Mac T2 Chip Vulnerability Makes it Possible to Guess Passwords: Report

According to 9to5Mac, password recovery and security decryption company Passware has discovered a new vulnerability affecting Apple’s T2 security chip for Macs that can be exploited to crack user passwords.

Apple introduced the T2 security chip with the iMac Pro back in 2018 to isolate password encryption and decryption from the rest of the system and add even more layers of security, making Macs harder to break into. The chip also incorporated several privacy features.

Passware is now offering an add-on module for its existing password-cracking tools, which were already capable of beating the security on non-T2 Macs. The new module can defeat Macs with the T2 chip through a brute-force attack while apparently bypassing a security feature designed to prevent multiple guesses.

Passware is also offering a dictionary of the 550,000 most commonly used passwords (created from various data breaches) for customers to use in their cracking attempts, as well as a larger one composed of 10 billion passwords.

Passware’s exploit is still slower than other, more typical brute-force methods for password cracking, managing only about 15 password attempts per second. At that rate it could take thousands of years to crack just one password, but the same attack can succeed in as little as 10 hours if the Mac owner has used a more common password.

The firm says that the add-on module will only be sold to government customers, along with private companies that offer up a valid justification for its use.

M1-powered Macs and older Intel Macs without a T2 chip are not vulnerable to this exploit. Affected machines include:

  • iMac (Retina 5K, 27-inch, 2020)
  • iMac Pro
  • Mac Pro (2019)
  • Mac Pro (Rack, 2019)
  • Mac mini (2018)
  • MacBook Air (Retina, 13-inch, 2020)
  • MacBook Air (Retina, 13-inch, 2019)
  • MacBook Air (Retina, 13-inch, 2018)
  • MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)
  • MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
  • MacBook Pro (16-inch, 2019)
  • MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2019)
  • MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2018)
  • MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)

Anyone who wants to break into your Mac using Passware’s exploit will require physical access to it, so the vulnerability is not a major concern to most users. Even so, users should make sure their passwords are long (the longer, the better) and sufficiently complex to ward off a brute-force attack for as long as possible.
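To put the reported guess rate and the password-length advice into numbers, the following is an added example (not from 9to5Mac or Passware) that estimates how long an exhaustive search takes at 15 guesses per second and how long a randomly generated password must be to hold out for a chosen number of years. It assumes the article's "15-ish" rate is exactly 15, and the alphabet sizes and the 1,000-year target are illustrative choices.

```python
# Assumption: the article's "15-ish" attempts per second, taken as exactly 15.
RATE = 15
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def worst_case_seconds(candidates, rate=RATE):
    """Time to try every candidate once at a fixed guess rate."""
    return candidates / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"

def min_length(alphabet_size, target_years, rate=RATE):
    """Shortest length of a uniformly random password whose full keyspace
    takes at least target_years to exhaust at the given rate."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length

# Dictionary sizes are the two mentioned in the article.
DICTIONARIES = (("550,000-entry dictionary", 550_000),
                ("10-billion-entry dictionary", 10_000_000_000))
# Alphabet sizes are illustrative, not taken from the article.
ALPHABETS = (("digits only", 10), ("lowercase letters", 26),
             ("letters and digits", 62), ("printable ASCII symbols", 94))

if __name__ == "__main__":
    for label, size in DICTIONARIES:
        # A password that appears in the list falls within this time.
        print(f"{label}: exhausted in {humanize(worst_case_seconds(size))}")
    for label, size in ALPHABETS:
        # Only valid for randomly generated passwords; a human-chosen one
        # may sit in a dictionary regardless of its length.
        print(f"{label}: at least {min_length(size, 1000)} random characters "
              f"to last 1,000 years")
```

The length estimates apply only to passwords drawn at random from the alphabet; a long password that appears in a breach-derived dictionary is bounded by the dictionary figure instead.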