Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple's T2 Chip Has Unpatchable Security Flaw, Claims Researcher [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
You got it backwards. This is exactly the reason Apple should be doing the silicon themselves and not trust Intel/AMD or others. They have their fair share of security flaws too.
This whole "your" vs "their" computer/phone thing needs to stop. You own the computer. You can drop it from a helicopter, throw it in a swimming pool, break it or whatever you want. You however do not own the macOS software. If you don't like macOS you can always install Windows on the computer.
I do not own the rights to get Windows 10 source code, change it to where I can never have Edge preinstalled. Its my computer though!
read-only memory is not only persistent it is read only. Read only means not rewritable. Set once and done.
If this was some Non Volatile RAM (NVRAM) that can be rewriting a couple of handful of times then it would not be "read only".
If it were regular RAM it wouldn't get patched because could not survive a hard reboot ( power all the way off and on). That is exactly where this hack is stuffed; into RAM. And exactly why the hack goes away if you simply power off and reboot the Mac is it looks like it strange state you didn't leave it in.
There is straightfoard fix here which is turn off the Mac and reboot it. Because the T2 OS is in ROM the hacker can't permanently put the hack into the system. That's is the security reason why it is in ROM. Apple does security in layers. One of the layers failed here; not all of them.
Now, the highly disappointing thing by Apple here is that they should put far more effort into the code that is running in Device Firmware Update (DFU) mode. It is an extremely vulnerable state the Mac can be put into and there should be very EXTENSIVE code reviews of anything that is running at that specific time.
If this was a normal operating mode there would be an excuse that their is just too much code to look and and don't have time to deep reviews of everything. But in DFU mode anything not immediately necessary should be off. And all the data being pumped at the T2 should be examined carefully.
The unspecified additional hack is the real secret sauce there. The article notes that check8 still can't decrypt the drive. This is would be even more unwieldy if this second step requires some access to the physical logic board or something. Where someone has to not only plug in something on the outside but also probe around the physical T2 chip to trigger this second level hack. It may be just pumping some malformed data to the T2 which responds instead of throwing it away.
You do realize that macOS and Windows were patched to address Meltdown and Spectre right? Causing the processors to run a bit slower as a result. They weren't just stuck because it was Intel's processors.
This is the main part of the problem that people don't understand. Never leave your system on unattended in a public place. Always take it with you. Since this needs physical access, its not the worst thing out there that people here are making it sound.
You need to access to the Mac in order to run this exploit.
As far as I understand the Mac has to be put in DFU mode, then you can run malicious code, so someone should steal your Mac, put it in DFU and run the software. I don't think it is possible to run the exploit if you plug in a malicious USB-C device, at least if it is not connected while booting.
An attack may happen, but not to the average user
I’m more worried about attacks/exploits like this, than physical access attacks:
https://www.pcmag.com/news/suspecte...lware-that-can-survive-os-reinstalls?amp=true
https://www.pcmag.com/news/suspecte...lware-that-can-survive-os-reinstalls?amp=true
Even in public places where this threat is the most possible? Unless you are VERY worried about friends and family. In that case I would suggest talking to them about your concerns
This is a long-standing question in the security community - and it's generally agreed the rewards for making it public (allowing users to protect themselves, allowing other security researchers to review/extend the work, getting companies to actually address issues instead of sweeping them under the rug, etc.) are worth the risks (allowing bad actors access to new attacks they might otherwise not know about). After all, there's always the chance that bad actors *already* know about it, and just haven't shared it with the security community.
Not only hackers. With this exploit they can bypass the remote locking of a Mac, making it possible to steal one and continue to use it
Not a major security issue, no OS or modern computer can ever be 100% secure these days
The days are gone we’re systems were 100% secure from malware and key logging as we could simply turn off and turn back on and instant boot up, tho these were 8-16bit machines and basic the more complex things become the greater the risk
The days are gone we’re systems were 100% secure from malware and key logging as we could simply turn off and turn back on and instant boot up, tho these were 8-16bit machines and basic the more complex things become the greater the risk
It is possible to stop adding more complexity and "Features" on top over time. If do testing and remove the vectors and do not introduce new ones then you can get to a state of closing the defects. That isn't practical in the normal operating mode for a general purpose system. New features and new code are typically needed to sell "new" product. But for a mode like device firmware upgrade (DFU) mode there really shouldn't be much of a new feature now "sizzle" that need to add over time. It is a narrow and focused use case. All the software/firmware that is necessary should be tractable to isolate and fix over time. ( and software that is going to be stuff into read-only (write once) memory should be throughly checked before you do so. Not Yippe-ki-yay it passed a couple of checks so toss it into ROM, but throughly reviewed. )
Same thing for he core security chip. It doesn't have to be bleeding edge out of order , super speculation execution engine. It just needs to reliable first and foremost. That normal application CPU can be completely isolated from that.
Can get to defect free in life critical and high security systems. .It just takes effort and resources and a willingness to limit scope to just what is necessary. That is just incompatible with the "never enough time to do it right, but always time to do it over" approach to general purpose software.
Last edited:
Don't count on it. They're not going to replace those chips and they're not going to give you a new motherboard just for this.
If there's going to be a fix it will be software/firmware-based that according to this source at least is not possible.
Last edited:
No. this is likely harder to generally exploit than the article suggests. Previous MBP has a firmware password that was resetable if know the "magic" hardware incantation. That was probably broader in scope never was a recall there either.
Apple somewhat brings this upon themselves when they promote the device as being super duper secure with the T2. That basically becomes an invitation for someone to find any kind of complicated way around the security. It is still highly secure in most normal operating modes. If you have lost physical access to your MBP for a long extended period of time then it is kind of in trouble anyway.
Don't loose it and do a power off and reboot when it looks "quite odd" and you'd be just fine. Apple isn't doing to do a billion dollar recall on a very narrow corner case that has nothing to do with the normal operating mode of the device.
Old School Philosophy: Believe anything is possible. Work hard, persevere, and find a way to succeed. Anything is possible if one believes and doesn’t give up.
Todays Philosophy: Meh, if we aren’t guaranteed immediate success out the door, why bother. Whatever is used today is fine for now until the rest of eternity.
lol... so apparently Intel has a Macrumors account