Apple’s T2 Chip: Security Must Have or Flawed?

It has been almost a week since Apple unveiled the new MacBook Air in Brooklyn, New York, and the reveal was important for another reason. Apple further revealed that all new notebooks that come with a built-in T2 security chip will now disconnect the built-in microphone at the hardware level when users close their devices' lids. This new feature can be seen as a security enhancement designed to prevent malware from secretly recording users. Secretly recording user conversations using the webcam, for example, has become a staple feature of many spyware and other malware variants over the last several years. While Apple doesn't like to talk about malware, recently there have been quite a few browser hijackers (for example, weknow.ac and nvsearch.club), potentially unwanted applications (for example, Advanced Mac Cleaner and Mac Cleanup Pro) and adware (for example, CoinTicker and MacOSDefender) targeting the macOS operating system.

What Does Apple Have to Say About the Chip?

In a white paper detailing the new chip's features, Apple had the following to say:

“All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures that the microphone is disabled whenever the lid is closed…This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed.”

In summary, for those not wanting to read the entire white paper, the T2 is a secure co-processor that is embedded in the latest Apple devices. It operates separately from the main CPU and is used exclusively to handle encryption-related operations in a secure, hard-to-tamper chipset. On the newest Macs, T2 chips are the foundation for new features like the APFS encrypted storage system, a more robust secure boot process, and Touch ID authentication. The T2 is not as new as one might expect. Apple started shipping products with its new T2 security chip in January this year. The iMac Pro and the MacBook Pro models from 2018 already come with the new T2 chips installed.

It is important to note that what Apple terms its portable products, namely iPhone and iPad, will not have the new feature. This is because the hardware disconnect will only work on products with lids, such as the MacBook Pro and MacBook Air. Although the feature began shipping in January, it was not mentioned in a white paper published in January. Security researchers believe that the new feature was likely added to prevent malware or intrusive apps from secretly recording users when they close their lids. With the lid closed the OS runs in a suspended state, and malware could still be activated to record conversations. Researchers have had to work this out for themselves, as Apple has not yet spelled it out directly.

Apple did, however, say that the T2 chip was not configured to disconnect the camera at the hardware level in the way it does the microphone, as the camera’s field of view is naturally obscured while the lid is closed. It would seem that the security measure is designed only to protect users while the lid is closed. At other times, users will have to rely on an antivirus capable of detecting running malware, or on apps designed to notify the user when a process attempts to access the device’s microphone or camera.

Security Must Have or Flop

It is this aspect of the security enhancement, that it only protects users while the lid is closed, that some experts are questioning. The Hacker News’ Mohit Kumar, in an article published on the popular cybersecurity news website, questions the ultimate usefulness of the feature. Kumar argues that although the feature is excellent in that it makes it impossible for malware to access the built-in microphone when the lid is closed, it does nothing to protect users when they are most vulnerable, that is, when they are actually working on the device.

Users will still be susceptible to malware attacks to almost the same extent they were before. The Hacker News article mentioned above gave the example of the FruitFly malware strain, discovered by researchers in January of this year, which is capable of secretly turning on a MacBook's camera and microphone to record video and audio when the laptop lid is not closed. Kumar further argued that such a hardware disconnect feature would be far more useful if it offered users a manual switching option. This manual option would allow users to disable their device's camera and microphone whenever needed.

Not All Bad

While some have raised legitimate questions as to the usefulness of the hardware disconnect feature, the T2 chip does have some other great features. These include the Secure Enclave coprocessor that protects users’ MacBook encryption keys, fingerprint data, and secure boot features. In conjunction with the Touch ID feature, the T2 will, according to Apple, provide “a level of privacy and security protections never before seen on Mac.” It is not only security that the chip has prioritized. The T2 also boasts an image signal processor that enables enhanced tone mapping, controls the ambient sensor, the system management controller (SMC), white balancing to the FaceTime HD camera, Apple video encoder, audio controller, and enables “Hey Siri.”

While the T2 boasts a “never been seen before” level of protection, the true value of the new security features will not be seen in the anti-eavesdropping hardware disconnect. Rather, it is in the Secure Enclave coprocessor that lasting value will be found. Another upshot of Apple including new security features is an acknowledgment that Macs are susceptible to malware attacks, and the myth of their invulnerability can be put to bed once and for all.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
