Rajesh Kanungo

Cracking the password of an Apple Mac with a T2 Security Chip

Macs with Intel processors and the Apple T2 Security Chip can now be broken into using simple brute-force methods. A company, Forensic Focus, has announced a tool to perform password recovery.

The recovery process can only take place if one has physical possession of the device. The requirements are:

  1. USB-C or Thunderbolt connection to the Mac

  2. Access to the encrypted image of the Mac; the image can be acquired by putting the Mac into Target Disk Mode

  3. This attack does not leave any traces that a common user will notice.

Apple's T2 chip provides several security functions. One of them lets a Mac user encrypt and decrypt the data on their SSD; another limits the number of password attempts.


The T2 has a bug that lets one bypass the limit on the number of password attempts. At that point, the Mac is wide open to brute force attacks.


Here are some details:

  1. A 6-character password takes roughly 10 hours to crack, about a good night's sleep.

  2. A database of 550,000 commonly used passwords is provided

  3. 10 billion passwords are also provided

  4. The tool is being offered to government customers and companies with valid justifications.

Mitigations

All is not lost. Here are some of the NIST 2020 Guidelines for passwords:

  1. Do not leave your Mac in someone else's custody

  2. Use a longer password. Better yet, use a passphrase. Length > Complexity

  3. Do not reset passwords periodically

  4. Pay attention when the Mac tells you that the password is commonly used

  5. Turn on full disk encryption.
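To make the "Length > Complexity" advice concrete, the following added example (not code from the post or from Forensic Focus) scales the post's one data point, roughly 10 hours for a 6-character password, to other lengths and to passphrases. It assumes that figure was measured against the 95 printable ASCII characters, uses a 7,776-word Diceware-style dictionary for passphrases, and stands in a constructed six-entry list for the "commonly used password" database; all three are assumptions, not facts from the post.

```python
"""Estimate how brute-force cost grows with password length and with passphrases,
scaling from the post's figure of ~10 hours for a 6-character password."""

import string

# Figure taken from the post: roughly 10 hours for a 6-character password.
HOURS_FOR_SIX_CHARS = 10.0
# Assumption (the post does not say which alphabet was used): the 6-character
# figure is for the 95 printable ASCII characters.
BASELINE_CHARSET = 95
BASELINE_LENGTH = 6
# Size of a Diceware word list; an assumption for the passphrase estimate.
DICEWARE_WORDS = 7776

# Constructed stand-in for the commonly-used-password database the post mentions.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "admin123"}


def expected_hours(length, charset=BASELINE_CHARSET):
    """Worst-case hours to exhaust every string of `length` symbols drawn from an
    alphabet of `charset` symbols, at the guess rate implied by the post's figure
    (95**6 candidates in 10 hours)."""
    keyspace = charset ** length
    baseline_keyspace = BASELINE_CHARSET ** BASELINE_LENGTH
    # Divide the integers first so small keyspaces give exact ratios.
    return HOURS_FOR_SIX_CHARS * (keyspace / baseline_keyspace)


def passphrase_hours(words, dictionary_size=DICEWARE_WORDS):
    """Same estimate for a passphrase of `words` words chosen at random from a
    dictionary; each word is one 'symbol' from a dictionary-sized alphabet."""
    return expected_hours(words, dictionary_size)


def estimated_charset(password):
    """Size of the smallest standard alphabet that covers every character used,
    which is what a brute-force tool would have to search."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 punctuation marks plus space
    return size


def assess(password):
    """Checks a user would want before trusting a password: is it on a common list,
    and how long would an exhaustive search take at the post's rate?"""
    common = password in COMMON_PASSWORDS
    # A dictionary pass finds a listed password almost immediately, so report 0.
    hours = 0.0 if common else expected_hours(len(password), estimated_charset(password))
    return {
        "length": len(password),
        "common": common,
        "worst_case_hours": hours,
        "survives_a_week": hours > 24 * 7,
    }


if __name__ == "__main__":
    print("random printable-ASCII passwords:")
    for n in range(6, 13):
        print(f"  {n:2d} chars: {expected_hours(n):>16,.0f} hours")
    print("random Diceware passphrases:")
    for w in range(3, 7):
        print(f"  {w:2d} words: {passphrase_hours(w):>16,.0f} hours")
    for pw in ("123456", "Tr0ub4d", "correct horse battery staple"):
        print(pw, assess(pw))
```

Each extra character multiplies the worst-case time by the alphabet size, so the 10-hour figure for 6 characters becomes 950 hours at 7 and over 90,000 hours at 8; a five-word passphrase from a 7,776-word list outlasts a nine-character random password, while any entry on the common-password list falls in the dictionary pass regardless of its length.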

Ransomware or Insider Risk

It is possible for an insider to ransom your Mac, steal the contents of your drive, or plant fake evidence on it.


Do not leave your Mac in the hands of someone you don't trust.



