Apple’s T2 chip protects MacBook's mic from hackers, and shields FileVault from Intel CPUs

  • Liam Tung (CSO Online)
  • 31 October, 2018 07:55

Apple says its T2 security chip, found in new MacBook Pro laptops and the just-announced MacBook Air, will block hackers from eavesdropping through a laptop’s microphone.

The company revealed extra details of its T2 security chip in a white paper today as it announced its long-awaited MacBook Air refresh.

The new MacBook Air features the T2 security chip, as do the 2018 MacBook Pro and the iMac Pro. On MacBooks with Touch ID, it provides the secure enclave used to store fingerprints.  

However, the T2 security chip serves a variety of functions on Mac hardware. Details of the chip surfaced recently after reports that components dependent on the chip would controversially need to pass an Apple diagnostics test before the device becomes functional again. Dependent components included Touch ID, the display, logic board, speakers, trackpad, battery and more.

The T2 chip test caused concern among right-to-repair advocates worried that components and repairers not approved by Apple would cause a device to fail. However, iFixit found that, for now, replacing covered components at a non-authorized repair shop didn’t brick the system as was suggested in a leaked service contract.

An earlier document Apple published about macOS security aimed at IT admins noted that the “T2 chip in iMac Pro prevents users from being able to reset the firmware password, even if they gain physical access to the Mac”. 

But as spotted by TechCrunch, Apple has published a new document focusing on T2 that notes that Mac laptops with a T2 chip “have a hardware disconnect that ensures the microphone is disabled when the lid is closed.”

This security feature could be useful for anyone concerned about hacking enabled after an attacker has gained physical access to the device, such as the classic “evil maid” attack in a hotel scenario.

Apple-focussed security researcher Patrick Wardle earlier this year released the Do Not Disturb app that monitors a MacBook specifically for processes that happen when the macOS device’s lid has been opened, and sends an alert to an iPhone if it occurs. 

As Wardle argued, shutting the laptop should put the device into sleep mode, which largely isn’t useful for attackers who have physical access. Therefore, attackers with physical access would require the device to be awake and the lid to be open.

While this app can cover many attacks that require the lid to be open, Apple’s T2 chip closes a potential hole that could be exploited when the macOS system has already been compromised, if an attacker found a way to tap the mic while the lid is closed. This concern could be a reality for anyone of interest to government hackers.

As Apple notes of T2 on MacBooks: “This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed.”

The defense is aimed purely at attack scenarios involving the use of sensors, such as the webcam and mic, when the lid is closed. As such, “the camera is not disconnected in hardware because its field of view is completely obstructed with the lid closed.”

It's highly unlikely for anyone to experience a closed lid attack that exploits the camera or microphone, but Apple's T2 chip ensures this won't happen even if the operating system has been compromised. 

The bigger advantage of the T2 chip could be that it protects macOS FileVault full disk encryption on MacBooks, which today still rely on Intel CPUs that Apple is rumored to be moving away from in future Mac products.

“On Mac systems with the T2 chip, all FileVault key handling occurs in the Secure Enclave; encryption keys are never directly exposed to the (Intel) application processor,” Apple notes. 

The T2 processor also brings MacBooks closer to the password attempt delays on iPhones that have frustrated law enforcement agencies around the world, assuming FileVault has been enabled on a Mac with a T2 chip. Delays can be enforced up to 1 hour.  

“To prevent brute-force attacks, when Mac boots, no more than 30 password attempts are allowed at the Login Window or via Target Disk Mode, and escalating time delays are imposed after incorrect attempts. The delays are enforced by the Secure Enclave coprocessor on the T2 chip. If Mac is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period,” Apple notes. 

To counter ransomware-like effects from malware attempting to guess a user’s password, the 30-attempt limit is lifted when the user successfully logs into a Mac, but it is then re-imposed after reboot, and users have 10 more attempts when booting into macOS Recovery. An additional 30 attempts are available when attempting to recover using other FileVault recovery tools, including iCloud recovery, FileVault recovery key, and institutional key.

“Once those attempts are exhausted, the Secure Enclave will no longer process any requests to decrypt the volume or verify the password,” Apple warns.