Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 2-5, 2019
London UK
7/30/2019
09:00 AM
Alex Wawro, Special to Dark Reading
Alex Wawro, Special to Dark Reading
News
50%
50%

Black Hat Q&A: Cracking Apple's T2 Security Chip

Duo Labs' Mikhail Davidow and Jeremy Erickson speak about their research on the Apple's T2 security chip, and why they're sharing it at Black Hat USA.

Apple’s T2 security chip is responsible for (among other things) enabling Secure Boot and safeguarding biometric Touch ID data on Apple devices. It’s a key piece of Apple’s security system, and you’ll get an expert look at how it works at the upcoming Black Hat USA in Las Vegas from Duo Labs’ Mikhail Davidov and Jeremy Erickson.

The two will present Inside the Apple T2 a 50-minute Briefing about the T2 chip derived from research and reverse-engineering. Attendees will learn how the Secure Boot process works, what attacks may be mitigated and what attack surfaces it exposes to both the OS and application layers. Davidov and Erickson will also share insight into their research and why they’re sharing it at Black Hat USA.

Alex: Hey Mikhail and Jeremy, thanks for taking the time to chat! Can you tell us a bit about who you are, and your recent work?

Mikhail and Jeremy: We’re both researchers on Duo’s advanced research team. Duo Labs is a team of hackers, researchers, and engineers dedicated to protecting the public by identifying and fixing security vulnerabilities on a broad scale. We do this by prototyping new features and products, and conducting research into security systems used by the broader computing community.

Apple’s T2 chip is a good example of the kind of security mechanism we explore, since it has far-reaching impact across the security space and gives us a glimpse of where this technology is headed.

Alex: What are you planning to speak about at Black Hat this year, and why now

Mikhail and Jeremy:. We will discuss what role the T2 plays in assuring system integrity, as well as how one may communicate with the chip from macOS.

Historically, there's been limited information available on the internal workings of Apple's hardware and software. At Duo Labs we believe in the concept of democratizing security. We strive to enable other researchers to leverage our work and tooling to further the field. Understanding the security underpinnings of a system is critical to being able to trust it, and that more eyes on any critical piece of technology will help uncover vulnerabilities.

Alex: Why do you feel this is important, and what are you hoping Black Hat attendees will learn from your presentation?

Mikhail and Jeremy: Our work is one of the earlier investigative studies on the internal workings of the T2 chip. We document and share our understanding of Apple’s implementation of the secure boot process which is the foundation of modern platform security. Additionally, we reverse engineered Apple’s XPC message format and produced documentation and tooling that enables further exploratory research. We hope our talk will serve as a primer into further investigation by the greater security community and that our tooling will enable them.

Alex: What's been the most interesting aspect of cracking the T2 chip?

Mikhail and Jeremy: We characterize our work as exploring and documenting how the T2 chip functions beyond what Apple has published. Our research shows that the T2 chip remains probably the most secure boot-process on consumer systems today as it tries to bring the platform integrity features available on the battle-hardened iPhone to the macOS ecosystem. That said, it was particularly interesting to find just quite how much attack surface the ‘remotectl’ utility exposes from the T2 chip to macOS.

In our talk we’ll show how, with a little understanding of the XPC message format, additional T2 functionality can be exercised over this channel and highlight areas for further research. Complete details of our T2 research can be found on Duo Labs.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15129
PUBLISHED: 2019-08-18
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_n...
CVE-2019-15130
PUBLISHED: 2019-08-18
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parame...
CVE-2019-15135
PUBLISHED: 2019-08-18
The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability informa...
CVE-2019-15136
PUBLISHED: 2019-08-18
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
CVE-2019-15137
PUBLISHED: 2019-08-18
The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.