New Mac T2 Chip Vulnerability Makes It Easier to Hack Your Passwords | Should You Be Worried?
Toggle Dark Mode
The T2 Security Chip in Apple’s recent Macs has long been the company’s strongest line of defence against hackers, but now it looks like a new vulnerability could make their jobs a bit easier.
A company called Passware, which creates forensic tools designed for use by law enforcement, claims that it’s found a way around one of the security limitations of Apple’s T2 chip, allowing it to break through Apple’s FileVault encryption more quickly.
To be clear, Passware has been able to break into FileVault-protected drives on older non-T2 equipped Macs for years, however Apple’s T2 chip has mostly stopped them in their tracks — until now.
Before the T2 chip came along, a user’s FileVault encryption password was stored right on their Mac’s SSD. This made it possible to conduct a brute-force attack that used GPU acceleration to simply guess tens of thousands of passwords per second until they hit on the correct one.
The T2 chip complicated this, however, since not only is the password no longer stored on the SSD, but the chip limits the number of password attempts that can be made, much like the iPhone and iPad have always operated.
The only other way around this was to brute-force the actual decryption key, which is extremely long and would therefore take millions of years for even the most powerful computer.
But now it looks like the forensic toolmaker has found a way around this. The company is offering an add-on module that appears to exploit a vulnerability in the T2 chip, allowing it to bypass the limit on password attempts.
Along with this new module, Passware is offering a dictionary of the 550,000 most commonly used passwords, culled from various data breaches over the years, plus an even larger database of 10 billion passwords.
Should You Be Concerned?
- The first thing to keep in mind is that this is a targeted attack that requires that somebody has possession of your Mac.
- Passware’s tools also don’t exactly come cheap — their forensic kit sells for $1,095, and that doesn’t necessarily include the add-on module that can bypass the T2 security features.
- That module is also only officially available to law enforcement agencies or private companies that can show a legitimate need for it.
- More importantly, however, this tool doesn’t just magically unlock your FileVault-encrypted SSD. As noted above, it simply runs through millions of password combinations until it finds the one that works — and it isn’t exactly a fast process, thanks to other built-in protections in the T2 chip that can’t be overcome.
Complex cryptography algorithms are designed to add a processing delay to prevent these kinds of brute-force attacks from being too easy. This delay is enforced by adding complex mathematical calculations that take extra time for the hardware chips to process. There are no security vulnerabilities that can overcome these delays, as they’re a function of the math involved, so hacking tools simply have to live with them.
In Passware’s case, this means that it can only guess about 15 passwords per second. Of course, that still works out to around 54,000 passwords per hour, and since it’s also working from a dictionary of commonly used passwords, there’s a good chance that it would hit on most people’s passwords sooner, rather than later.
For instance, if you have a six-character password made up of common words, phrases, or even character replacements (e.g., using a “3” for an “e”), Passware’s tool could likely crack that in about 10 hours, since that’s the about the amount of time it would take to run through the entire dictionary of the 550,000 most commonly used passwords.
Benefits of a Complex Password
On the other hand, if you’re using a completely random password, there’s a good chance that Passware’s tool will take years rather than hours.
For example, a six-character random alphanumeric password — one that uses both upper and lower case letters and numbers — actually offers 56,800,235,584 possible combinations of characters. Even with the ability to guess 54,000 passwords per hour, it could take up to 120 years to come up with the correct password.
In fact, even a simple six-character alphabetical password that uses only lowercase letters would take up to 238 days to crack. This is why dictionary attacks are so popular — and why it’s always best to use a completely random password, and make it as long as possible.
The more characters in your password, the more difficult it becomes to brute force it, as the number of possible combinations quite literally grow exponentially. For example, add only one more digit to create a seven-character alphanumeric password, and you increase the maximum time it would take Passware’s tools to get through your T2 chip to 7,400 years.
Again, however, this assumes your password is completely random, such that a brute-force attack has to resort to going through every possible combination of letter and number to find it. Go with anything that even remotely resembles a word, and you’re much more likely to fall prey to a dictionary attack.
The same applies to your iPhone and iPad passcode, which is why you should use a longer, alphanumeric password, rather than a simple four- or six-digit number. With Face ID (or Touch ID), you’ll rarely have to enter it anyway, and the extra security it offers against hackers will be well worth it.
While it’s unlikely most people will need to worry about their MacBook falling into the hands of somebody who would use Passware’s tools against it, using a more secure password can make it virtually impossible for any forensic tool to get through Apple’s FileVault encryption, regardless of what vulnerabilities hackers may find in the T2 chip.