Between 2017 and 2021, Apple released a number of Mac models equipped with the T2 chip, a special processor used to secure the boot sequence, manage SSD storage and keep encryption keys safe from the rest of the system.
One improvement that T2 machines offered over older models was that it was effectively impossible to guess your password. This was because the chip limits the number of guesses you can make, preventing the use of traditional ‘brute force’ methods in which thousands of guesses are made in rapid succession.
But now it seems the T2 has a security flaw that allows attackers equipped with the right software to bypass the feature that prevents multiple guesses. In fact, Passware, a company that sells password-cracking software, has begun offering T2 unlocking to police and other government agencies, according to reports.
There are still obstacles for attackers faced with a T2 machine. Traditional brute-force attacks generally manage tens of thousands of guesses per second, but with the T2 you’re limited to 15 per second. If the Mac owner has chosen a short or commonly used password, a Passware user will be able to guess it fairly quickly – 9to5Mac quotes around ten hours for six characters, and attackers will use dictionaries of popular passwords to prioritise their guesses – but T2 Macs protected with reasonably strong passwords should remain virtually unhackable.
This isn’t the first issue to be raised with the T2 chip. Back in 2020, a Belgian security researcher claimed to have found a serious vulnerability which could be used by hackers to bypass passwords and encryption. And we’ve also covered reports that the chip is a nightmare for Mac repairers.
How does this affect me?
The first question is this: has your Mac got a T2 chip? The list of such devices includes the iMac Pro, the 2019 Mac Pro, the 2018 Mac mini and various MacBooks from 2018, 2019 and 2020. Apple has a full list on its website.
If your machine is affected, you can reduce the risk by following security best practices, which may mean switching to a longer, rarer or simply harder-to-guess password.
Just like on the iPhone (which has similar protection), our recommendation remains to choose a password that is long enough to take too long to guess even if security flaws like this are found. Try combining four or five random words, for example, and remember to use some special characters and numbers. Read What is a good password? for more advice.
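To put the numbers above in perspective, here is an added worked example (not from the article or from Passware) that estimates the worst-case time to try every candidate password at the T2's roughly 15 guesses per second versus an assumed unthrottled rate. The only figure taken from the article is the 15 guesses/second; the 10,000/s unthrottled rate, the 500,000-entry common-password list and the 7,776-word passphrase list are constructed assumptions for illustration.

```python
# Added example: how much protection a guess-rate limit buys, and why a
# passphrase of several random words holds up even at high guess rates.
from math import log2

T2_RATE = 15.0               # guesses/second the article quotes for T2 Macs
UNTHROTTLED_RATE = 10_000.0  # assumed rate for an unthrottled offline attack


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for an exhaustive search over a character set."""
    return charset_size ** length


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Number of candidates for a passphrase of `words` words from a list."""
    return wordlist_size ** words


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return candidates / rate


def entropy_bits(candidates: int) -> float:
    """Search-space size expressed in bits of entropy."""
    return log2(candidates)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(label: str, candidates: int) -> None:
    """Print entropy and exhaustion time at both guess rates."""
    t2 = human(seconds_to_exhaust(candidates, T2_RATE))
    fast = human(seconds_to_exhaust(candidates, UNTHROTTLED_RATE))
    print(f"{label:<36} {entropy_bits(candidates):5.1f} bits  "
          f"T2: {t2:>14}  unthrottled: {fast:>14}")


if __name__ == "__main__":
    report("500,000 common passwords (list)", 500_000)   # constructed list size
    report("6 chars, lowercase+digits", keyspace(36, 6))
    report("8 chars, printable ASCII", keyspace(95, 8))
    report("4 random words (7,776-word list)", passphrase_keyspace(7776, 4))
    report("5 random words (7,776-word list)", passphrase_keyspace(7776, 5))
```

Running a 500,000-entry dictionary at 15 guesses/second comes out at roughly nine hours, in line with the ten-hour figure quoted above, while a four-word passphrase from a 7,776-word list sits above 50 bits and takes thousands of years even at the unthrottled rate.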
This article originally appeared on Macworld Sweden. Translation (using DeepL) and additional reporting by David Price.