A company selling password-cracking tools says that a newly-discovered T2 Mac security vulnerability allows it to crack passwords on these machines, bypassing the lockouts.

The method used is far slower than conventional password-cracking tools, but although the total time needed could run into thousands of years, that could fall to as little as 10 hours when the Mac owner has used a more typical password…

Background: The T2 chip

Apple introduced the T2 security chip in 2018, and it was used to provide a secure boot-up feature to Intel Macs from that year on.

The key to T2 security is that the chip contains both an SSD controller and a crypto engine, allowing it to instantly decrypt and encrypt data on the fly. This is similar to FileVault, but even more secure as only the T2 chip can do the decryption – and security features on the chip prevent an attacker from modifying macOS to gain access. Here’s how Apple describes the protection:

At the time that software is downloaded and prepared to install, it is personalised with a signature that includes the Exclusive Chip Identification (ECID) — a unique ID specific to the T2 chip in this case — as part of the signing request. The signature given back by the signing server is then unique and usable only by that particular T2 chip. The UEFI firmware is designed to ensure that when the Full Security policy is in effect, a given signature isn’t just signed by Apple but is signed for this specific Mac, essentially tying that version of macOS to that Mac. This helps prevent rollback attacks.

T2 Mac security vulnerability

Passware was already able to crack passwords and decrypt FileVault-protected drives on older Macs without the T2 chip. This uses GPU acceleration to achieve brute-force attacks of literally tens of thousands of passwords per second, making it a trivial task to break into these Macs.

Until recently, however, it wasn’t practical to mount brute-force attacks on Macs with a T2 chip. This is because the Mac password is not stored on the SSD, and the chip limits the number of password attempts that can be made, so you’d instead have to brute-force the decryption key, and that is so long it would take millions of years.

However, 9to5Mac has learned that Passware is now offering an add-on module that can defeat Macs with the T2 chip, apparently by bypassing the features designed to prevent multiple guesses. Having defeated this protection, users can then apply the dictionary of their choice. Passware provides a dictionary of the 550,000 most commonly-used passwords (created from various data breaches), along with a larger one of 10 billion passwords.

The process is still slower than usual, at a relatively sedate 15-ish passwords per second. In theory, this could still take thousands of years, but most people use relatively short passwords which are vulnerable to dictionary attacks. The average password length is just six characters, which can be cracked in around 10 hours.

Passware says that the add-on module is only available to government customers, as well as private companies who can supply a valid justification for its use.

What does this mean for Mac owners?

Passware requires physical access to your Mac, so is not a major concern for most of us.

If you have an older Intel Mac without a T2 chip, nothing has changed. Likewise if you own an M1 Mac. Affected machines are these:

  • iMac (Retina 5K, 27-inch, 2020)
  • iMac Pro
  • Mac Pro (2019)
  • Mac Pro (Rack, 2019)
  • Mac mini (2018)
  • MacBook Air (Retina, 13-inch, 2020)
  • MacBook Air (Retina, 13-inch, 2019)
  • MacBook Air (Retina, 13-inch, 2018)
  • MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)
  • MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
  • MacBook Pro (16-inch, 2019)
  • MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2019)
  • MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2018)
  • MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)

The main advice is, however, the same for everyone:

  • Use long passwords – the longer, the better
  • Don’t use words found in a dictionary
  • Include special characters like !@$%^&*()-+=[]{}
  • Only ever download apps from trusted sources
  • Follow standard cybersecurity precautions

We’ve reached out to Apple for comment and will update with any response.

Photo: iFixit

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear