Archive for October 12, 2020

Apple’s T2 Security Chip Has An “Unfixable” Flaw That Can Lead To Pwnage

Posted in Commentary with tags on October 12, 2020 by itnerd

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple’s trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately “unfixable” in every Mac that has a T2 inside. 

In general, the jailbreak community haven’t paid as much attention to macOS and OS X as it has iOS, because they don’t have the same restrictions and walled gardens that are built into Apple’s mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple’s “Find My” services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple’s A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro’s Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware. “The T2 is meant to be this little secure black box in Macs — a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “So the significance is that this chip was supposed to be harder to compromise — but now it’s been done.”

Now let me point out one key thing. You have to have physical access to a USB port on the Mac in question. Which means that the way to avoid this is to not let anyone touch your Mac. But that might be a problem in a environment like customs at an airport. Especially in countries that isn’t exactly known for respecting human rights.

It will be interesting to see Apple’s response to this as the T2 chip is a big marketing point in terms of advancing the narrative that Macs are secure. And that’s key for enterprise customers that Apple wants to attract. In my mind, Apple needs to respond to this report and speak to what if anything they are going to do about it.

Why Does The Tacx Utility Need To Read The Clipboard Of My Mac Via My iPhone? [UPDATE: Fixed]

Posted in Commentary with tags , on October 12, 2020 by itnerd

As frequent readers of this blog know, my wife and I are avid cyclists. To help us keep in shape, we bought a Tacx Neo 2T Smart indoor trainer. What an indoor trainer does is that after you put your bike on it, it can simulate any sort of road riding experience. For example if you climb a hill with a 10% gradient, it will simulate that. If you go down a hill with at 3% gradient, it will simulate that. And something that is exclusive to the Tacx Neo 2T, it will simulate things like wooden bridges, cobbles, and gravel with the correct physics that you would feel if you rode over those surfaces in the real world. To aid with this, you need to use a program like Zwift along with a computer or tablet to place you in a virtual environment so that all of this comes to life. This is a setup that has really taken our cycling to the next level as we can ride and keep in shape 12 months of the year.

Like all pieces of electronic gear, The Neo 2T Smart requires firmware updates from time to time to fix bugs and enhance features. So on Sunday I decided to use the Tacx Utility app on my iPhone to check for firmware updates. That’s when I noticed something that got my attention.

If you watch the top of the screen, after the Tacx Utility starts up, a notification appears from iOS 14 saying that the Tacx Utility copied the clipboard of my Mac via my iPhone. Except that I never did a copy and paste from my Mac via Apple’s Universal Clipboard feature. Thus this was clearly a problem.

Here’s a picture of the prompt:

This notification is one of the many privacy focused features that appeared in iOS 14. And for good reason. The clipboard is where text that has been copied and pasted is temporarily stored. Given that users may have sensitive information copied to the clipboard, such as passwords, this could pose privacy and security concerns. And if you combine that with apps that were caught during the iOS 14 beta process looking in the clipboard for no good reason, then this notification will help you to make sure that you know when an App is doing something that might be shady. And how did this come to light, some researchers tripped over this in March and their discovery, and during the iOS 14 beta process, beta testers “named and shamed” apps that did this. Which included TikTok and LinkedIn among others. Who then promptly came out with some very weak excuses while quickly updating their apps to not do this.

To be frank, there’s only a handful of reasons why an app needs to access the clipboard on its own and without a user doing a copy and paste. So that leads to this question: Why precisely does the ⁦Tacx⁩ app which exists only to update firmware troubleshoot issues on Tacx trainers need to access my clipboard every time the app starts up? In my mind, there’s no good reason for that app to do so. But in the interest of giving Tacx a chance to explain themselves, I posted this to Twitter:

I also posted the same video that I embedded above from my YouTube account. I included the #iOS14 so that it would be noticed by a wider audience as well. And in case you are wondering why Garmin is included in my Tweet, Garmin owns Tacx. Thus in my mind, both companies have some explaining to do. Here’s what Tacx came back with:

Then another user of Tacx products jumped in and responded to this before I could as I was asleep at the time:

To which Tacx responded with this:

I’ll give Tacx kudos for jumping on this quickly. It shows that they weren’t doing anything sketchy and it sounds like a bug that they are going to investigate and hopefully fix. I will keep you updated on that front.

If I could give you some advice, if you see a prompt like the one above, and you didn’t do a copy and paste, I would report it with screen shots to the app vendor. Give them a chance to explain this as snooping in your clipboard is something that apps shouldn’t be doing except in some very unique circumstances. That will ensure that apps you use are safe. And if a company doesn’t respond like Tacx does, then you know who the bad actors are.

UPDATE: This issue seems to be resolved with Tacx Utility version 2.3.3 for iOS. It was released on the Apple App Store on November 18th and with this version I can no longer reproduce the issue