A company that makes a password cracking tool says that a new vulnerability found in the Mac T2 chip allows it to brute force passwords and decrypt a device.
Apple’s T2 chip, among other features, allows a Mac user to encrypt and decrypt data on their SSD. That encryption is bolstered by other security features, like a limit on the number of password attempts to mitigate brute force attacks.
Because a Mac’s password isn’t stored on its SSD, bypassing this encryption meant that an attacker would need to brute force the decryption key, which could take millions of years. However, a company called Passware says it can now defeat this security mechanism.
Passware’s unlocking tools were previously able to crack passwords on Macs without the T2 chip. According to a new report by 9to5Mac, an add-on to the latest version of the software can bypass the brute force mitigation protections on a T2 chip.
The module, available for the Passware tool, apparently exploits a new T2 chip vulnerability to circumvent the password attempt limit. The end result is that an attacker can apply a password dictionary and brute force a Mac’s password, allowing them to potentially decrypt the device’s data.
Passware-enabled attacks are slow, however. The company’s password cracking tool can guess 15 passwords per second. If a user’s password is relatively long, brute forcing a Mac could still take thousands of years. Shorter passwords are more vulnerable, with a six-character password crackable in about 10 hours.
The company is also offering a dictionary of about 550,000 commonly used passwords alongside a longer dictionary of about 10 billion passwords.
Passware’s T2-bypassing tool is available both to government customers and companies that can provide a valid justification for its usage.
Brute forcing a Mac’s password requires physical access to the device, so the feature isn’t going to be a significant concern for most users. Users who lock down their Mac with a longer and stronger device password can also rest easy knowing that a brute force attempt could take thousands of years.
Similarly, the flaw only applies to Intel-based Macs with a T2 chip. Mac devices with Apple Silicon or M1 chips are unaffected.