Password-recovery firm claims it can crack passwords on Macs with T2 security chip

Cal Jeffrey

In a nutshell: A password recovery firm has discovered a flaw in Apple's T2 chip that allows it to crack a Mac user's credentials with a brute-force attack. The method can still take considerable time, but with a weak password, the company's software can unlock a Mac in as little as 10 hours.

Passware is a company that has sold software-based hacking solutions for nearly 25 years. Its tools are primarily used for legitimate reasons such as forensics and data recovery. However, when Apple introduced its T2 security chip in 2018, Passware hit a snag with the macOS version of its tools.

The T2 is a hardware-based gatekeeper and only allows a certain number of password attempts before locking down the system. So the only way to get in is to crack the file system's decryption key, which would take millions of years to brute-force even with GPU acceleration.

Passware has a new module that can bypass the password attempt limiter. However, 9to5Mac notes that it's comparatively slow. The software can breeze through tens of thousands of guesses per second on older Macs, but the new module can only manage about 15 attempts per second using the bypass. Still, the software can use a 500,000-word dictionary attack and crack a relatively weak six-character password in about 10 hours.
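To put those figures in a defender's terms, here is an added example (not from the article, 9to5Mac or Passware) that computes how long the reported 15 guesses per second takes to exhaust the 500,000-word dictionary versus a full keyspace, and the shortest random password that holds out for a chosen number of years. The character-set sizes and the 100-year target are assumptions chosen for illustration.

```python
# Added example: worst-case guessing time at the rate reported in the article.
T2_BYPASS_RATE = 15          # guesses per second (figure from the article)
DICTIONARY_WORDS = 500_000   # dictionary size (figure from the article)
SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed character-set sizes for randomly generated passwords.
CHARSETS = {"lowercase": 26, "lower+digits": 36,
            "mixed+digits": 62, "printable ASCII": 94}


def exhaust_seconds(candidates, rate=T2_BYPASS_RATE):
    """Seconds needed to try every candidate once at the given rate."""
    return candidates / rate


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def min_length(charset_size, target_years, rate=T2_BYPASS_RATE):
    """Shortest random-password length whose full keyspace takes at
    least `target_years` to exhaust at `rate` guesses per second."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while exhaust_seconds(keyspace(charset_size, length), rate) < target:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    print("dictionary:", human(exhaust_seconds(DICTIONARY_WORDS)))
    for name, size in CHARSETS.items():
        six = human(exhaust_seconds(keyspace(size, 6)))
        print(f"{name:16} 6 chars: {six:>18}   "
              f"100-year length: {min_length(size, 100)}")
```

The roughly 10-hour figure matches exhausting the dictionary, not the six-character keyspace: a six-character password that is not a dictionary word costs far more guesses at this rate.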

Since physical access to the computer is required, this T2 vulnerability only poses a minimal threat to the average user. Additionally, it only works on Intel Macs with a T2 chip. The newer M1 Macs are invulnerable to the hack, and older units without the T2 are still vulnerable to the older versions of the tools.

Passware says it only sells its software to government buyers or private companies that prove they have a legitimate reason to use the tools. It is also not disclosing the vulnerability to the public.

That said, now that the security hole is known, you can bet hackers are racing to exploit it before Apple can lock it down.
