{"id":22047,"date":"2020-10-11T15:50:40","date_gmt":"2020-10-11T22:50:40","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=22047"},"modified":"2020-10-11T15:50:40","modified_gmt":"2020-10-11T22:50:40","slug":"sb-2020-10-10","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/10\/sb-2020-10-10\/","title":{"rendered":"Security Bits \u2014 10 October 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Social Media Updates\n<ul>\n<li><a href=\"https:\/\/www.nbcnews.com\/tech\/tech-news\/facebook-bans-qanon-across-its-platforms-n1242339\">Facebook bans QAnon across its platforms \u2014 www.nbcnews.com\/\u2026<\/a><\/li>\n<li>Instagram has improved its anti-bullying protections a little \u2014 <a href=\"https:\/\/about.instagram.com\/blog\/announcements\/national-bullying-prevention-month\">about.instagram.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 T2 Jailbreak Update \u2013 The Other Shoe Drops<\/h2>\n<p>Last week we talked about the fact that the T2 chip could be jailbroken, and that it had been added to the <em>checkra1n<\/em> jailbreak, but that there did not seem to be any security implications. 
It seemed all you could do was customise the Touchbar.<\/p>\n<p>A lot can change in a week!<\/p>\n<p>Armed with the jailbreak we learned about last week, security researchers went to work to see what they could do \u2014 the answer is, a lot &#x1f641;<\/p>\n<p>Attackers can use the un-patchable flaws in the T2 chip to:<\/p>\n<ol>\n<li>Bypass activation lock, allowing a stolen Mac to be re-used after all<\/li>\n<li>Bypass firmware passwords<\/li>\n<li>Indirectly bypass full disk encryption by adding a keylogger to the EFI firmware and waiting for the owner to log in at least once (perfect for an <em>evil maid<\/em> attack, but no use for trying to break into a stolen or seized computer)<\/li>\n<li>Bypass secure boot, allowing Macs to boot un-signed OSes, including booby-trapped versions of macOS<\/li>\n<li>Execute malicious code during the boot process, potentially injecting malware into an otherwise clean OS as the OS boots<\/li>\n<\/ol>\n<p>I should also note that there is some speculation that perhaps the vulnerability could be used to speed up brute-force attacks on FileVault full disk encryption. That has yet to be proven, and a strong password would seem to provide a good defence against that potential attack.<\/p>\n<p>As bad as all that sounds, the sky is not falling, and the risk to regular folks is quite low. Why? Because <strong>to exploit this flaw, attackers need physical access to your computer<\/strong>, and <strong>the Secure Enclave has not been compromised<\/strong>.<\/p>\n<p>Another important subtlety to note is that the jailbreak is not permanent. Just as checkra1n on iOS devices does not survive a reboot, checkra1n on T2 chips also doesn&#8217;t survive a reboot. The problem is that the T2 chip rarely reboots itself. It actually remains powered on even when the Mac it&#8217;s installed in is powered off. 
According to security researchers, the only way to be absolutely certain any exploit of a T2 chip has been completely removed is <a href=\"https:\/\/support.apple.com\/en-gb\/guide\/apple-configurator-2\/apdebea5be51\/mac\">to follow these instructions from Apple<\/a> to completely re-install all the Mac&#8217;s firmware.<\/p>\n<p>Oh, and in case you&#8217;re wondering, the older T1 is not affected by this bug.<\/p>\n<p>This means that when it comes to activation lock, secure boot, keyloggers, booby-trapped OSes, etc., a T2 Mac is now as <em>&#8216;insecure&#8217;<\/em> as every Mac before the invention of the T2 chip was, and as every Mac without a T2 chip is. The T2 chip brought added security to Macs, above and beyond what we had already, and above and beyond what non-T2-Macs have today. Some of that additional protection has now fallen away, but not all of it. The addition of a secure enclave to Macs with T2 chips still adds some additional security over non-T2-Macs \u2014 most notably, TouchID, and the secure storage of private keys for things like encryption.<\/p>\n<p>The flaws being exploited here are literally burned into the current T2 chip. A key part of its security is that it cannot be altered, but the price we pay for that protection against tampering is that there is no way to fix bugs!<\/p>\n<p>Apple can manufacture new T2 chips with fixed firmware burned into them, but they can&#8217;t fix any of the millions of existing T2 chips out there. There has been no word from Apple about what they&#8217;ll do, but I expect they&#8217;ll soon release updated T2s, or perhaps even new T3 chips with additional features.<\/p>\n<p>The bottom line \u2014 unless you&#8217;re a high-value target this is only really likely to impact you should your Mac get stolen; in that situation attackers can&#8217;t steal your data, but they can disable activation lock and profit from selling your computer. 
If you are a high-value target, don&#8217;t ever let your Mac out of your physical control, and replace your Mac as soon as Apple release updated models with patched T2s or replacement T3s.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.wired.com\/story\/apple-t2-chip-unfixable-flaw-jailbreak-mac\/\">Apple&#8217;s T2 Security Chip Has an Unfixable Flaw \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apples-t2-chip-has-critical-unpatchable-security-flaw-says-researcher\">Apple&#8217;s T2 chip has unpatchable security flaw, says researcher \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/t2-vulnerability-report-had-inaccurate-technical-details-says-team-behind-research\">T2 vulnerability report had &#8216;inaccurate&#8217; technical details, says team behind research \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blog.rickmark.me\/checkra1n-and-the-t2\">checkra1n and the T2 \u2014 blog.rickmark.me\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Mac security researcher extraordinaire Patrick Wardle interviewed about this jailbreak by Ken Ray: <a href=\"https:\/\/overcast.fm\/+HLr7ZMH1w\">Checklist 202 &#8211; The T2 Vulnerability with Patrick Wardle \u2014 overcast.fm\/\u2026<\/a> <\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>DuckDuckGo has released privacy-friendly driving and walking directions based on Apple Maps \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/duckduckgo-directions-mapkit\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.vice.com\/en\/article\/qj479d\/irs-investigation-location-data-no-warrant-venntel\">The IRS Is Being Investigated for Using Location Data Without a\u00a0Warrant \u2014 www.vice.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they 
support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/10\/08\/8-tips-to-tighten-up-your-work-from-home-network\/\">8 tips to tighten up your work\u2011from\u2011home network \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.theguardian.com\/politics\/2020\/oct\/05\/how-excel-may-have-caused-loss-of-16000-covid-tests-in-england\">COVID: how Excel may have caused loss of 16,000 test results in England \u2014 www.theguardian.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.wired.com\/story\/ad-tech-could-be-the-next-internet-bubble\/\">Ad Tech Could Be the Next Internet Bubble \u2014 www.wired.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/facebook-says-apples-new-privacy-features-are-assault-its-company\">Facebook exec says company is &#8216;under assault&#8217; by Apple&#8217;s privacy changes \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.vice.com\/en\/article\/qj4qjd\/whatsapp-data-security-issues\">Six Reasons You Should Delete WhatsApp \u2014 www.vice.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td 
align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
Social Media Updates Facebook bans QAnon across its platforms \u2014 www.nbcnews.com\/\u2026 Instagram has improved it&#8217;s anti-bullying protections a little \u2014 about.instagram.com\/\u2026 Deep Dive \u2014 T2 Jailbreak Update \u2013 The Other Shoe Drops Last week [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4343,156,4342],"class_list":["post-22047","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-chekra1n","tag-facebook","tag-t2-jailbreak"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=22047"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22047\/revisions"}],"predecessor-version":[{"id":22049,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22047\/revisions\/22049"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachm
ent":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=22047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=22047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=22047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}