Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 2-5, 2019
London UK
7/30/2019
09:00 AM
Alex Wawro, Special to Dark Reading
Alex Wawro, Special to Dark Reading
News
50%
50%

Black Hat Q&A: Cracking Apple's T2 Security Chip

Duo Labs' Mikhail Davidow and Jeremy Erickson speak about their research on the Apple's T2 security chip, and why they're sharing it at Black Hat USA.

Apple’s T2 security chip is responsible for (among other things) enabling Secure Boot and safeguarding biometric Touch ID data on Apple devices. It’s a key piece of Apple’s security system, and you’ll get an expert look at how it works at the upcoming Black Hat USA in Las Vegas from Duo Labs’ Mikhail Davidov and Jeremy Erickson.

The two will present Inside the Apple T2 a 50-minute Briefing about the T2 chip derived from research and reverse-engineering. Attendees will learn how the Secure Boot process works, what attacks may be mitigated and what attack surfaces it exposes to both the OS and application layers. Davidov and Erickson will also share insight into their research and why they’re sharing it at Black Hat USA.

Alex: Hey Mikhail and Jeremy, thanks for taking the time to chat! Can you tell us a bit about who you are, and your recent work?

Mikhail and Jeremy: We’re both researchers on Duo’s advanced research team. Duo Labs is a team of hackers, researchers, and engineers dedicated to protecting the public by identifying and fixing security vulnerabilities on a broad scale. We do this by prototyping new features and products, and conducting research into security systems used by the broader computing community.

Apple’s T2 chip is a good example of the kind of security mechanism we explore, since it has far-reaching impact across the security space and gives us a glimpse of where this technology is headed.

Alex: What are you planning to speak about at Black Hat this year, and why now

Mikhail and Jeremy:. We will discuss what role the T2 plays in assuring system integrity, as well as how one may communicate with the chip from macOS.

Historically, there's been limited information available on the internal workings of Apple's hardware and software. At Duo Labs we believe in the concept of democratizing security. We strive to enable other researchers to leverage our work and tooling to further the field. Understanding the security underpinnings of a system is critical to being able to trust it, and that more eyes on any critical piece of technology will help uncover vulnerabilities.

Alex: Why do you feel this is important, and what are you hoping Black Hat attendees will learn from your presentation?

Mikhail and Jeremy: Our work is one of the earlier investigative studies on the internal workings of the T2 chip. We document and share our understanding of Apple’s implementation of the secure boot process which is the foundation of modern platform security. Additionally, we reverse engineered Apple’s XPC message format and produced documentation and tooling that enables further exploratory research. We hope our talk will serve as a primer into further investigation by the greater security community and that our tooling will enable them.

Alex: What's been the most interesting aspect of cracking the T2 chip?

Mikhail and Jeremy: We characterize our work as exploring and documenting how the T2 chip functions beyond what Apple has published. Our research shows that the T2 chip remains probably the most secure boot-process on consumer systems today as it tries to bring the platform integrity features available on the battle-hardened iPhone to the macOS ecosystem. That said, it was particularly interesting to find just quite how much attack surface the ‘remotectl’ utility exposes from the T2 chip to macOS.

In our talk we’ll show how, with a little understanding of the XPC message format, additional T2 functionality can be exercised over this channel and highlight areas for further research. Complete details of our T2 research can be found on Duo Labs.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17223
PUBLISHED: 2019-10-15
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...