
Apple T2 Security Chip

Summarized by PlexPage
Last Updated: 02 July 2021



Apple's annual October hardware event wrapped up late last month with announcements of the new MacBook Air and a revamped Mac mini. Both computers, like the newest MacBook Pro and last year's iMac Pro, come equipped with Apple's security-focused T2 chip. The T2 chip, which acts as a co-processor, is the secret to many of Apple's newest and most advanced features. However, its introduction into more computers, and the likelihood that it will become commonplace on every Mac going forward, has renewed concerns that Apple is trying to further lock down its devices from third-party repair services.

T2 is a guillotine being held over product owners, iFixit CEO Kyle Wiens told The Verge over email. That's because it is key to locking down Mac products by only allowing select replacement parts into the machine when they've come from an authorized source, a process that the T2 chip now checks for during the post-repair reboot. It is very possible the goal is to exert more control over who can perform repairs by limiting access to parts, Wiens says. This could be an attempt to grab more market share from independent repair providers. Or it could be a threat to keep their authorized network in line. We just don't know.

Apple confirmed to The Verge that this is the case for repairs involving certain components on newer Macs, like the logic board and Touch ID sensor, which is the first time the company has publicly acknowledged the new repair requirements for T2-equipped Macs. But Apple could not provide a list of repairs that require this or what devices were affected. It also couldn't say whether it began this protocol with the iMac Pro's introduction last year or if it's a new policy instituted recently.

The T2 is a custom-designed component that performs, among other tasks, processing of Touch ID fingerprint data. It also stores the cryptographic keys necessary to securely boot the machines it runs on. Apple says the chip is critical to new features, too, such as enabling the MacBook Pro to respond to Hey Siri requests without requiring you to press a button. It also prevents its laptop microphones from being remotely operated by hackers when the lid of the device is closed. Effectively, the T2 chip is capable of communicating with other components in order to perform some of the most important and sophisticated tasks modern Macs are capable of.

But recent revelations about the T2 have Apple critics concerned that it could be used to further shut out DIY enthusiasts and third-party repair services. As first revealed last month by MacRumors and Motherboard, both of which got their hands on an internal Apple document, the T2 chip could render a computer inoperable if, say, the logic board is replaced, unless the chip recognizes that a special piece of diagnostic software has been run. That means if you want to repair certain key parts of your MacBook, iMac, or Mac mini, you would need to go to an official Apple Store or a repair shop that is part of the company's Authorized Service Provider network.

* Please keep in mind that all text is machine-generated, we do not bear any responsibility, and you should always get advice from professionals before taking any actions.


What are T2 chips?

The T2 is Apple's second-generation security chip. It combines several hardware controllers into a custom piece of silicon. Such chips have been commonplace in smartphones for some time. However, the T2 isn't just there for security purposes; it can make a big difference in terms of overall performance, too.

So, why is it called a security chip? The main reason is that the T2 is responsible for secure boot. It validates the entire boot process, from the second you press the power button to the moment your macOS desktop is displayed onscreen. In short, it verifies that the bootloader and operating system are signed and approved by Apple, and that only approved drives are used to launch your OS. This prevents unsigned software from running at startup, which might be a problem if you occasionally boot to Linux. However, this is also how the chip protects your system; it prevents a third party from booting an unsigned operating system and attempting to access your data.

The T2 is also responsible for all encryption on the drive. Previously, this was handled by the CPU. Moving the process to a custom chip improves performance across the board, as it gives the CPU more resources.

Both the MacBook Pro and MacBook Air have Touch ID fingerprint scanners for logging in and approving admin-level requests. The T2 chip houses a Secure Enclave in which your fingerprint data can be safely stored. Any verification requests, even those for third-party applications, are handled entirely by the chip. This means that apps never see or have access to fingerprint data, which is how Face ID and Touch ID are handled on iPhone and iPad. Software first requests verification, and the T2 chip checks the fingerprint against the one stored in the Secure Enclave. The software is then notified of the result.


How the jailbreak works

Over the summer, security researchers figured out a way to break T2 chips: they found a way to run code inside the security chip during its boot-up routine and alter its normal behavior. The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices, namely Checkm8 and Blackbird. This works because T2 chips and iPhones share some hardware and software features.

According to a post from Belgian security firm ironPeak, jailbreaking the T2 security chip involves connecting to a Mac or MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac's boot-up process. Per ironPeak, this works because Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication. Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot, ironPeak says. This allows an attacker to get root access to the T2 chip and modify and take control of anything running on the targeted device, even recovering encrypted data.


What are T2 chips?

For Apple users and ZDNet readers who are not aware of what the T2 is, it is a special co-processor that is installed alongside the main Intel CPU on modern Apple desktops and laptops. T2 chips were announced in 2017 and began shipping with all Apple devices sold in 2018. Their role is to function as a separate CPU, also known as a co-processor. By default, they handle audio processing and various low-level I/O functions in order to help lift some load off the main CPU. However, they also serve as security chips, acting as Secure Enclave Processors that process sensitive data like cryptographic operations, KeyChain passwords, TouchID authentication, and the device's encrypted storage and secure boot capabilities. In other words, they have a significant role in every recent Apple desktop device, where the chips underpin most security features.


Danger to users

The sophisticated T2 security module embedded in Mac computers can be hijacked by combining two existing vulnerabilities that can allow hackers to successfully jailbreak Macs and MacBooks. The operating system run by the T2 security chip, SepOS, suffers from an exploit first identified on the iPhone X, dubbed Checkm8, which can be used to circumvent Activation Lock, allowing stolen handsets to be reset and sold illegally. Researchers with ironPeak have demonstrated how it is possible to combine this flaw, which is also present in the T2 chips embedded in some Mac devices, with the Blackbird vulnerability, first identified by Pangu researchers.

When hit with Checkm8, the T2 chip on macOS devices normally exits with a fatal error if it is in Device Firmware Update mode and detects a decryption call. Exploiting Blackbird, however, could allow a hacker to bypass this check. Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update mode without authentication, ironPeak said in a blog post. Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot. Once you have access to the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution.

Apple's T2 security chip is a co-processor that sits alongside the CPU and harbours data and functions pertinent to the security of the device, including boot operations, and includes features such as audio processing. The hardware-enabled security component, which runs bridgeOS, is a custom Arm processor based on the A10 CPU found in the iPhone 7. Modern Macs run more recent iterations of the T2 chip based on the A12 architecture, and bridgeOS firmware, although a huge portion of current devices still use the A10 and SepOS. The T2 chip performs a set of predefined tasks in macOS, including functioning as a hardware security module for features such as Apple KeyChain or two-factor authentication. Other functions may include accelerating media playback, whitelisting kernel extensions, and cryptographic operations.

The flaw currently affects devices shipped with Intel CPUs and may not affect Mac devices that are manufactured with Arm-based processors in the next hardware cycle, although the researchers added there was no guarantee. Alarmingly, the ironPeak researchers claim the core vulnerability is unpatchable because SepOS / BootROM is read-only memory for security reasons, and therefore it cannot be fixed without hardware revisions. The better news is that if users deploy FileVault2 as disk encryption, potential hackers will not have immediate access to data stored on the device. They can, however, inject a keylogger into the T2 firmware, since it manages keyboard access, storing any passwords for retrieval or transmission, in the event of a malicious hardware attachment. IT Pro approached Apple for a statement on the two vulnerabilities.


Soli Said:

Intel Macs that use Apple's T2 Security Chip are vulnerable to an exploit that could allow hackers to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to a team of software jailbreakers. Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. In a blog post, however, security researcher Niels Hofmans notes that because the chip is based on the A10 processor, it's vulnerable to the same checkm8 exploit that is used to jailbreak iOS devices.

This vulnerability is reportedly able to hijack the boot process of the T2's SepOS operating system to gain access to the hardware. Normally, the T2 chip exits with a fatal error if it is in Device Firmware Update mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, Hofmans claims it is possible for hackers to circumvent this check and gain access to the T2 chip. Once access is gained, the hacker has full root access and kernel execution privileges, although they can't directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, hackers could inject a keylogger and steal the password used for decryption.

According to Hofmans, the exploit can also bypass the remote device locking function that's used by services like MDM and FindMy. Firmware passwords won't help prevent this either because they require keyboard access, which requires the T2 chip to run first. For security reasons, SepOS is stored in the T2 chip's read-only memory, but this also prevents the exploit from being patched by Apple with a software update. On the plus side, however, it also means the vulnerability isn't persistent, so it requires a hardware insert or other attached component such as a malicious USB-C cable to work.

Hofmans said he has reached out to Apple about the exploit but is still awaiting a response. In the meantime, average users can protect themselves by keeping their machines physically secure and by avoiding plugging in untrusted USB-C cables and devices. Lastly, the researcher notes that upcoming Apple Silicon Macs use a different boot system, so it's possible that they won't be impacted by the vulnerability, although this is still being actively investigated.

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being riddled with horrible, unpatchable bugs and security exploits. It's one thing when you can make an OS walled garden, like with iOS. When you can control software, you don't need to worry about hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is reality.


Some limitations

Security researchers are reporting a significant flaw in Apple's T2 security chip that has a wide-ranging impact on the macOS platform, especially the latest MacBook Air and MacBook Pro machines. With the issue located in the read-only memory portion of the T2, the flaw is effectively unpatchable, leaving user data exposed. It is possible to gain control over the core operating system. This could facilitate data extraction, allow keylogging software or malware to be installed, and any number of other potential uses.

The exploit relies on code previously used to jailbreak iPhone X handsets. Mahit Huilgol has more details at iPhoneHacks: the exploit is called checkm8 and was developed initially for the iPhone X. Interestingly, the iPhone X is powered by the A10 processor, and the T2 chip is also modeled after the A10 processor. Typically, the T2 chip throws a fatal error whenever it gets a decryption call. However, attackers can circumvent the check with the help of the blackbird vulnerability. The worst part is that SEPOS / BootROM is read-only memory, which means Apple will not be able to patch this without changing hardware.

Because of the physical nature of the flaw in the T2 chip (the exploit is in the read-only memory of the chip), this is not a security issue that can be patched by a firmware update. Apple will no doubt be re-engineering the chips so that Macs rolling out of factories in the near future will have patched hardware. The physical nature of the exploit also means that any attacker is going to need physical access to your machine to take control of the T2 chip. That puts Apple's mobile Macs at higher risk, especially the MacBook Pro, given its target market is more likely to be carrying sensitive information on a personal, enterprise, or governmental basis while travelling.

Belgian security firm ironPeak notes the team effort behind the discovery: the following post is an industry analysis of code and research performed by twitter.com/axi0mx, twitter.com/h0m3us3r, twitter.com/aunali1, twitter.com/mcmrarm and twitter.com/su_rickmark, who poured endless hours of work into this, allowing companies and users to understand their risks concerning this issue.

If you've ever wondered how much work goes into researching these issues, Rick Mark has laid out a timeline covering major progress points, starting nearly three years ago. Oct 27, 2017: rickmark created a utility to verify the integrity of T1 and prior Macs. Oct 5, 2020: rickmark publishes a blog with a more accurate T2 analysis, https://blog.rickmark.me/Checkra1n-and-T2/

The impact on individuals is huge. macOS, as it stands today, has issues. ironPeak sums up the state of the platform as they see it: the root of trust on macOS is inherently broken; they can bruteforce your FileVault2 volume password; they can alter your macOS installation; they can load arbitrary kernel extensions; only possible on physical access. As with all flaws, the route to exploit and maintain an attack will define just how serious a threat user data is exposed to.


No surprise

Update at bottom: another team with another cable able to hijack a Mac, among other devices.

The T2 exploit team who found a way to take over the security chip in modern Macs has demonstrated a way to do so without user intervention using nothing more than a modified USB-C cable. The ad-hoc team, who call themselves Team t8012 after Apple's internal name for the chip, believe that nation-states may already be using this approach.

The team has now provided a practical demonstration. The video shows them plugging a USB-C cable into a Mac, and checkra1n being run. The target machine goes to a black screen while the connecting computer confirms that it was successfully executed. Note that the connecting computer is only verifying the success of the operation. The attack is performed using nothing more than the chip in the cable. The second video proves that it succeeded by modifying the Apple logo seen during startup. The T2 exploit team is also working on demonstrating the installation of a keylogger.

Team t8012's Rick Mark told me that his motivation to participate in the T2 research was that he was convinced it was possible and might already be in use. While the need for physical access to the Mac means it can only be used for very targeted attacks, he suspects that nation-states are using it, and potentially organized crime too. Mark said there is nothing Apple can do to prevent the exploit on existing T2 Macs, but the company could provide a tool to verify the integrity of a machine against Checkm8 and flag a failure.

I suggested that Apple could fix the issue in future chips with some kind of encrypted comms that only enables DFU for devices with the right codes, and he confirmed that this would work, but I think that is again putting a lot of trust in them to do it right without having any data that it would do so. For example, Mark says, Apple has released six new Mac models since the Checkm8 exploit became public, by which point Apple should have known the T2 chip was vulnerable.

One of the interesting things to emerge from their research is the way the Mac assigns functionality to its USB-C ports. You can read the blog post here. We've reached out to Apple for comment and will update with any response.


Always a double-edged sword

Building hardware security mechanisms is just always a double-edged sword, says Ang Cui, founder of embedded device security firm Red Balloon. If the attacker is able to own a secure hardware mechanism, defenders usually lose more than they would have if they had built no hardware. It is smart design in theory, but in the real world it usually backfires. In this case, there would likely have to be a very high-value target to register any real alarm. But hardware-based security measures do create a single point of failure that the most important data and systems rely on. Even if the Checkra1n jailbreak doesn't provide unlimited access for attackers, it gives them more than anyone would want.


The technical stuff

Apple has been using the T2 security chip, which secures everything from stored data encryption to Touch ID and Apple's Activation Lock, in its iPhones for ages. But the chip has also been instrumental in jailbreaking iPhones, thanks to a vulnerability called Checkm8, developed by a group known as Checkra1n. And now, that same group has released the same exploit for Apple's Mac range, which recently saw the introduction of the T2 chip beyond just the iMac. The jailbreak could be used for fairly innocent purposes, to scrutinise Apple's T2 chip, for example, or to run Doom on the Mac Pro's Touch Bar. It could also be used by more malicious actors to disable Apple security features, or to access companies' FileVault encryption keys.


How is the device attacked?

After it was reported last week that Apple's T2 Security Chip could be vulnerable to jailbreaking, the team behind the exploit has released an extensive report and demonstration. Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. It appears that since the chip is based on the Apple A10 processor, it is vulnerable to the same checkm8 exploit that has been used to jailbreak iOS devices.

The vulnerability allows for hijacking of the T2's boot process to gain access to the hardware. Normally, the T2 chip exits with a fatal error if it is in Device Firmware Update mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, it is possible for hackers to circumvent this check and gain access to the T2 chip. Once access is gained, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, hackers could inject a keylogger and steal the password used for decryption. It can also bypass the remote Activation Lock used by services such as MDM and Find My. Firmware passwords do not prevent this since they too require keyboard access, which requires the T2 chip to run first.

The exploit can be achieved without user interaction and simply requires a modified USB-C cable to be inserted. By creating a specialized device about the size of a power charger, an attacker can place the T2 chip into DFU mode, run the checkra1n exploit, upload a key logger, and capture all keys. macOS can be left unaltered by the jailbreak, but all keys can still be logged on Mac laptops. This is because MacBook keyboards are directly connected to the T2 and pass through to macOS.

A practical demonstration shows checkra1n being run over USB-C from the host device. The target Mac simply displays a black screen while the connecting computer confirms that the exploit was successful. These cables function by allowing access to special debug pins within the USB-C port for the CPU and other chips that are usually only used by Apple.

Apple has not fixed the security flaw and it appears to be unpatchable. For security purposes, the T2's SepOS custom operating system is stored directly in the chip's SEPROM, but this also prevents the exploit from being patched by Apple via a software update. In the meantime, users can protect themselves from the exploit by keeping their Macs physically secure and avoiding insertion of untrusted USB-C cables and devices.
