We generally assume that an attacker with physical access is going to win, but there are limits on that - the usual assumption is that it's going to take some time, and potentially leave evidence that can be picked up with enough attention to detail (such as screws not being in precisely the same alignment). This attack violates all of that - there's no physical modification of the machine, and it takes under a minute. That's the difference between an attack where you know the machine has left your control for some time and an attack that can take place while you're momentarily distracted.
The lack of response to this from Apple is deeply disappointing. The attack isn't technically persistent - rebooting the T2 will clear it. But the T2 doesn't reboot when the host OS does, and Apple haven't published any guidance on how to guarantee that it has been (eg, does holding the power button down for long enough cut power to the T2? Does performing an SMC reset? Both seem to, but is that guaranteed to be the case if the T2 is running malicious code?). In addition, the Blackbird SEP exploit probably means that we have to assume that all secrets kept in the Secure Enclave can be stolen - but we don't have a full enumeration of what those typically are, or what the total security impact of this is as a result.
1) Apple will have a problem with this. They generally don’t care about small-scale things like hackintosh, but this is a bit different. Selling a device to automagically hack a key logger into a modern Mac goes over their ‘line in the sand’, I’d expect. Openly selling it is ... brave, IMHO.
2) I can see some further work on their part to beef up the security over usb-pd. Perhaps the first thing is, as the article suggests, to force external attention from the user (hold down both shift keys...) but ultimately I could see it going to challenge/response and sha256 keys or similar.
> Selling a device to automagically hack a key logger into a modern Mac goes over their ‘line in the sand’,
No, there is a clear distinction between what is being sold and what is being demonstrated. The latter requires additional hardware and software NOT provided with the advertised USB-PD probe being sold. Reading the end of the blog or even the product page immediately makes that distinction clear.
Maybe you're right, but I think Apple will consider that a distinction without a difference.
A thief who breaks into a car using one of those hook things for the window still needs to know what (s)he's doing. That doesn't mean you don't get a lot of police attention if you're wandering around a car-park with one of them...
The eye of Sauron will blink, swivel, and focus hard towards these guys, IMHO. Hope they have good^better lawyers.
And yet it’s still not (in the U.S., AFAIK) illegal to sell, buy, or posses one of those tools to enter the car. Not even intrinsically illegal to use it—breaking and entering the car is what is illegal, regardless of the tool used.
Of course, a lawsuit may always be filed even if they have no belief they will win.
And yet it is illegal to own lock picks in some jurisdictions. Admittedly, not as bad as it was a decade ago in the US, but still several states outlaw them unless you are a certified locksmith.
> They generally don’t care about small-scale things like hackintosh
They do, actually. Someone tried selling computers pre-configured with the correct hackintosh configs and Apple shut them down via a lawsuit[0]. They also got Wired to take down a video on 'how to hackintosh'[1], however the theme with these two events was that they occurred pre-2010. Given that a multitude of people have now created hackintosh tutorials, the only thing Apple would C&D now is someone doing what Psystar did and selling pre-configured machines.
selling is the difference. If you sell to someone, you're opening the market to, well, everyone. If it takes technical expertise to do it, that itself is a sufficient limit for Apple to not really care unless you poke the bear.
Maybe Wired is a sufficiently large distribution that the same thing applies, but if these guys had just released the details, I suspect Apple would just quietly patch stuff along the lines above. Selling it means they poked the bear. With a burning torch.
What would they do? There’s nothing illegal about selling one of these; I’m sure most of the people buying them at this point are only going to use it for security research. Heck, if I had a T2 Mac I might buy one myself…
Once you find yourself against a team of lawyers funded by an organisation with basically unlimited money them not having a "legitimate legal argument" becomes less relevant.
A good friend of mine went head to head with the Dutch tax service. It was obvious from the start the tax service could never win. So he won...after about 5 years of legal proceedings and having to finance the whole thing up front before getting his money.
Remember you have to fight them in your spare time, for them it's just work time.
I’m confused as to why I’m getting downvoted on this.
I’m not being critical of the US, just recognizing the differences in how the legal system operates vs other countries.
In Canada, for example: potential lawsuits must be signed off by a judge who believes the case has merit. This means that you cannot decide to bury someone in legal paperwork simply because you have the money to do so: you must also have a reasonable complaint.
Yes: I skipped over the fact that the US has arrangements with other countries and therefore there are other countries where you can still do this, but the US’s legal system makes it easy.
Who do you think writes code for the T2, if not programmers? You're imagining that people who are employed for Apple are special, but they of course are just ordinary programmers.
Your point about SSD controllers is embarrassingly incorrect; there exist many hackers of SSD controllers, including OpenSSD [0], an entire open-source community of folks working on the problem.
Please stop apologizing for Apple's walled gardens. They intentionally limit access to hardware, even after it's legally sold and belongs to the new owner.
Edit: Downvoters, provide evidence or knock it off. Nobody's interested in Apple apologia this morning.
Well, yes, I don't know if you've read the rest of the thread, but it's quite apologetic. For example, the parent claims that nobody outside of academic research should actually want/need/desire to write code for the T2, but this is clearly bullshit meant to apologize for Apple's sealing off of the T2 from user access.
Maybe we should stop paying a fashion company to sell us chips that we aren't allowed to touch.
Unfortunately, this is not the complete picture. The T2 simply programs the embedded flash within the PCH over an eSPI interface. Meaning, a successful reprogram from the T2 WILL persist until the following occurs:
rickmark here: Sorry no, that's inaccurate. The T2 provides MacEFI.im4 to the Intel processor by emulating a flash controller over eSPI. So by modifying this file, and removing signature checks you can run any payload you like (see the EFI replacement video)
Yes, sigchecks had to be patched out of the kernel. And yes, it does not persist T2 reboot, but T2 only reboots if you hold power button for 5 sec. MacOS "reboot" does _not_ reboot T2.
This isn't persistent, right? At least on iPhones, checkra1n needs to run every boot to keep the device jailbroken. So if you saw the machine boot with nothing plugged in, you can trust it.
“as long as ______ you can trust it” is a very dangerous statement.
Persistent (and silent) hacks are kept out of the public’s eye because they get sold for six figures and higher. As soon as one of those becomes public, they are essentially worthless.
Fair enough. I guess what I meant to say is "as long as you saw it boot up with nothing in the USB ports, you don't have to worry about this particular vulnerability."
To me it seems like it would be persistent. They modified the EFI application which is the first thing that runs when the computer is booted.
A backdoor in there can wait for the user to type in their full disk encryption password, mount the disk, replace the kernel binary with a malicious version and then boot the system.
For good measure, repeat the above steps upon each system boot in case a system update or something overwrote the backdoored kernel.
---
This is actually similar to how Computrace/LoJack worked, except that one didn't defeat full disk encryption and would only place its payload onto unencrypted disks.
It's not that easy since the T2 chip runs a derivative of iOS which requires codesigning. The only problem is that the T2 rarely reboots which means that erasing any modifications from it might be difficult (as far as I am aware long pressing the power button for 10 seconds should be enough to reset both the T2 and Intel though).
It is impossible to untethered persist a modified version of MacEFI without another exploit on the T2 since it has to be signed by Apple and the signature is properly checked.
> So if you saw the machine boot with nothing plugged in, you can trust it.
That's assuming they haven't just attached it to the port from the inside. Or, for that matter, replaced the entire logic board with their own, having used some less subtle attack against the original to extract and copy its secrets/data.
You can't really trust anything an attacker has had unsupervised physical access to.
I like that they explicitly call on Apple to document the method of exploitation. Apple surely has internal documentation explaining how these debug commands work.
Louis Rossmann in his videos has complained about there being no authorized way to obtain technical repair documents. But he has also said that he is lucky enough to have people (some of whom apparently work or worked at Apple) that have given him troves of such documents. I couldn't find the video where he said that again, but I did find one earlier discussion on here about it[2]
It is also due to the fact that the T2 and cryptography team is very insular at Apple, if those documents were to be leaked then there are only a few teams where the leak could have originated and the hammer of god would be brought down.
Snowden exposed governmental crimes. An Apple leaker (while I support their endeavor) wouldn't be exposing anything but company secrets; the ends wouldn't legally justify the means.
I'm still waiting for a jailbreak dongle for iOS that would easily allow booting in a jailbroken state. I know bootm8 was working on a full case but that seems to have died. A similar, persistent project for macs would be awesome.
Apple has similar "magic DFU commands" for lightning, so for the iPhone X and prior this can be done via a magic cable as well... (look into the Bonobo cable)
> This is because in Mac portables the keyboard is directly connected to the T2 and passed through to macOS.
Oh god please tell me this is a joke... what were they thinking? Seriously?!
Bad enough most Windows laptops run the keyboard through the EC, but at least nobody outside secret services attacks them and they are diverse, while everyone and their dog is picking at the T2 chip.
Has anyone noticed that this newer MacBook Pro clearly exhibits "Staingate" anti-reflecting coating peeling off the screen? (You can see it in the video.)
> The laptop in the video just looks like how my screen gets when too my fingers have been on it.
When do your fingers ever get on the bottom left corner of the screen, for example? That's classic Staingate and not an area you would touch the screen.
That's something I ask myself every time I'm cleaning my monitor. How is there a fingerprint anywhere on it much less inexplicably in the corners?
Also, sometimes the act of cleaning doesn't get off all the grime and pushes a residual layer around which you don't notice until sunlight or when snapping a pic.
Never had issues with the coating itself bubbling or coming off. Just saying, the laptop in the video looks potentially inside the realm of grime (where I live and hold scepter).
> That's something I ask myself every time I'm cleaning my monitor. How is there a fingerprint anywhere on it much less inexplicably in the corners?
The bottom left corner of a monitor is the first place I touch it in order to adjust its position.
The critical difference is that a monitor doesn't have a computer body attached to it perpendicularly at the bottom. The ergonomics are completely different.
> When do your fingers ever get on the bottom left corner of the screen, for example?
I just checked. Apparently all the time. Finger oil smears on my laptop screen are completely evenly distributed across the entire area. The screen in the video looks to me exactly like smeared oil and residue that was wiped only perfunctorily
Nowadays, I buy a screen protector together with a new MacBook. I've never experienced staingate but I did see how dirty keys ate into the coating of the screen.
We generally assume that an attacker with physical access is going to win, but there are limits on that - the usual assumption is that it's going to take some time, and potentially leave evidence that can be picked up with enough attention to detail (such as screws not being in precisely the same alignment). This attack violates all of that - there's no physical modification of the machine, and it takes under a minute. That's the difference between an attack where you know the machine has left your control for some time and an attack that can take place while you're momentarily distracted.
The lack of response to this from Apple is deeply disappointing. The attack isn't technically persistent - rebooting the T2 will clear it. But the T2 doesn't reboot when the host OS does, and Apple haven't published any guidance on how to guarantee that it has been (eg, does holding the power button down for long enough cut power to the T2? Does performing an SMC reset? Both seem to, but is that guaranteed to be the case if the T2 is running malicious code?). In addition, the Blackbird SEP exploit probably means that we have to assume that all secrets kept in the Secure Enclave can be stolen - but we don't have a full enumeration of what those typically are, or what the total security impact of this is as a result.