Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 2-5, 2019
London UK
7/30/2019
09:00 AM
Alex Wawro, Special to Dark Reading
Alex Wawro, Special to Dark Reading
News
50%
50%

Black Hat Q&A: Cracking Apple's T2 Security Chip

Duo Labs' Mikhail Davidow and Jeremy Erickson speak about their research on the Apple's T2 security chip, and why they're sharing it at Black Hat USA.

Apple’s T2 security chip is responsible for (among other things) enabling Secure Boot and safeguarding biometric Touch ID data on Apple devices. It’s a key piece of Apple’s security system, and you’ll get an expert look at how it works at the upcoming Black Hat USA in Las Vegas from Duo Labs’ Mikhail Davidov and Jeremy Erickson.

The two will present Inside the Apple T2 a 50-minute Briefing about the T2 chip derived from research and reverse-engineering. Attendees will learn how the Secure Boot process works, what attacks may be mitigated and what attack surfaces it exposes to both the OS and application layers. Davidov and Erickson will also share insight into their research and why they’re sharing it at Black Hat USA.

Alex: Hey Mikhail and Jeremy, thanks for taking the time to chat! Can you tell us a bit about who you are, and your recent work?

Mikhail and Jeremy: We’re both researchers on Duo’s advanced research team. Duo Labs is a team of hackers, researchers, and engineers dedicated to protecting the public by identifying and fixing security vulnerabilities on a broad scale. We do this by prototyping new features and products, and conducting research into security systems used by the broader computing community.

Apple’s T2 chip is a good example of the kind of security mechanism we explore, since it has far-reaching impact across the security space and gives us a glimpse of where this technology is headed.

Alex: What are you planning to speak about at Black Hat this year, and why now

Mikhail and Jeremy:. We will discuss what role the T2 plays in assuring system integrity, as well as how one may communicate with the chip from macOS.

Historically, there's been limited information available on the internal workings of Apple's hardware and software. At Duo Labs we believe in the concept of democratizing security. We strive to enable other researchers to leverage our work and tooling to further the field. Understanding the security underpinnings of a system is critical to being able to trust it, and that more eyes on any critical piece of technology will help uncover vulnerabilities.

Alex: Why do you feel this is important, and what are you hoping Black Hat attendees will learn from your presentation?

Mikhail and Jeremy: Our work is one of the earlier investigative studies on the internal workings of the T2 chip. We document and share our understanding of Apple’s implementation of the secure boot process which is the foundation of modern platform security. Additionally, we reverse engineered Apple’s XPC message format and produced documentation and tooling that enables further exploratory research. We hope our talk will serve as a primer into further investigation by the greater security community and that our tooling will enable them.

Alex: What's been the most interesting aspect of cracking the T2 chip?

Mikhail and Jeremy: We characterize our work as exploring and documenting how the T2 chip functions beyond what Apple has published. Our research shows that the T2 chip remains probably the most secure boot-process on consumer systems today as it tries to bring the platform integrity features available on the battle-hardened iPhone to the macOS ecosystem. That said, it was particularly interesting to find just quite how much attack surface the ‘remotectl’ utility exposes from the T2 chip to macOS.

In our talk we’ll show how, with a little understanding of the XPC message format, additional T2 functionality can be exercised over this channel and highlight areas for further research. Complete details of our T2 research can be found on Duo Labs.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4483
PUBLISHED: 2019-08-20
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X...
CVE-2019-4484
PUBLISHED: 2019-08-20
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164068.
CVE-2019-4485
PUBLISHED: 2019-08-20
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069.
CVE-2019-7593
PUBLISHED: 2019-08-20
Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
CVE-2019-7594
PUBLISHED: 2019-08-20
Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).