T2 Mac… Another Day, Another Hack

Another day, another hack. And it’s not just a Windows thing. Apple has had its fair (or unfair) share of malware, ransomware and physical hacks visit our beloved silver capsules of computing goodness.

Mac hardware spending is up in both the consumer and enterprise space, driven largely by remote workers. And as we all know by now, the bad guys don’t care whether you’re at home pounding out beats in GarageBand or a developer with multiple OS VMs shaving milliseconds off refresh times for your company’s next combined phone and web app. They do it because they can, and they are counting on us to have poor physical and digital safeguards.

The hack of the week targets Apple’s T2 security chip in T2-equipped Macs. The gist: an attacker with physical access can hijack the T2’s boot process over the USB-C port (reportedly even from a modified USB-C cable) and gain root-level code execution on the chip itself. MacRumors reports:

“The vulnerability allows for the hijacking of the T2’s boot process to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, it is possible for a hacker to circumvent this check and gain access to the T2 chip.”

And over at 9to5Mac, Ben Lovejoy had a conversation with Team t8012’s Rick Mark that should give us all pause:

“Team t8012’s Rick Mark told me (Ben Lovejoy) that his motivation to participate in the T2 research was because he was convinced it was possible and might already be in use. While the need for physical access to the Mac means it can only be used for very targeted attacks, he suspects that nation-states are using it, and potentially organized crime too.”

What’s the risk?

The stars must align for this hack to occur: the attacker needs hands on the Mac, and the exploit runs over the USB-C/DFU path rather than over the network. But the T2 sits underneath macOS, guarding the keys that protect FileVault and, on these Macs, reportedly mediating keyboard input, so code running on it is another threat vector for harvesting accounts and passwords for anything you hold near and dear: social media accounts, email, banking, etc.

We may have something for you in the enterprise. The exploit targets a flaw in the chip’s boot ROM, which can’t be fixed with a software update, so the practical response is to take inventory of your T2 Macs and put physical and procedural (user-awareness) controls around those assets.

Pretending Mac threats aren’t out there is expensive, not only in lost productivity and financial losses but also in corporate mindshare in the public arena. No one wants to be the next headline or, worse, lose their job for doing nothing because they assumed Macs weren’t susceptible.

From our conversations with prospects and customers, we can deduce that in 95% to 98% of Windows shops, Mac management is either non-existent or left up to end users. In many cases, those amount to the same thing. How many unmanaged Windows devices would you bet your career on? We hope the answer is zero for both Mac and Windows, yet we at Parallels know that is often not the case.

Gain added protection with Parallels Mac Management

So, what’s the first step? Knowledge. After all, you can’t act if you don’t know what you have. Starting with Parallels® Mac Management for Microsoft SCCM version 7.1, we added the ability to report on Trusted Platform Module (TPM) status, which you might think is just a Windows thing. It’s not: Macs don’t carry a discrete TPM, but the T2 fills the same role (Secure Enclave, secure boot, storage encryption keys), and the TPM inventory class records whether a Mac has one.

Just because we said “Mac management” doesn’t mean the process has to look any different from endpoint protection in Microsoft Endpoint Manager Configuration Manager (MEMCM).

Below are a few screenshots from a new knowledge base article created by the Parallels support and dev teams. It was designed to help operations teams work out which numbers to pass on to the people who need metrics in order to draw up corporate policy and responses.

Among many other things, Parallels can report on and manage Macs in MEMCM. We can extend into advanced inventory territory with a native Configuration Manager configuration item (CI), discover the entire T2 Mac footprint and report on it.

The rest is a standard CI deployed in a baseline against a collection of Macs. We provide links to download the queries and scripts, so you don’t have to reinvent the wheel. The reporting will look like this:

If you right-click a Mac device in a collection, go to Start > Resource Explorer and expand the top Hardware node, there will be a TPM section:
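To show what the discovery side of such a CI can look like, here is an added example script. It is not Parallels’ own script or the one linked from the knowledge base article. It assumes (our assumption, not something the page states) that the CI’s discovery step runs a shell script on the Mac and compares what it prints to stdout against the expected value “T2”, and that `system_profiler SPiBridgeDataType` lists the coprocessor as “Apple T2 Security Chip”. The sample outputs at the bottom are constructed for offline checking, not captured from real machines.

```shell
#!/bin/sh
# Added example, not Parallels' own CI script: discovery logic for a Configuration
# Manager configuration item that reports whether a Mac carries a T2 chip.
#
# Assumptions (not from the page): the CI runs this on the Mac and compares its
# stdout with the compliance value "T2"; system_profiler's iBridge section names
# the coprocessor "Apple T2 Security Chip".

# classify_bridge OUTPUT: map the text of `system_profiler SPiBridgeDataType`
# to a compliance value. Anything without the T2 string counts as NoT2.
classify_bridge() {
  case "$1" in
    *"Apple T2 Security Chip"*) echo "T2" ;;
    *)                          echo "NoT2" ;;
  esac
}

# detect_t2: run the real probe where it exists; on a host without
# system_profiler (not macOS, or a broken install) report Unknown so the
# baseline flags it for a human instead of quietly counting it as NoT2.
detect_t2() {
  if command -v system_profiler >/dev/null 2>&1; then
    classify_bridge "$(system_profiler SPiBridgeDataType 2>/dev/null)"
  else
    echo "Unknown"
  fi
}

# Constructed sample outputs (not captured from real Macs) for offline checks.
SAMPLE_T2='Controller:

      Model Name: Apple T2 Security Chip'
SAMPLE_NO_T2='Controller:

      iBridge: N/A'

# When deployed as the CI's discovery script, this line's output is the value
# the compliance rule evaluates.
detect_t2
```

The point of the three-way result (T2 / NoT2 / Unknown) is that a baseline compliance count is only a T2 inventory if “not T2” and “could not tell” are kept apart; the Unknown bucket is what you chase down before handing the numbers to whoever writes the policy.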

For the Windows-dominant enterprise that isn’t a 95% Mac shop, having this data in MEMCM, where you already do most of your endpoint management and reporting, and in the same site database, is just another thing you can say “yes” to on your next quarterly audit: “We know how many Macs we have in general inventory, and how many of those are T2 chipset Macs.”

Parallels can also show you who has logged on to that Mac… But that’s a blog for another day. 

The full T2 Mac write-up can be found here. You can also browse our extensive Parallels Mac Management for MEMCM knowledge base.