7/30/2019
09:00 AM
Alex Wawro, Special to Dark Reading

Black Hat Q&A: Cracking Apple's T2 Security Chip

Duo Labs' Mikhail Davidov and Jeremy Erickson speak about their research on Apple's T2 security chip, and why they're sharing it at Black Hat USA.

Apple’s T2 security chip is responsible for (among other things) enabling Secure Boot and safeguarding biometric Touch ID data on Apple devices. It’s a key piece of Apple’s security system, and you’ll get an expert look at how it works at the upcoming Black Hat USA in Las Vegas from Duo Labs’ Mikhail Davidov and Jeremy Erickson.

The two will present Inside the Apple T2, a 50-minute Briefing about the T2 chip derived from their research and reverse-engineering. Attendees will learn how the Secure Boot process works, what attacks it may mitigate, and what attack surfaces it exposes to both the OS and application layers. Davidov and Erickson will also share insight into their research and why they’re sharing it at Black Hat USA.

Alex: Hey Mikhail and Jeremy, thanks for taking the time to chat! Can you tell us a bit about who you are, and your recent work?

Mikhail and Jeremy: We’re both researchers on Duo’s advanced research team. Duo Labs is a team of hackers, researchers, and engineers dedicated to protecting the public by identifying and fixing security vulnerabilities on a broad scale. We do this by prototyping new features and products, and conducting research into security systems used by the broader computing community.

Apple’s T2 chip is a good example of the kind of security mechanism we explore, since it has far-reaching impact across the security space and gives us a glimpse of where this technology is headed.

Alex: What are you planning to speak about at Black Hat this year, and why now?

Mikhail and Jeremy: We will discuss what role the T2 plays in assuring system integrity, as well as how one may communicate with the chip from macOS.

Historically, there's been limited information available on the internal workings of Apple's hardware and software. At Duo Labs we believe in the concept of democratizing security. We strive to enable other researchers to leverage our work and tooling to further the field. Understanding the security underpinnings of a system is critical to being able to trust it, and more eyes on any critical piece of technology will help uncover vulnerabilities.

Alex: Why do you feel this is important, and what are you hoping Black Hat attendees will learn from your presentation?

Mikhail and Jeremy: Our work is one of the earlier investigative studies on the internal workings of the T2 chip. We document and share our understanding of Apple’s implementation of the secure boot process, which is the foundation of modern platform security. Additionally, we reverse engineered Apple’s XPC message format and produced documentation and tooling that enables further exploratory research. We hope our talk will serve as a primer for further investigation by the greater security community and that our tooling will enable them.

Alex: What's been the most interesting aspect of cracking the T2 chip?

Mikhail and Jeremy: We characterize our work as exploring and documenting how the T2 chip functions beyond what Apple has published. Our research shows that the T2 chip remains probably the most secure boot process on consumer systems today, as it tries to bring the platform integrity features available on the battle-hardened iPhone to the macOS ecosystem. That said, it was particularly interesting to find just how much attack surface the ‘remotectl’ utility exposes from the T2 chip to macOS.

In our talk we’ll show how, with a little understanding of the XPC message format, additional T2 functionality can be exercised over this channel and highlight areas for further research. Complete details of our T2 research can be found on Duo Labs.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.
