on the box.
That's okay, Apple will just remove the USB ports on the new Macs ;-)
A system that doesn't trust the users is ... (Score:3, Interesting)
untrustworthy
The point of this "T2" chip, like Intel's TPM, is that the computer manufacturer wants the computer to distrust its owner on behalf of "content creators". And this has the obvious failure mode: if the system has a layer that is more powerful than the putative owner, then that layer owns the system to the detriment of the owner.
Re: (Score:2)
If I understand well this T2 chip is more like the Intel ME chip, running a whole Minix-based OS doing some shady stuff in the background. Still, it highlights RMS's "Treacherous Computing" notion: the fact that there is an uncontrollable chip on the computer, meaning we (the users) can't have control over it, doesn't prevent third parties from finding a way to get control over it...
Re: (Score:2)
If I understand well this T2 chip is more like the Intel ME chip, running a whole Minix-based OS doing some shady stuff in the background. Still, it highlights RMS's "Treacherous Computing" notion: the fact that there is an uncontrollable chip on the computer, meaning we (the users) can't have control over it, doesn't prevent third parties from finding a way to get control over it...
I don't know all the details of what the T2 is doing but my understanding is that it is similar to Intel Boot Guard + a hardware TPM.
Re: (Score:2)
Yes, the T2 replaces much of the PCH, but also provides some TPM-like functionality. It was also step one of the ARM transition, and a way to keep security features and device drivers more consistent across the system lineup.
Re: (Score:3)
untrustworthy
The point of this "T2" chip, like Intel's TPM, is that the computer manufacturer wants the computer to distrust its owner on behalf of "content creators". And this has the obvious failure mode: if the system has a layer that is more powerful than the putative owner, then that layer owns the system to the detriment of the owner.
You're entirely mistaken about the point of the T2 chip or the TPM. The TPM can only provide platform measurements during various stages of the boot process. The T2 chip has a TPM built into it but it is also a hardware root of trust. And honestly if you're trying to run your own custom firmware you're probably doing something wrong or you are a 0.1%er. The best way for an APT to own your computer is to replace the firmware with something they have compromised. They can't do that as easily with a hardw
Note that this requires physical access (Score:2)
and doesn't survive a reboot.
Re: (Score:1)
Yet.
Re: (Score:2)
Re: (Score:2)
Mod parent up +1 insightful! :-)
Re: (Score:1)
Not moderated... Yet ;)
Re: (Score:2)
and when they flash a hacked stage 2 ROM / boot loader with a hack that lasts past reboot?
I follow Mac protocol so no worries. (Score:4, Funny)
Re: (Score:2)
Ah, so you’re on the slow track...
Tim Apple would like a word with you.
Re: (Score:3)
I wonder what Tim Apple would think about the mid-2010 Mac mini on my desktop, or the fact that I upgraded to 16GB, removed the DVD drive for a 2nd HDD and replaced the primary HDD with an SSD.
Because that's what happens when you're being as green as possible: keep using your hardware as long as you can.
I do remember him basically laughing at PC users who hadn't upgraded in the last five years. What's the logic behind this line of thinking, besides the obvious "I want more money, screw the planet"?
Re: (Score:2)
I intend to keep my 13” 2015 MacBook Pro running until it refuses to boot.
Of course, even in 2015 Apple had already started the move. The RAM couldn’t be upgraded, which is why I went with 16GB from the get go. However I did upgrade the SSD From the stock 256GB to a faster 1TB drive (I’m sure allowing that was an egregious oversight). And I bought it from their refurb store... in 2017 - I still think it is the best laptop Apple has ever made.
I guess I’m one of those “sad”
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
You must be rich. What did you do with your old Mac products? :P
Overblown (no big deal) (Score:1)
This is always a bad idea (Score:3)
And this is exactly why everybody already knew a long time ago that adding another layer of security as a special security chip inside the computer that can't be modified or updated but has access to everything and can run without the real computer knowing is always a bad idea. This is why people.
Re: (Score:2)
And this is exactly why everybody already knew a long time ago that adding another layer of security as a special security chip inside the computer that can't be modified or updated but has access to everything and can run without the real computer knowing is always a bad idea. This is why people.
Layers of security are bad? Are you for real?
Re: (Score:2)
Yes, too many layers add complexity and it only takes one bug to compromise the whole system, and when it is in hardware it's of major colossal proportions. Implementing complex security through hardware with obfuscated logic that can't be updated is always a very bad idea. Just like this example shows, just a single bug can bypass the whole security and even make it less secure in the first place.
Re: (Score:2)
Yes, too many layers add complexity and it only takes one bug to compromise the whole system, and when it is in hardware it's of major colossal proportions. Implementing complex security through hardware with obfuscated logic that can't be updated is always a very bad idea. Just like this example shows, just a single bug can bypass the whole security and even make it less secure in the first place.
I think you have taken a reasonable concern about hardware or physical security systems to arguing against a well understood, broadly accepted standard practice, and I think that argument is weak.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Hardware/physical security device - hardest to fix, least flexible. It, like any other layer, can be a single point of failure, and that is not a valid argument against layers of security. You'd have to make a convincing argument that a single layer is generally more secure than mu
Easy fix for "unfixable flaw" (Score:1)
Replace the system with a PC.
The purpose of the article though is this bypasses several security mechanisms to decrypt stuff that users assume are secure from attacks such as encryption keys for information stored on disk. Governments and law enforcement love tools like this because it lets them get access to data on systems they otherwise wouldn't have access to at all.
Sigh. When will people stop doing this? (Score:1)
Evil begets evil. If you don't understand the relevance you're not paying enough attention.
Re: (Score:2)
Evil China again? (Score:2)
Oh, no, security problems come from everywhere/anywhere, it seems.