Passware manages to find the password of T2 Macs by brute force

The company Passware, which specializes in solutions for unlocking Macs and PCs by brute force, has managed to “crack” the T2 chip. But beware, the process takes anywhere from 10 hours to several thousand years, depending on the password and its length. It remains possible thanks to a vulnerability exploited by the company, whose customers are mainly law enforcement agencies but also companies.

The T2 chip, in the center of the iMac Pro motherboard. Image: iFixit (CC BY-NC-SA).

Passware already knew how to recover passwords from older Macs (without a T2 chip) and decrypt volumes protected with FileVault using a brute-force technique: thanks to GPU acceleration, the software could test tens of thousands of passwords per second, allowing it to quickly break into machines.

The T2 chip, introduced in 2018 (and still at work in the latest Intel Macs in the catalog), has made things more difficult. Its Secure Enclave keeps the Mac password, whereas previously it was in the computer’s storage space. In addition, the chip limits the number of password attempts, with increasingly long waiting times (read the white paper on the T2 chip).

2017 iMac Pro review: Everything you never wanted to know about the T2 chip and Secure Boot

According to 9to5Mac, Passware has developed a way to circumvent these protections, which are supposed to prevent the use of brute force. The technical details are unknown; however, the process is much slower: about fifteen password attempts per second. For T2 Macs protected by 6-letter passwords, the villain can expect a result within ten hours.

The publisher clarifies that this new brute-force unlock module is only offered to governments and companies that provide valid justification. Very meager security… It should be noted that the Passware tool can only work with physical access to the Mac. To guard against this kind of attack, you can opt for a long password that does not use common words that can be found in dictionaries, and include special characters. Easier said than done!
