Apple's T2 Security Chip Vulnerable to Attack Via USB-C

[chocolaterabbit]

Instead of assuming that the entire world revolves around you, maybe calm down and realize that I have different requirements than you do. Good for YOU that it doesn’t affect YOU, but now I have a compliance issue on my hands.

Yes you’re right, i really should calm down and understand the world doesn’t revolve around me, I shouldn’t make apple recall every t2 mac just because I have a compliance issue with work that I failed to mention in my OP. Macs are popular and I’m sure they’ll figure something out.

Hold on a minute...

 

[HiVolt]

What repairs other than keyboard/screen? Everything else is soldered into the logic board. Most shops do not have the capability of replacing soldered SSD flash chip.

Another thing is that previously a stolen password protected macbook would be useless and couldn't be used by another party without replacing logic board if there was a boot password. Now that's easily by-passable.

The Mac Pro & iMac Pro have socketed SSD's. Those can't be replaced or upgraded without authorized service because of the T2 chip.

 

[DanTheMan827]

Back in the early days of the apple store, people would connect their iPods to apple store computers in order to make copies of the software on the demo machines.

People also thought it was amusing to go to jailbreakme on all the iOS devices.

 

[DanTheMan827]

Apple should release devices without USB. That appears to be the real issue.

You're being sarcastic, right?

The problem is that by Apple insisting on including a chip to prevent people from repairing the computer or doing any form of upgrade, they inadvertently introduced an unpatchable security flaw.

 

[DanTheMan827]

Never happen.

People don't buy macs for specs, they buy them for the purported security of them, there will almost certainly be some sort of class action lawsuit at the very least.

 

[DanTheMan827]

How did it make the system weaker? This kind of exploit is much easier to achieve on computers without T2, where you dont even need physical access. You can not access data still, the only thing you can do is install a keylogger, to look for the password. If you enter the password via Touch ID, the logger is useless. Once the hacker figured out what is the password they will need physical access to the Mac again. I think it is, still pretty secure.

What's saying that this payload can't be used to install software onto the macOS partition of the SSD?

If that's possible, a company could manufacture cheap chargers or cables that automatically infect any computer they're plugged in to with a rootkit put into the OS itself

 

[patent10021]

Until ML/AI is used to design the chips, humans will be able to crack it. By that time, AI will be used to crack AI. This exploit would've been discovered a lot sooner had any of these security researchers been able to use their domain knowledge with ML models. For example using a corpus of all known exploits and patches with supervised learning. How many of these security researchers do you think are building ML/DL models? Globally, I bet you can count them on three fingers.

 

[rehash]

the thing is this vulnerability became public. so now every mac 2018+ user's private data have public access. which is a kinda unacceptable.

the only thing could be helpful here is to remember current os state before leaving workspace. if your mac will be hacked it should be rebooted first.

 

[patent10021]

the thing is this vulnerability became public. so now every mac 2018+ user's private data have public access. which is a kinda unacceptable.

the only thing could be helpful here is to remember current os state before leaving workspace. if your mac will be hacked it should be rebooted first.

This is false. Physical access is needed. So basically, you need to be a valuable asset like a president of a country or CEO of a major corporation and your computer has to be stolen and access gained. No one is going to spend their time trying to hack into Karen's Rose Macbook Air to spread her photos all over the dark web. Could be bad for corporate espionage.

 

[rehash]

This is false. Physical access is needed. So basically, you need to be a valuable asset like a president of a country or CEO of a major corporation and your computer has to be stolen and access gained. No one is going to spend their time trying to hack into Karen's Rose Macbook Air to spread her photos all over the dark web. Could be bad for corporate espionage.

physical access is not a problem. if people you live with, work with or even a housekeeper can easily gain it, everyone can.

 

[patent10021]

Yeah, that housekeeper ..... If your housekeeper would be the kind of person to do that and also has those technical skills, I'd be more concerned about other things.

 

[PBG4 Dude]

Yeah, that housekeeper ..... If your housekeeper would be the kind of person to do that and also has those technical skills, I'd be more concerned about other things.

LOL, that’s right out of a Bond / Mission Impossible film.

 

[gplusplus]

Yeah, that housekeeper ..... If your housekeeper would be the kind of person to do that and also has those technical skills, I'd be more concerned about other things.

The housekeeper who accepts bribes? Yes, that one.