Major vulnerability in Apple T2 security chips

[Halcyon]

https://ironpeak.be/blog/crouching-t2-hidden-danger/

Ouch

[I wanted a rude username]

So ... a system intended to make Apple PCs more secure, made them less secure?

Louis Rossman weighs in:

[Halcyon]

So ... a system intended to make Apple PCs more secure, made them less secure?

Apple only give a token regard to security when it comes to the bulk of its users. It's "good enough" for the average consumer. For example, anything running iOS has been vulnerable (from a general perspective) for years, provided you can get your hands on the physical device; Cracking a PIN and downloading its entire contents is rather trivial. If you are serious about security, you wouldn't be using an Apple product.

[Ed.Kloonk]

 

[Mr. Scram]

Apple only give a token regard to security when it comes to the bulk of its users. It's "good enough" for the average consumer. For example, anything running iOS has been vulnerable (from a general perspective) for years, provided you can get your hands on the physical device; Cracking a PIN and downloading its entire contents is rather trivial. If you are serious about security, you wouldn't be using an Apple product.

What would you use?

[Cerebus]

https://ironpeak.be/blog/crouching-t2-hidden-danger/

Ouch

So what actually is this "Major vulnerability"? The page you link to rambles on saying things like "The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone 7 since it contains a processor based on the iOS A10." but it doesn't actually say what the vulnerability is, it doesn't even say what class of vulnerability it belongs to.

The general tenor of that webpage doesn't look like it's been written by grown-ups. e.g. lines like "Be angry at news websites & Apple for not covering this issue, despite attempts from me and others to get them to report this matter."

Generally with this sort of thing you at least expect to see the names of the researchers responsible, usually with affiliations, not a list of Twitter handles and nothing else.

I'd want to see something a little more cogent than this before concluding that there's anything to worry about here.

[Halcyon]

Apple only give a token regard to security when it comes to the bulk of its users. It's "good enough" for the average consumer. For example, anything running iOS has been vulnerable (from a general perspective) for years, provided you can get your hands on the physical device; Cracking a PIN and downloading its entire contents is rather trivial. If you are serious about security, you wouldn't be using an Apple product.

What would you use?

Honestly, in terms of the mobile phones, the ones I have the most issues with are the more obscure or unpopular brands. There is no one brand which will be completely impenetrable (including the old Blackberry devices, contrary to popular belief), but I've had certain models of LG running their weird version of Android that I haven't been able to get an extraction out of (without resorting to hardware-based teardown methods). Some of those re-branded candybar phones like ZTE are also a pain (especially if the flash is encrypted by default).

On the flip-side, Apple and Samsung are very well "supported" in the digital forensics community (because they are so popular and a lot of R&D money goes into reverse engineering them).

Security of data is multi-faceted -- Not one thing will keep you secure. It's a combination of efforts. Using strong, unique passwords for each device/service will give you a good head start.

[SilverSolder]

Security through obscurity is supposed to be a "bad thing"...  but I agree, if you use uncommon products that you just know someone is going to have to spend blood, sweat, and tears to figure out, they might decide to spy on someone else with a more popular device first!

[andersm]

So what actually is this "Major vulnerability"?

Code injection in the T2 coprocessor, which in turn allows injecting code into the main processor. The exploit is done via USB DFU mode and requires physical access, so the real-world risk is maybe not so dramatic.

[SilverSolder]

So what actually is this "Major vulnerability"?

Code injection in the T2 coprocessor, which in turn allows injecting code into the main processor. The exploit is done via USB DFU mode and requires physical access, so the real-world risk is maybe not so dramatic.

Bad guys can leave compromised USB sticks, flash drives etc. around, ready to be picked up by unsuspecting users thinking they made a lucky find...

[Halcyon]

So what actually is this "Major vulnerability"?

Code injection in the T2 coprocessor, which in turn allows injecting code into the main processor. The exploit is done via USB DFU mode and requires physical access, so the real-world risk is maybe not so dramatic.

This is true, in real-world terms, the impact is likely to be minimal (how often does a regular user boot off a USB drive anyway?). However what will be interesting will be the tools and methods which will be developed to exploit DFU mode for cyber security, digital forensics, law enforcement and national security organisations. Currently, the only way you can get data from a T2-based Mac is by either knowing the password or using some kind of attack/brute force to discover the password.

[Cerebus]

So what actually is this "Major vulnerability"?

Code injection in the T2 coprocessor, which in turn allows injecting code into the main processor. The exploit is done via USB DFU mode and requires physical access, so the real-world risk is maybe not so dramatic.

Bad guys can leave compromised USB sticks, flash drives etc. around, ready to be picked up by unsuspecting users thinking they made a lucky find...

Booting from a USB stick != running device in USB DFU mode.  First the device has to be explicitly put into DFU mode, then you need to have an active host device connected to it to run the host side of DFU.

[Marco]

Every one of Intel's ring minus X has been broken too, it's not a big deal. Just a question of physical security.

[Mr. Scram]

Honestly, in terms of the mobile phones, the ones I have the most issues with are the more obscure or unpopular brands. There is no one brand which will be completely impenetrable (including the old Blackberry devices, contrary to popular belief), but I've had certain models of LG running their weird version of Android that I haven't been able to get an extraction out of (without resorting to hardware-based teardown methods). Some of those re-branded candybar phones like ZTE are also a pain (especially if the flash is encrypted by default).

On the flip-side, Apple and Samsung are very well "supported" in the digital forensics community (because they are so popular and a lot of R&D money goes into reverse engineering them).

Security of data is multi-faceted -- Not one thing will keep you secure. It's a combination of efforts. Using strong, unique passwords for each device/service will give you a good head start.

Now I know what you won't use, but still not really what you would or actually do. What's your daily driver, for instance?

[Ed.Kloonk]

Honestly, in terms of the mobile phones, the ones I have the most issues with are the more obscure or unpopular brands. There is no one brand which will be completely impenetrable (including the old Blackberry devices, contrary to popular belief), but I've had certain models of LG running their weird version of Android that I haven't been able to get an extraction out of (without resorting to hardware-based teardown methods). Some of those re-branded candybar phones like ZTE are also a pain (especially if the flash is encrypted by default).

On the flip-side, Apple and Samsung are very well "supported" in the digital forensics community (because they are so popular and a lot of R&D money goes into reverse engineering them).

Security of data is multi-faceted -- Not one thing will keep you secure. It's a combination of efforts. Using strong, unique passwords for each device/service will give you a good head start.

Now I know what you won't use, but still not really what you would or actually do. What's your daily driver, for instance?

I'm guessing Maxwell Smart shoe phone.

[Bud]

So what actually is this "Major vulnerability"?

Code injection in the T2 coprocessor, which in turn allows injecting code into the main processor. The exploit is done via USB DFU mode and requires physical access, so the real-world risk is maybe not so dramatic.

Bad guys can leave compromised USB sticks, flash drives etc. around, ready to be picked up by unsuspecting users thinking they made a lucky find...

Not only USB sticks can be left. Phones themselves can be left. They also can be given as "gifts", given away or lended.

[Mr. Scram]

Who says the supply chain wasn't compromised somewhere and your phone or computer was delivered to you brand new and already compromised? It could be the manufacturer or one of its many subcontractorsvand suppliers, the seller, shipper or a number of others. We've seen real life examples of all of the above.

[Halcyon]

Honestly, in terms of the mobile phones, the ones I have the most issues with are the more obscure or unpopular brands. There is no one brand which will be completely impenetrable (including the old Blackberry devices, contrary to popular belief), but I've had certain models of LG running their weird version of Android that I haven't been able to get an extraction out of (without resorting to hardware-based teardown methods). Some of those re-branded candybar phones like ZTE are also a pain (especially if the flash is encrypted by default).

On the flip-side, Apple and Samsung are very well "supported" in the digital forensics community (because they are so popular and a lot of R&D money goes into reverse engineering them).

Security of data is multi-faceted -- Not one thing will keep you secure. It's a combination of efforts. Using strong, unique passwords for each device/service will give you a good head start.

Now I know what you won't use, but still not really what you would or actually do. What's your daily driver, for instance?

My daily driver is actually still a Samsung Galaxy S8. With secure start enabled and a strong password, it's still extremely secure.