The Apple T2 chip is Apple’s second-generation custom security chip for Macs. It provides new security features that could help prevent eavesdropping, and it has been slowly making its way into Apple’s latest devices, most recently the newly announced updated MacBook Air and Mac Mini.
The official ‘Security Overview’ document was recently released by Apple and provides a comprehensive insight into the specifications and functionality of the new T2 chip. By redesigning controllers such as the image signal processor, system management controller and audio controller, the T2 chip provides new security advantages over the previous T1 chip.
First introduced in 2017 with the iMac Pro, the T2 chip allows Apple to carry out a multitude of security tasks, including securely storing and processing sensitive data such as the biometric (fingerprint) data needed for ‘Touch ID’. This is managed by the integrated ‘Secure Enclave’ processor, which features an onboard hardware random number generator and encrypts all of its memory.
The Secure Enclave also enables ‘secure boot’, where each step of the start-up process is checked to verify its integrity. This helps to ensure that software at the lowest level hasn’t been tampered with, so that the Mac is in a ‘trustworthy’ state once it has booted. Partnered with the dedicated ‘AES crypto engine’, the Secure Enclave also helps to provide ‘highly efficient’ encryption of the internal volumes through Apple’s ‘FileVault’ software.
It is worth noting that, with the new SSD controller, the T2 chip automatically encrypts the SSD even if FileVault is disabled. Apple still recommend that FileVault is enabled for increased security: with FileVault disabled, the encrypted SSD will automatically mount and decrypt without a password, so the at-rest encryption on its own does not stop someone who can boot the machine from reading its contents.
A key feature of the T2 is the ability to physically disconnect the microphone on the latest MacBook Air and Pro lines when the laptop’s lid is closed. The disconnect is handled by hardware alone, preventing software-based attacks, such as the ‘FruitFly’ malware, from activating the laptop’s microphone when the user believes the laptop is asleep with the lid closed. Apple hasn’t built in a disconnect for the laptop’s camera, as naturally its view is completely obscured when the lid is closed.
The physical disconnect of the microphone is a step forward, but it doesn’t remove the risk of eavesdropping altogether: whilst the lid of the laptop is open, the microphone functions normally, so the risk is still very much present. However, this is a very good stepping stone towards better overall security and keeping private information private.