
A company that makes a password cracking tool says that a new vulnerability found in the Mac T2 chip allows it to brute force passwords and decrypt a device.

Apple’s T2 chip, among other features, allows a Mac user to encrypt and decrypt data on their SSD. That encryption is bolstered by other security features, like a limit on the number of password attempts to mitigate brute force attacks.

Because a Mac’s password isn’t stored on its SSD, bypassing this encryption meant that an attacker would need to brute force the decryption key, which could take millions of years. However, a company called Passware says it can now defeat this security mechanism.

Passware’s unlocking tools were previously able to crack passwords on Macs without the T2 chip. A new report by 9to5Mac says that an add-on to the latest version of the software can bypass the brute force mitigation protections on a T2 chip.

The module, available for the Passware tool, apparently exploits a new T2 chip vulnerability to circumvent the password attempt limit. The end result is that an attacker can apply a password dictionary and brute force a Mac’s password, allowing them to potentially decrypt the device’s data.

Passware-enabled attacks are slow, however. The company’s password cracking tool can guess 15 passwords per second. If a user’s password is relatively long, brute forcing a Mac could still take thousands of years. Shorter passwords are more vulnerable, with a six-character password crackable in about 10 hours.

The company is also offering a dictionary of about 550,000 commonly used passwords alongside a longer dictionary of about 10 billion passwords.

Passware’s T2-bypassing tool is available both to government customers and companies that can provide a valid justification for its usage.

Brute forcing a Mac’s password requires physical access to the device, so the feature isn’t going to be a significant concern for most users. Users who lock down their Mac with a longer, stronger device password can also rest easy knowing that a brute force attempt could take thousands of years.
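To put the 15-guesses-per-second figure in context for anyone setting a password policy, the following added example (not code from AppleInsider, 9to5Mac or Passware) estimates average search times and the minimum password length needed to reach a chosen resistance target. The alphabet sizes, the 1,000-year target and the assumption that passwords are uniformly random are choices made for this example; only the guess rate and the two dictionary sizes come from the article.

```python
import math

GUESSES_PER_SECOND = 15            # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabets (not from the article); passwords are assumed uniformly random.
ALPHABETS = {"digits": 10, "lowercase": 26, "mixed case + digits": 62, "printable ASCII": 95}


def average_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Expected search time: on average half the keyspace is tried before a hit."""
    return alphabet_size ** length / 2 / rate


def dictionary_seconds(entries, rate=GUESSES_PER_SECOND):
    """Time for one full pass over a wordlist with `entries` candidates."""
    return entries / rate


def min_length(alphabet_size, target_years, rate=GUESSES_PER_SECOND):
    """Shortest random password whose average search time reaches the target."""
    needed = 2 * target_years * SECONDS_PER_YEAR * rate   # keyspace size required
    length = max(1, math.ceil(math.log(needed, alphabet_size)))
    # Correct any floating-point error in the logarithm with exact integer powers.
    while alphabet_size ** length < needed:
        length += 1
    while length > 1 and alphabet_size ** (length - 1) >= needed:
        length -= 1
    return length


def policy_table(target_years=1000):
    """Per alphabet: (name, hours to search 6 characters on average, minimum length)."""
    return [(name, average_seconds(size, 6) / 3600, min_length(size, target_years))
            for name, size in ALPHABETS.items()]


if __name__ == "__main__":
    for name, hours6, length in policy_table():
        print(f"{name:20s} 6 chars: {hours6:14,.1f} h   1,000-year minimum: {length} chars")
    for entries in (550_000, 10_000_000_000):   # dictionary sizes from the article
        days = dictionary_seconds(entries) / 86400
        print(f"dictionary of {entries:,} entries: {days:,.1f} days for a full pass")
```

Passwords chosen by people are not uniformly random, so one that appears in a wordlist falls within the dictionary pass time regardless of its length.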

Similarly, the flaw only applies to Intel-based Macs with a T2 chip. Mac devices with Apple Silicon or M1 chips are unaffected.

