Apple's T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon Apple's T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in …
Is it really better than nothing, though? If you can drop the machine into DFU mode, you can install a basically undetectable keylogger that can completely compromise the machine.
I'm not aware of an exploit that allows you to do that on a Mac without one.
So T2 controls the ssd which is always encrypted, utilising the T2's aes 256 capabilities. If a user turns filevault off T2 just lets you onto the drive without entering the encryption key. Turning FV just means the user needs to enter their password to decrypt that ssd, giving the impression of instant encryption.
T1 has no aes capabilities & does not encrypt the drive but may contain encryption keys in its secure enclave along with credit card details etc.
T2 is a much more capable and advanced beast.
I'm certainly not. Given and local access to a machine that has a recovery mode, then exploits are inevitable and Apple must be aware of this.
But the main reason for them using such chips is not to prevent hackers from breaking in, but to prevent users from making changes such as installing other OSes or removing some of the many restrictions in IOS that we'll no doubt soon also see in MacOS.
Interesting. Apple prevents users from installing other OSes, eh? Looks at iMac running Ubuntu. Looks at other iMac running Win 7, though admittedly putting Win 7 on it was a struggle, neither Apple nor Microsoft supports anything but Win 10. And admittedly Boot Camp is going to go away in ARM based Macs. It’s not gone yet.
And, of course, there are the various other Macs with Parallels VMs of older versions of macOS, various Windows installs, and various Linux installs, usually some variation on Ubuntu going back to 18.04.
Tell me more about the world you live in. What colour is the sky there?
"Apple prevents users from installing other OSes, eh? "
First, MAC users don't care about other OSes in general, they care about their stuff that is being erased and/or compromised and are helpless to do anything about it.
Second, today Charlie is actually right, but you could argue that this is the inevitable end that Apple has always wanted. You have other OSes running so you can attest that the past wasn't so bleak, but look at recent Catalina issues with "Secure Boot". Are you 100% sure that if you used the most recent MAC hardware and OS that if you install ANYTHING that it won't erase EVERYTHING? Not all are, and now with this "exploit", it's not looking sunnier :-/.
P.S. I don't really consider what this article is reporting as an exploit perse, but simply a consequence of hard coding zero sum security. As out of context as it might sound, there's a logical reason that it takes the communication of 2 people to physically launch a nuke.
That’s Mac, not MAC. Today Charlie is actually wrong. Macs, including brand new Macs running Catalina (and even the Big Sur beta) can and do have non Apple OSes installed. Which ‘issues’ are you talking about? Some numpties have a problem switching from macOS to Windows and back at startup, but that’s not an OS issue, that’s a keyboard issue, a lot of wireless keyboards, especially including Apple’s own Bluetooth keyboards, don’t activate early enough in the boot process to detect that users held the option key down. Wired keyboards, including my ancient Macally, don’t have this problem.
And, yes, I’m 100% sure that it won’t erase EVERYTHING. And that’s why I have backups if, by some incredibly unlikely instance, it does erase EVERYTHING.
The current ‘exploit’ requires physical access. If I have physical access, I can do one hell of a lot of damage, including simply removing the entire computer. For this to be a real problem, someone has to have the right tools, physical access, and time undisturbed.
I mostly agree with you that Apple are not out to prevent other OSs being installed as Apple haters are making out, but the T2 chip was quite a hassle for Linux to work round and was only possible because of the desire of a lot of people. Not much chance of getting anything less common than Linux (e.g. BSD, Heroku) running unless you're prepared to run it off an external drive.
Have you tried installing another OS on an I-Phone? Have you tried using a different browser engine on I-Phone? Have you managed to buy an app for an I-Phone than anywhere other on the Apple App Store? Apparenty this is all for our safety. Sounds like Steve Jobs wasn't a fan of Benjamin Franklin…
Apple's very own version of lockdown is coming to Macs.
Jobs bragged that most of the original OSX was either directly open source or based on free software, and made it a point to draw *nix users in. It took years for them to started locking things down, especially after the new management stepped in. Not saying the man was infallible but he did see the value of open source and software freedom, even if that platform ended up pushing the most closed software/hardware ecosystem in the market.
OS X is built on Darwin which you can freely download the source for, os x is even zero cost to you too and can be freely downloaded from the Mac website.
The os is hardened, why is that a bad thing?
Can run any 64 bit OS X software I choose, I can just tell the os to run it..
"I don't get why people think Apple will use the transition to ARM to lock down macOS. They could have done it at any time"
You are correct, but I think it's likely. In 2006, they didn't want to lock it down. They wrote BootCamp just to prove that. They still allowed running unsigned binaries. I was very happy with them. It's not the same now. They've taken various small steps toward locking down their OS, and they've created another fork which has already seen much more thorough lockdowns. The reason I think ARM might be a good opportunity for them to lock down is that it's easier to say "We have to drop support for multibooting because our chip doesn't support the operating system images currently available" rather than "We decided we didn't want you to run Windows anymore so we're pulling Bootcamp". In the name of security, they've instituted weird and painful restrictions on disk access that don't work which look a lot more like IOS than they look like any other popular OS. They've hidden the settings needed to run software they haven't signed behind obstructive and meaningless error messages. Their repairability scores have been dropping steadily for most of their machines. These are not good signs to me.
It has already been made public that the ARM Macs will have a bootloader that can be unlocked. That might not matter in practice since Apple isn't going to write Windows or Linux drivers for its proprietary GPU, but I suppose someone motivated enough could reverse engineer it. Reverse engineered drivers probably wouldn't perform that well, but people who just wanted to boot Windows or Linux and run non demanding (i.e. no games or CAD) stuff probably could do so.
Though other than bloody mindedness I have no idea why someone bother with the effort to reverse engineer the GPU when they could Windows or Linux in a VM and get much better GPU performance in a fully supported way. Especially as that GPU would be a moving target.
The main reason is to prevent it being fixed by independent repair shops, and charge more than the cost of replacement to he poor sods that need repair, so an easy repair is converted into more stuff in the landfill and new sales for Apple. The side effect, is your data is reasonably secure.
If this was not the case, you should be able to install a new OS on the system, even if you had to validate it online, etc etc.
That's just corporate stupidity not Apples problem.
Reminds me of the Ad Firm back in the 90's where the Creative Director talked management into replacing all the Standard PCs in Accounting and for all the PAs with Macs. All those ladies who were Work Perfect jockeys almost strung me up by my gonads! "What is this mouse thing! I can get any work done!
While Apple cannot fix the flaw in its T2, Mark says it should be possible to restore a compromised device that's still bootable into DFU by attaching it to a trustworthy second device.
What if newer malware versions will be able to spread from compromised devices to uncompromised devices?
/inserts brrr.gif
Since it requires a cable connection and booting to recovery, it's unlikely to spread without assistance; people rarely connect one computer to another one over a USB cable. The exploit is very serious given the likelihood that someone could do this with minutes access and it could remain resident for a long time. I doubt it's hard to use the access granted here to grab the encryption password and install malware on the victim's system to phone home with the data when the computer is connected to the internet. At least we know about this; had it been someone who doesn't work on security testing with a public interest, it would already be deployed at various countries' border scans.
A quick try at the exploit showed that it was possible to boot the machine with a USB stick attached, and insert a nice keylogger and a few other pieces of "useful" software in about 45 seconds. Quick enough for the "evil maid" scenario to be perfectly plausible.
The new ARM Macs will render all the existing Mac hardware and software totally obsolete. Even the fanbois will freak out when they find that they no longer have support for their shiny commodity rubbish. Apple are threatening (internally) to cease support for all pre-2021 products by early 2022. It's a good time to offload your Apple stock!
Louis Rossmann has a video on youtube explaining the perils of having secure boot enabled on an apple PC with the T2 chip. Basically, if the T2 chip's firmware is corrupted, there is no way to update the firmware without deleting your data, and no access to your data without updating the firmware. You definitely want to be religious about backing up your PC. Maybe this security blunder will provide a work around!
https://www.youtube.com/watch?v=6dwqxsDHkKQ
Some real world notes here:
T2 doesn't just "make the Mac secure" - it also prevents any type of external backup service outside of Apple's walled garden.
For example: a normal computer - you can boot up on Linux and capture a full dd image. This has its uses - for example, this image preserves all of the OS and installed software, as well as data, should something happen to the source computer. A disk failure can be remedied by putting in a new disk and slapping the image on. A computer failure can be replaced with an identical model computer and said image (really, it is the bios/motherboard).
With T2 and FDE - you can't do this. The Mac/Linux file system won't work without the T2 present, so virtual images are right out.
You can mount the image with a "recovery key" a la Bitlocker, but you have to do this ahead of time. Yes, the system is set up so that you can literally not access your own image without going through a specific sequence of events: FDE on, generate recovery key, capture image. Yes, out of order doesn't work (!)
@ C1ue:
A disk failure can be remedied by putting in a new disk and slapping the image on.
This assumes that the storage isn't soldered directly to the mainboard, which apple's been doing for a while. the SSD craps itself? Hope you made a backup.
Your cat decides that the mac needs a drink and dumps your beverage into it, trashing the ISL9240 chip in the process. Your data is gone, hope you had a backup complete just before your cat decided to assert their supremacy.
(https://youtu.be/lTpHa70DDX0) - Another Rossmann rant demonstrating precisely what I'm talking about.
“ T2 doesn't just "make the Mac secure" - it also prevents any type of external backup service outside of Apple's walled garden.
For example: a normal computer - you can boot up on Linux and capture a full dd image. “
For free I can use apples backup solution to back my data up to an attached disk or Nas, I can use carbon copy cloner, super duper, iCloud google drive etc.
So you want FDE on your boot disk and want to boot that disk on other machines.
Why?
How about take an encrypted backup of you data for restore on another machine?
macOS stores it’s system volumes in a sealed apfs volume, there is no need to back that up, just install a fresh version. You’ll want to keep a copy of the data volumes as that contains user data.
You can configure, in the gui, the Mac to boot off any external volume you want even unix or windows, effectively instructing T2 to not enforce secure boot.
If you leave things as default, enable FDE & secure boot on, then you’ll need that Mac with its T2 to read its internal storage.
I’m not seeing the problem here as that’s totally desirable, with the option to reduce the security if required.
With the sealed system volume, malware would need to run on T2 & could discover the users encryption key for later unencryption of the data volume on that machine with its T2 chip, so needs 2 visits to that machine to get its data.
If you could copy the encrypted volume as you suggest it’d be possible to unencrypt the data offsite once the key was known making detection of something murky going on harder.
The T2 exploit still makes it hard to get at the user data on its encrypted volumes.
are other solutions more resilient in this aspect?
Is bitlocker more secure?
The point of a real backup is that you preserve the entire environment, not just data. A full disk image does that.
Secondly, a full external image is completely undetectable in-system whereas an attacker can poison your system backup if they’re in.
What’s the point of backing up the system volume if it’s exactly the same as what is installed on every machine?
The data volume contains all system customisations as well as user data.
Do you back up chrome or some other app up that is readily downloadable or would it be easier to just backup its customised data?
Some info on the Mac system volume and where it is going.
https://eclecticlight.co/2020/09/14/will-big-sur-support-the-cloning-of-system-volumes/
You would think that one of the richest corporations in the world would be able to buy star programmers who can develop software without use-after-free vulnerabilities, especially if these are present in ROM which cannot be altered!
Apple should demand all their security software be written in Rust, which doesn't allow for these mistakes.
Yep, a prime example where Rust would have caught the mistake. And yes, very embarassing to have a use-after-free vulnerability in this kind of code! Haven't they heard of valgrind?
It's interesting to see who is beginning to talk about Rust in these terms. Microsoft, Linus, even Google a little bit in Fuschia. Apple are probably going to have to follow suit at some point. Security gates that have been Rusted shut are going to become the thing to have.
The language might help but what would work even better would be to avoid using dynamic memory allocation for citical software components. Unfortuantely a lot of languages not only need demand pools but also hide the mechanics of references from the programmer. This may work out OK for applications level programming but in a systems environment this is a potential disaster.
Languanges like Rust try to shield programmers from the consequences of sloppy coding. There is a place for this capability but its better to understand what you're doing and be very disciplined about how you do it. (....and Rust is written in?).
BTW -- The idea of making languages error free have been around for quite a long time. ADA was one of the first; its quite an effective tool but for some reason (bulk?) isn't used by companies like Apple and Microsoft.
You always need dynamic memory allocation in any language because in many situations you don't know how much memory you need until runtime.
Rust is the best possible solution to a long standing problem which wasn't solved by any other language, including ADA.
And just saying that you need to be smarter is nonsense. People have been saying that for decades, and look where it has brought us. A world full of insecure software which is buggy and flaky. We need a language like Rust which elliminates these kind of mistakes.
Can you be sure your bounds stay enforced, even if the memory moves outside your scope, to code outside your control? Can you be sure your inputs are actually sanitized and can't still be exploited? What about multi-threading and race conditions?
The amount of control you actually have is small and shrinking, and things can happen outside your control, including fault cascades.
There are highly-transportable USB bridge devices available at your local big box. On one end is a USB-C plug, on the other is a USB-A plug that can fold down and turn the "tongue" into a USB Micro plug for OTG operation. The stick itself can take SD, SD Micro, and even has a USB-A 3.0 port for separate sticks. Bring one of those along (they're not much bigger than your average USB stick) and you're pretty well covered.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
