Security news that informs and inspires

Apple’s T2 Chip Good for Secure Boot, Still Room for Improvement

By

Apple’s T2 chip on the new Macs perform a wide array of tasks to secure the machine from various hardware- and software-based attacks. The fact that the T2 chip can do so much is also potentially its weakness, as it broadens the machine’s attack surface.

“The T2 is a great first step in the right direction, but there is still room for improvement when it comes to the secure boot process on an Apple T2-enabled device,” wrote Mikhail Davidov, a principal security researcher at Duo Labs.

First introduced with the iMac Pro and now in every new 2018 Macbook Pro, the T2 Security Chip is a custom-designed component that dynamically provides and validate UEFI (Unified Extensible Firmware Interface) firmware at runtime to make sure the firmware, hardware, and operating system has not been maliciously modified. The firmware contains the earliest code executed by the machine, such as initializing low-level hardware components and handing off control of the boot sequence to the operating system kernel. Attackers attempt to execute malicious code via bootkits before the operating system protections are enabled. Secure Boot prevents the attackers from injecting code in that first stage.

Once on the machine, bootkits are extremely difficult to detect as they are not part of the operating system and can survive reinstallation or hard disk replacement. The T2 can be thought of as a "physical wrapper around the flash chip," Davidov said, so "it can monitor the contents of the UEFI firmware and is much more difficult to tamper with than a naked flash chip."

Researchers from Duo Labs looked at the T2 chip and found that Apple's design for T2—“using an immutable, signature-validate image for UEFI firmware”—was an extremely effective way to secure the Mac platform. The T2 oversees a number of tasks long before the user presses the button, including locating and initializing the bootloader with an immutable masked ROM and loading processes that establish the cryptographically-verified chain of trust to ensure platform integrity. When the physical power button is pressed, T2 invokes more routines to verify the firmware and eventually shift control so that the regular UEFI and macOS bootloader can execute and boot up the machine.

Researchers called the T2 "a leap forward in platform security in the Apple ecosystem, and it begins to bring exciting security properties like Secure Boot capabilities to the mass market."

In theory, even if attackers bypass the x86 chip’s protection mechanisms, they can’t deploy bootkits because there is no flash storage to save the malware. However, the implementation isn’t quite so simple. For example, T2 first validates the signature on Apple-provided images, and then copies the code to internal mutable flash storage. The protocol used to verify the firmware can’t authenticate the responses it receives, so implanted hardware can potentially “man-in-the-middle the firmware image in flight and modify it,” the researchers said. The image starts out as good and trusted, but it can become untrusted. The modifications can come either from the host or through someone temporarily attaching hardware to the physical eSPI bus, Davidov said.

"Physical attacks are still possible, though more challenging than the classic evil-maid attacks that reflash a single SPI flash chip," the researchers said. It's possible that a bug in the Apple XNU common-kernel, which is used in many Apple products, could somehow create a shortcut for an attacker.

Functions are accessible “from userland without having root permissions.”

While T2 can’t alter the behavior of System Management Mode (SMM), the Intel Management Engine (ME), or UEFI, it is responsible for bootstrapping these three tools. This makes the T2 kernel “intrinsically more powerful,” the researchers wrote.

Apple lets the T2 chip communicate with other components to perform tasks other than secure boot, such as handling the processing for Touch ID fingerprint data, storing the cryptographic keys used to securely boot the machine, preventing laptop microphones from being remotely operated, and enabling the MacBook Pro to respond to “Hey Siri” commands without pushing a button. The way T2 is coupled with the host operating system exposed areas of the host operating system that was traditionally out of reach for attackers. For example, the RemoteXPC facility is exposed by a USB-attached network interface. While direct access to the interface is limited, there are ways to communicate directly with advertised services, without root permissions or binary entitlements, the researchers wrote.

There lies the crux of the T2: it does too much," the researchers wrote. "It shares many common components and drivers from the iOS and macOS platforms that frankly, just should not be there.

Duo Labs researchers praised performing integrity validation of firmware-at-rest as "a no-brainer, security-wise." However, they believe the secure boot operations should be isolated to "a much simpler and more tightly-scoped system-on-a-chip." One of the worries is that T2 updates are bundled alongside macOS system updates, and if something goes wrong with the update, the operating system may be patched by the firmware vulnerable.

Apple has been very quiet about the capabilities of its T2 chip, or how it works with other components. If an attacker can get persistent privileged code execution on the T2 chip, he or she would be able to rewrite the UEFI firmware on the fly, power on or off the Mac, and control sensitive peripherals like the camera and microphone. The masked-ROM rooted chain-of-trust has matured into one of the hardest targets in existance, Davidov said. With the T2 chip, Apple brought the defenses in its mobile devices to its laptop and desktop lines.

“This makes the T2 an extremely appealing target for a motivated attacker,” Duo Labs said.