A company that makes a password cracking tool says that a new vulnerability found in the Mac T2 chip allows it to brute force passwords and decrypt a device.
Apple's T2 chip, among other features, allows a Mac user to encrypt and decrypt data on their SSD. That encryption is bolstered by other security features, like a limit on the number of password attempts to mitigate brute force attacks.
Because a Mac's password isn't stored on its SSD, bypassing this encryption meant that an attacker would need to brute force the decryption key, which could take millions of years. However, a company called Passware says it can now defeat this security mechanism.
Passware's unlocking tools were previously able to crack passwords on Macs without the T2 chip. However, earlier in February, the company quietly announced an add-on to the latest version of the software can bypass the brute force mitigation protections on a T2 chip.
That module available for the Passware tool apparently exploits a new T2 chip vulnerability to circumvent the password attempt limit. The end result is that an attacker can apply a password dictionary and brute force a Mac's password, allowing them to potentially decrypt the device's data.
Passware-enabled attacks are slow, however. The company's password cracking tool can guess 15 passwords per second. If a user's password is relatively long, brute forcing a Mac could still take thousands of years. Shorter passwords are more vulnerable, with a six-character password crackable in about 10 hours.
The company is also offering a dictionary of about 550,000 commonly used passwords alongside a longer dictionary of about 10 billion passwords.
Password's T2-bypassing tool is available both to government customers and companies that can provide a valid justification for its usage. It costs $1,990.
Brute forcing a Mac's password requires physical access to your device, so the feature isn't going to be a significant concern for most users. Users who lock down their Mac with a longer and strong device password can also rest easy knowing that a brute force attempt could take thousands of years.