VOGONS

Common searches


Apple's T2: Vulnerable and Unfixable

Topic actions

First post, by 640K!enough

User metadata
Rank Oldbie
Rank
Oldbie

I haven't seen any discussion of this matter here, and thought it might be worth mentioning. I'm always interested in the different viewpoints, and am hoping for a constructive discussion.

The story in question is from October. Apparently, Apple's T2 "security" co-processor is vulnerable to attack. Furthermore, because of the point in the startup process that the attack begins and the design of the T2, it is unfixable, and it doesn't seem there is any possible work-around. The most detailed coverage I have found so far is here.

As a result of this, there are three possible approaches Apple could take to fix this problem:

  1. Create a re-call programme and have a technician de-solder the T2 and replace it with a fixed version.
  2. Same as above, but replace the entire board in affected machines.
  3. Give users of affected machines who have AppleCare or still-valid warranty a fixed replacement machine.

Of course, with Apple being Apple, the response will more likely be this: acknowledge nothing, say nothing, fix nothing, wait for the class-action lawsuit, then settle for a pittance. Then, future machines will suddenly not suffer from this, but there was nothing wrong with it to begin with. In typical Apple style, the attitude will be that those who want a fixed machine can simply buy a new one. This would be the same approach they took with the iPhone 4 antenna disgrace, and other problems. The only difference then was that they brought Jobs out to make a fool of himself, trying to pretend that all phones suffered from the same flaw. I doubt we'll be hearing from Mr. Cook or anyone else officially.

Reply 1 of 28, by Caluser2000

User metadata
Rank l33t
Rank
l33t

Thank you for sharing that. I look forward to Apple Inc and or resident Apple hardware experts responses.

There's a glitch in the matrix.
A founding member of the 286 appreciation society.
Apparently 32-bit is dead and nobody likes P4s.
Of course, as always, I'm open to correction...😉

Reply 3 of 28, by 640K!enough

User metadata
Rank Oldbie
Rank
Oldbie

The researchers did try to contact Apple multiple times, and got no response, according to what was posted. When multiple attempts allegedly failed to generate even the slightest response, the entire exploit and proof-of-concept details were published.

Normally, if a major, previously-unknown flaw is reported, you might expect some sort of response, and maybe even a "bounty" payment.

This is one of my problems with Apple. As they revert back to their ultra-proprietary, not-invented-here ways, there is less transparency, and we have fewer ways to verify their claims. Much like this T2 black box. They say it provides such great features and enhanced security never before available on the platform, but how do we know that? Are we just supposed to take their word for it? Security through obscurity is not the way forward!

So far, it looks like one of the few things the T2 actually does is help prevent the people who paid for the machine from repairing it in the way they may wish. I wonder if this exploit can be used to defeat that functionality as well...

Reply 5 of 28, by 640K!enough

User metadata
Rank Oldbie
Rank
Oldbie
Error 0x7CF wrote on 2020-11-25, 07:12:

* Requires physical access

I see this claim used as a defence every time this is discussed. The simple fact that it requires a person to be in the same room as the machine doesn't reduce the possibility of attack. Yes, it means that I can't compromise your machine from my desk in another country, but that hardly reduces the severity of the problem or the embarrassment for Apple. This is clearly a major design oversight or inexcusable design decision.

For portable, battery-powered machines, the injected code is at least somewhat persistent, until the T2 is reset or the machine completely loses power. How many people frequently run their batteries down to the safety shut-off point? EDIT: I'm not so sure just a full power-down will do it. It may be necessary to reset the T2 using another machine, "Apple Configurator 2" and a cable plugged into the appropriate port.

It's not like an attacker would have to open the case and access specific solder pads to do the job. All it really takes is a "weaponised" cable plugged into the right port before start-up. How many people borrow charging cables at their preferred coffee spot? Are you sure you never plug a borrowed charger/cable in before power-up?

Error 0x7CF wrote on 2020-11-25, 07:12:

* Doesn't work on Apple Silicon (apparently)

Again, the fact that it doesn't work on hardware that isn't widely available outside of Apple doesn't reduce the significance of the discovery. Furthermore, unless Apple wants to give users of affected machines a brand-new, equally-powerful ARM-based machine, it doesn't help the owners of the millions of these that are out in the field. Furthermore, if there are any enterprise customers who used the secure enclave to store keys or other credentials, this could be a really big deal.

Last edited by 640K!enough on 2020-11-25, 09:15. Edited 1 time in total.

Reply 6 of 28, by Dominus

User metadata
Rank DOSBox Moderator
Rank
DOSBox Moderator

First of all, you should always back your claims up with at least a semi reputable source 😀 https://www.wired.com/story/apple-t2-chip-unf … -jailbreak-mac/
Second, you are nonetheless not wrong 😀

A good point is made in the article

"Building in hardware 'security' mechanisms is just always a double-edged sword," says Ang Cui, founder of the embedded device security firm Red Balloon. "If an attacker is able to own the secure hardware mechanism, the defender usually loses more than they would have if they had built no hardware. It's a smart design in theory, but in the real world it usually backfires."

A lesson Apple could have learnt from others previous tries on this. What was the chip called that they wanted in every PC in the beginning of the 2000s or so? TPM? I remember there being a big uproar against that... But i didn't follow that much...

Caluser2000 wrote on 2020-11-25, 06:56:

I look forward to ... resident Apple hardware experts responses.

*sigh* does it always have to be this passive aggressiveness when it comes to apple users?

Windows 3.1x guide for DOSBox
60 seconds guide to DOSBox
DOSBox SVN snapshot for macOS (10.4-11.x ppc/intel 32/64bit) notarized for gatekeeper

Reply 7 of 28, by 640K!enough

User metadata
Rank Oldbie
Rank
Oldbie
DosFreak wrote on 2020-11-25, 07:32:

Thanks; I hadn't read about that yet. I'm not sure how much I like the idea, though. Hopefully MS and partners do a better job of it than Apple did.

Interestingly, MS had something similar in the Xbox since 2013, and I haven't read of any major breaches. They have apparently been making bounty payments for vulnerability reports relating to Azure, however.

Dominus wrote on 2020-11-25, 07:51:

First of all, you should always back your claims up with at least a semi reputable source 😀 https://www.wired.com/story/apple-t2-chip-unf … -jailbreak-mac/

I started with that article, but found it to be lacking. I much preferred the ironPeak article that I linked above, and I figured a cyber-security firm involved in the disclosure was reputable enough.

Dominus wrote on 2020-11-25, 07:51:

A lesson Apple could have learnt from others previous tries on this. What was the chip called that they wanted in every PC in the beginning of the 2000s or so? TPM? I remember there being a big uproar against that... But i didn't follow that much...

I still remember the backlash over the Pentium III processor serial number. At least with the TPM it was just a hardware root of trust; the T2 was also an SSD controller, video encoding/de-coding accelerator, image co-processor, etc., and crucially, had an externally-accessible firmware/control interface via one of the ports on affected machines. At least if it had required access to an internal header or solder pads, an attacker would have to steal or leave with your machine to do the dirty deed; this way it's not too difficult to imagine a clever social engineering scenario that gets a specially-crafted cable plugged into it to deliver the payload.

Reply 8 of 28, by Dominus

User metadata
Rank DOSBox Moderator
Rank
DOSBox Moderator
640K!enough wrote on 2020-11-25, 08:36:
Dominus wrote on 2020-11-25, 07:51:

First of all, you should always back your claims up with at least a semi reputable source 😀 https://www.wired.com/story/apple-t2-chip-unf … -jailbreak-mac/

I started with that article, but found it to be lacking. I much preferred the ironPeak article that I linked above, and I figured a cyber-security firm involved in the disclosure was reputable enough.

I'm sorry, I didn't see that you had actually linked any article. That's my fault for missing that. I really thought that you had not posted any link...

Windows 3.1x guide for DOSBox
60 seconds guide to DOSBox
DOSBox SVN snapshot for macOS (10.4-11.x ppc/intel 32/64bit) notarized for gatekeeper

Reply 9 of 28, by Caluser2000

User metadata
Rank l33t
Rank
l33t
Dominus wrote on 2020-11-25, 07:51:

*sigh* does it always have to be this passive aggressiveness when it comes to apple users?

YOU are imagining things. I REALLY want to know the responses of Apple fans/user for this security issue.

As I would for fans/users of any other hardware platform.

There's a glitch in the matrix.
A founding member of the 286 appreciation society.
Apparently 32-bit is dead and nobody likes P4s.
Of course, as always, I'm open to correction...😉

Reply 10 of 28, by Dominus

User metadata
Rank DOSBox Moderator
Rank
DOSBox Moderator

Ok, then: my reaction is "*sigh* another one"
While I think that some of the things the T2 chip brings on the table is good (as in the op's linked article), I could do without the security hole. But then I don't really care because I don't believe in computer security. Or maybe better worded, I'm disillusioned too much than to believe that anyone can secure their devices. That this vulnerability makes the whole mac less secure than if the chip didn't exist, just adds insult to injury.

Windows 3.1x guide for DOSBox
60 seconds guide to DOSBox
DOSBox SVN snapshot for macOS (10.4-11.x ppc/intel 32/64bit) notarized for gatekeeper

Reply 11 of 28, by Caluser2000

User metadata
Rank l33t
Rank
l33t

🤣. First you don't refer to the POs original link and now you are critiquing a member quite valid post. You are a moderator. Act like one.

Sorry for the rest of you fpr going OT.

There's a glitch in the matrix.
A founding member of the 286 appreciation society.
Apparently 32-bit is dead and nobody likes P4s.
Of course, as always, I'm open to correction...😉

Reply 12 of 28, by Dominus

User metadata
Rank DOSBox Moderator
Rank
DOSBox Moderator

First I apologized to the op for missing the link, and my critique of a missing link was at least meant to be tongue in cheek, playful.

Second, I may be a moderator but that doesn't mean I don't have the right to criticize anyone. I'm a member first with the right to speak my mind and THEN I am a moderator.

Windows 3.1x guide for DOSBox
60 seconds guide to DOSBox
DOSBox SVN snapshot for macOS (10.4-11.x ppc/intel 32/64bit) notarized for gatekeeper

Reply 13 of 28, by 640K!enough

User metadata
Rank Oldbie
Rank
Oldbie

For those who missed it, there is a follow-up article with videos. If you thought:

Error 0x7CF wrote on 2020-11-25, 07:12:

* Requires physical access

in any way mitigates the significance of this, go read/watch, then think again.

Reply 14 of 28, by ShovelKnight

User metadata
Rank Oldbie
Rank
Oldbie
Caluser2000 wrote on 2020-11-25, 09:02:
Dominus wrote on 2020-11-25, 07:51:

*sigh* does it always have to be this passive aggressiveness when it comes to apple users?

YOU are imagining things. I REALLY want to know the responses of Apple fans/user for this security issue.

As I would for fans/users of any other hardware platform.

It concerns me about as much as Intel Management Engine in my Windows laptop. Meaning that I don't let other people touch my computers. But I would do this even if this vulnerability wasn't there simply because it's good hygiene.

Reply 15 of 28, by Caluser2000

User metadata
Rank l33t
Rank
l33t
ShovelKnight wrote on 2020-11-25, 10:05:
Caluser2000 wrote on 2020-11-25, 09:02:
Dominus wrote on 2020-11-25, 07:51:

*sigh* does it always have to be this passive aggressiveness when it comes to apple users?

YOU are imagining things. I REALLY want to know the responses of Apple fans/user for this security issue.

As I would for fans/users of any other hardware platform.

It concerns me about as much as Intel Management Engine in my Windows laptop. Meaning that I don't let other people touch my computers. But I would do this even if this vulnerability wasn't there simply because it's good hygiene.

Indeed it is.

Thank you for the straight up response.

There's a glitch in the matrix.
A founding member of the 286 appreciation society.
Apparently 32-bit is dead and nobody likes P4s.
Of course, as always, I'm open to correction...😉

Reply 16 of 28, by the3dfxdude

User metadata
Rank Member
Rank
Member
Dominus wrote on 2020-11-25, 09:12:

That this vulnerability makes the whole mac less secure than if the chip didn't exist, just adds insult to injury.

My concern with this kind of system design is that it ends up crippling the end user's control instead of improving security.

Reply 17 of 28, by Dominus

User metadata
Rank DOSBox Moderator
Rank
DOSBox Moderator
the3dfxdude wrote on 2020-11-26, 04:42:
Dominus wrote on 2020-11-25, 09:12:

That this vulnerability makes the whole mac less secure than if the chip didn't exist, just adds insult to injury.

My concern with this kind of system design is that it ends up crippling the end user's control instead of improving security.

Yes, definitely a big concern ever since the TPM chip ;(

Windows 3.1x guide for DOSBox
60 seconds guide to DOSBox
DOSBox SVN snapshot for macOS (10.4-11.x ppc/intel 32/64bit) notarized for gatekeeper

Reply 18 of 28, by DosFreak

User metadata
Rank l33t++
Rank
l33t++

Fans and users don't care about security. I.T only cares if they have to since they are overloaded with tickets from lazy users and tier 1 not knowing or caring how to fill out and route tickets correctly. The amount of Apple users on this forum is extremely low so doubt you'll see much of a discussion except if it becomes yet another apple vs thread.

How To Ask Questions The Smart Way
Make your games work offline

Reply 19 of 28, by ragefury32

User metadata
Rank Oldbie
Rank
Oldbie
Caluser2000 wrote on 2020-11-25, 06:56:

Thank you for sharing that. I look forward to Apple Inc and or resident Apple hardware experts responses.

Eh, just because I am typing this on a 2015 MacBook Air 11 and have a rack full of their machines (there is a 2020 MBP16 and a 2020 MBP13 less than 3 meters away from me) doesn't mean I condone Apple's less-than-stellar security posture - it means that I have job security dealing with their BS...which I don't savor. IT does care if Apple screws the pooch. Who do you think has the unenviable job of enforcing the CISO's security postures as they present it to the customers? Now we'll have to buy keylocks and audit device insertion/removal logs?!

The T2 is known to do some really strange things - Ever since I witness a T2 on a Mac crap the bed and lose the ability to decrypt the APFS volume right before a major trade conference I had been less than complementary towards it. When you are asked to put all eggs in a single basket, you better make sure that the basket in question is sturdy, and Apple...does not extol that trait.
Let’s not kid ourselves - security by obscurity coupled with “trust us, we know what we are doing” does not scream confidence. At the very heart, I don’t entirely trust Apple...but then I don’t entirely trust Microsoft either. I am just glad that someone did the homework to burst that T2 security blanket facade.

As far as I know, post-Broadwell Macs (and the MacBook Retina 12) have been one major no-fly zone, at least for me. They might be fun to play with, but not on my own money - I prefer the vintage machines. None of the T1/T2 embedded security black box inanity, swappable storage hardware, and an actually decent keyboard without that silly touchbar. Of course, the sad thing is that some of the complaints I have against the post-Broadwell Macs also applies to some PCs out there. Soldered RAM and storage is getting common for the cheap laptops, crap chiclet keyboards are around, and TPMs are rolled out to prosumer machines like Lenovo Yogas or HP Envy/Spectres as well, and who knows what issues they might have.

Last edited by ragefury32 on 2020-11-27, 06:28. Edited 3 times in total.