Apple Modernizes Its Hardware Security with T2

When Apple launched its latest MacBook Air last month, one of its more unusual features was that the built-in microphone automatically turns off when the lid is closed.

Apple introduced the feature to eliminate any possibility of malware – or other unwanted applications – using the laptop’s microphone to eavesdrop on users.

The mic shut-off function is written into Mac systems via the security-focused T2 chip, and it’s just the latest use for the T2, which is a powerful piece of security technology that acts as the hardware root of trust for the Mac ecosystem.

The feature made headlines, even though the risk of anyone using a MacBook Air to bug conversations might seem low. But the bigger story is that with the expansion to the Air and other devices in its portfolio, Apple seems to be taking hardware security seriously. And researchers say Macs may finally be catching up to other computing platforms on that score.

Apple first introduced the T2 with the iMac Pro in late 2017, then added it to MacBook Pro computers earlier this year – and most recently, it’s been implemented into the new MacBook Air and Mac Mini.

Apple’s first-generation security chip, the 32-bit T1, was introduced with the 2016 MacBook Pro line, principally to drive the Touch ID system. The T2 is a 64-bit chip, based on a single-core version of Apple’s A10 iPhone processor, built to handle a much wider range of tasks.

The T2’s functions are indeed wide-ranging: It acts as an audio and mic controller, and controls the computers’ FaceTime cameras and even cooling systems. Vitally, it also governs storage security, and on top of that, it acts as a system-management chip. For instance, on the MacBook Pro, the T2 controls the Touch ID sensor on the Touch Bar, and stores the biometric data in an on-board Secure Enclave co-processor.

With this more powerful chip, Apple appears to be setting out to add some heavyweight security features to the Mac. For instance, on T2-equipped Macs, the chip controls the boot process, and checks that the operating system is correctly signed. If it is, the machine moves on to the next part of the boot cycle. The T2 will validate current versions of MacOS and also Windows 10 – although at present, the chip will not allow a Mac to boot Linux.

The T2’s secure-boot facility is built to ensure that Mac owners don’t fall victim to modified system software or malicious updates. And, because T2 controls the Mac’s identity, it will work with mobile device management (MDM) technology to make it easier to administer secure boot for large numbers of MacBooks. This is a potential big benefit to enterprises – and to education in particular, where issuing laptops to students is increasingly common.

Unlike on the iPhone and iPad, Mac users do have a degree of control over their machine’s security settings. To that end, Apple provides an application called the Startup Security Utility, to control some of the T2’s behavior. Users can, for example, opt for “medium” security in order to use older versions of MacOS, or they can turn the OS verification off altogether. This lets newer Macs boot in the same way as older models, without the T2’s intervention, although this is apparently not enough to fix the Linux issue.
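To make the three startup-security modes concrete, here is an added illustration of the policy logic described above. It is example code written for this article, not Apple’s firmware: the signature check uses HMAC-SHA256 with a key held only by the “vendor” as a stand-in for a real public-key code signature, the `MINIMUM_TRUSTED_VERSION` and the sample images are constructed values, and the mode names `full`, `medium` and `off` are this example’s own labels for the behaviour the text describes (only a current signed OS, any signed OS including older versions, and no verification).

```python
"""Toy model of a secure-boot policy check. Added illustration, not Apple's code."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: an HMAC key known only to the vendor stands in for the vendor's
# asymmetric code-signing key. Real secure boot verifies a public-key signature;
# the policy decision below is what this example is meant to show.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"  # constructed sample value

# Constructed: the "current" release that the strictest mode insists on.
MINIMUM_TRUSTED_VERSION = (10, 14)


@dataclass(frozen=True)
class OSImage:
    name: str
    version: tuple
    payload: bytes
    signature: bytes


def _digest(name, version, payload):
    # Bind name, version and payload together so none can be swapped independently.
    h = hashlib.sha256()
    h.update(name.encode())
    h.update(".".join(map(str, version)).encode())
    h.update(payload)
    return h.digest()


def sign_image(name, version, payload, signing_key=VENDOR_SIGNING_KEY):
    sig = hmac.new(signing_key, _digest(name, version, payload), hashlib.sha256).digest()
    return OSImage(name, version, payload, sig)


def signature_valid(image, signing_key=VENDOR_SIGNING_KEY):
    expected = hmac.new(signing_key, _digest(image.name, image.version, image.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.signature)


def boot_allowed(image, policy):
    """Return (allowed, reason) for the given startup-security policy.

    'full'   : image must carry a valid vendor signature AND be a current version
    'medium' : any validly signed image boots, including older versions
    'off'    : no verification; behaves like a Mac without the security chip
    """
    if policy == "off":
        return True, "verification disabled"
    if policy not in ("full", "medium"):
        raise ValueError(f"unknown policy {policy!r}")
    if not signature_valid(image):
        return False, "signature check failed"
    if policy == "full" and image.version < MINIMUM_TRUSTED_VERSION:
        return False, "signed but not a current version"
    return True, "signature valid"


# Constructed sample images exercising each branch of the policy.
CURRENT = sign_image("macOS", (10, 14), b"current release payload")
OLD = sign_image("macOS", (10, 12), b"older release payload")
TAMPERED = OSImage(CURRENT.name, CURRENT.version, CURRENT.payload + b"x", CURRENT.signature)
UNSIGNED = sign_image("other-os", (1, 0), b"third-party payload", signing_key=b"not-the-vendor")

if __name__ == "__main__":
    for label, img in (("current", CURRENT), ("old", OLD), ("tampered", TAMPERED), ("unsigned", UNSIGNED)):
        for mode in ("full", "medium", "off"):
            print(label, mode, boot_allowed(img, mode))
```

Note that `off` accepts even the tampered image: that is precisely the trade-off the utility exposes, and the reason the article frames the “medium” setting as the compromise for running older releases rather than disabling verification outright.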

Aside from secure boot, the T2 has another core security function, one which could be even more important to data protection-minded computer users.

“The new T2 chip also provides a built-in hardware encryption engine that encrypts all of the data stored on the solid-state drive (SSD) with a unique security key on each Mac,” explained James Plouffe, strategic technologist at MobileIron, a mobile security specialist. “This means that all of the data on a Mac can only be read by that Mac, even if the SSD is removed. This adds another layer of security for enterprise data.”

Data encryption is not new to the Mac platform, it should be said: Apple has offered various flavors of its FileVault technology for several years. The advantage of the T2 chip comes from its dual function as a storage controller as well as an identity and encryption manager.

The T2 chip encrypts and decrypts data on the fly with, Apple says, no loss in performance. The encryption uses the AES-256 standard, which is the same used on iOS devices. The T2 sits between Apple’s NVMe storage chips and the Intel processor, and makes use of the native encryption functions in the Apple File System (APFS). This combination makes permanent, entire disk encryption realistic, according to Derrick Donnelly, chief scientist at BlackBag Technologies, an IT forensics firm.

“Encryption is on by default even if the user has not turned on FileVault; Apple is using encryption at rest,” said Donnelly. “Apple is using a new raw memory drive, with a new interface and no PCIe controller, and it talks directly to the T2 chip.”

The T2 also has one more trick to play. Apple’s technology combines a unique identifier from the T2 chip with the Mac owner’s password, and uses this as the basis for the storage encryption keys.

In simple terms, this prevents anyone from accessing the content of the NVMe storage chips, unless they have the user’s credentials and access to the Mac’s original T2 chip.

As long as users turn FileVault on, this makes it extremely unlikely that anyone could access the data in storage files by attempting to hack into the physical storage components, according to researchers at Duo, a security vendor now owned by Cisco.
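The property described in the last three paragraphs, that the stored data is unreadable without both the user’s password and the original chip, can be shown with a small key-binding example. This is added illustrative code, not Apple’s implementation: the device identifiers, the PBKDF2 iteration count, the salt handling and the `provision`/`unlock` helpers are constructed for the example, and the key-wrapping cipher is a toy HMAC-based stream with an authentication tag standing in for the hardware AES engine the article mentions. What it demonstrates is the structure: a random per-volume key is wrapped under a key derived from the device secret and the password, so moving the drive to another device, or guessing the wrong password, yields a refusal rather than plaintext.

```python
"""Binding a volume key to a device-unique secret plus the user's password.
Added example; the wrapping cipher is a toy, not the AES engine in the T2."""
import hashlib
import hmac
import os

# Constructed sample values: a per-device secret as if fused into the security chip,
# and a second device to stand in for a drive moved to another machine.
DEVICE_A_UID = hashlib.sha256(b"constructed device A uid").digest()
DEVICE_B_UID = hashlib.sha256(b"constructed device B uid").digest()
PBKDF2_ROUNDS = 200_000  # assumption: iteration count chosen for this example


def derive_kek(device_uid, password, salt):
    """Key-encryption key: stretched password mixed with the device secret via HMAC."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Toy keystream: HMAC-SHA256 in counter mode. Illustrative only, not AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_volume_key(kek, volume_key):
    """Encrypt-then-MAC wrap of the volume key under the KEK."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(volume_key, _keystream(kek, nonce, len(volume_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_volume_key(kek, blob):
    """Return the volume key, or None if the tag does not verify under this KEK."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong device or wrong password: refuse rather than emit garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def provision(device_uid, password):
    """Create a fresh random volume key and store it wrapped for this device+password."""
    salt = os.urandom(16)
    volume_key = os.urandom(32)
    record = {"salt": salt, "wrapped": wrap_volume_key(derive_kek(device_uid, password, salt), volume_key)}
    return record, volume_key


def unlock(device_uid, password, record):
    return unwrap_volume_key(derive_kek(device_uid, password, record["salt"]), record["wrapped"])


def demo():
    """Exercise the three cases the article describes; every value should be True."""
    record, vk = provision(DEVICE_A_UID, "correct horse battery staple")
    return {
        "same_device_right_password": unlock(DEVICE_A_UID, "correct horse battery staple", record) == vk,
        "same_device_wrong_password": unlock(DEVICE_A_UID, "wrong password", record) is None,
        "moved_drive_right_password": unlock(DEVICE_B_UID, "correct horse battery staple", record) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The check that matters for recovery and forensics, the downside Donnelly raises later in the article, is visible here: the wrapped record on the drive is useless on its own, so the only way back to the data is the original device together with the password.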

Apple Security in the Wider World

Apple of course is not alone in bringing hardware security to its devices, and in some ways, it’s playing catch up both with the Windows PC market, and with its own iOS devices. Trusted Platform Modules (TPMs), support for two-factor authentication and Intel’s vPro chipset – offered widely in business-oriented laptops – already do much of what Apple is setting out to do with T2.

So is Apple up to snuff now? While the T2 may also introduce potential downsides (BlackBag Technologies’ Donnelly cautions that upgrade options, data recovery and even law enforcement access to data could become more difficult as Apple moves its systems to T2), Apple’s hardware-based encryption is scoring high marks with researchers.

“By taking their proven success and leadership on the iOS platform with respect to security and privacy, Apple has been able to fast-track catching up with competing platforms that already implement modern hardware security features,” says Pepijn Bruienne at Duo.

In all, T2 technology could be a significant step forward for anyone who needs a secure computing platform. Just remember to keep that lid closed.