T2 Mac security vulnerability means passwords can now be cracked

By Ben Lovejoy

A company selling password-cracking tools says that a newly discovered T2 Mac security vulnerability allows it to crack passwords on these machines, bypassing the lockouts.

The method used is far slower than conventional password-cracking tools. Although the total time needed could run into thousands of years, that could fall to as little as 10 hours when the Mac owner has used a more typical password…

The key to T2 security is that the chip contains both an SSD controller and a crypto engine, allowing it to decrypt and encrypt data on the fly.

This is similar to FileVault, but even more secure as only the T2 chip can do the decryption – and security features on the chip prevent an attacker from modifying macOS to gain access.

Until recently, it wasn’t practical to mount brute-force attacks on Macs with a T2 chip.

However, 9to5Mac has learned that Passware is now offering an add-on module that can defeat Macs with the T2 chip, apparently by bypassing the features designed to prevent multiple guesses.