Hot Topics

Home » Cybersecurity » SBN News » Apple T2 security chip has Touch ID, Security Enclave, hardware to prevent microphone eavesdropping, amongst many other features!

Apple T2 security chip has Touch ID, Security Enclave, hardware to prevent microphone eavesdropping, amongst many other features!

by Melisha Dsouza on October 31, 2018

Apple’s special event held in Brooklyn yesterday, saw the unveiling of a host of new hardware and software including the MacBook Air 2018 and the Mac mini. Along with this, Apple also published a complete security overview white paper that minutely lists the details of its T2 security chip incorporated into the Mac mini and MacBook Air. The chip disconnects the device’s microphone when the laptop is closed. It also prevents tampering of data while introducing a strict level of security for its devices.

Let’s look at features of this chip that caught our attention.

#1 Disabling the microphone on closing the laptop

One of the major features of the T2 chip is disconnecting the device’s microphone when the laptop is closed. The chip first introduced in last year’s iMac Pro, is upgraded to prevent any kind of malware from eavesdropping on a user’s conversation once the laptop’s lid is shut. Apple further notes that the camera is not disabled because, the field of view of the lens is completely obstructed while the lid is closed

#2 Security Enclave

The Secure Enclave is a coprocessor incorporated within the system on chip (SoC) of the Apple T2 Security Chip. IIt provides dedicated security by protecting the necessary cryptographic keys for FileVault and secure boot. What’s more? It processes fingerprint data from the Touch ID sensor and checks if a match is present. Apple further mentions that its limited function is a virtue: “Security is enhanced by the fact that the hardware is limited
to specific operations.”

#3 Storage Encryption

The Apple T2 Security Chip has a dedicated AES crypto engine built into the DMA path between the flash storage and main system memory. It makes it really efficient to perform internal volume encryption using FileVault with AES-XTS .

Sponsorships Available

The Mac unique ID (UID) and a device group ID (GID) are AES 256-bit keys included in the Secure Enclave during manufacturing. It is designed in such a way that no software or firmware can read the keys directly. The keys can be used only by the AES engine dedicated to the Secure Enclave.

The UID is unique to each device and is generated completely within the Secure Enclave rather than in a manufacturing system outside of the device. Hence, the UID key isn’t available for access or storage by Apple or any Apple suppliers. Software that is run on the Secure Enclave takes advantage of the UID to protect Touch ID data, FileVault class keys, and the Keychain.

#4 Touch ID

The T2 chip processes the data from the Touch ID to authenticate a user. The Touch ID is a mathematical representation of the fingerprint which is encrypted and stored on the device. It is then protected with a key available only to the Secure Enclave which is used to verify a match with the enrolled information. The data cannot be accessed by macOS or by any apps running on it and is never stored on Apple servers, nor is it backed up to iCloud. Thus ensuring that only authenticated users can access the device.

#5 Secure Boot

The T2 Security Chip ensures that each step of the startup process contains components that cryptographically signed by Apple to verify integrity. The boot process proceeds only after verifying the integrity of the software at every step. When a Mac computer with the T2 chip is turned on, the chip will execute code from read-only memory known as the Boot ROM. This unchangeable code, referred to as the hardware root of trust, is laid down during chip fabrication and audited for vulnerabilities to ensure all-round security of the process.

These robust features of the T2 chip is definitely something to watch out for. You can read the whitepaper to understand more about the chip’s features.