
Can you describe a scenario where Touch ID is safe against evil maid attacks (say, a chip is installed allowing anyone to transmit a certain signal that spoofs Touch ID) while also allowing unrestricted modifications by someone with physical possession of the device (as this T2 rooting post celebrates)?

Right now, that security is provided by Apple crypto-locking the Touch ID sensor to the T2 chip so that it cannot be modified to allow unauthorized access without being disabled altogether.

With the ability to bypass the restrictions of the T2 OS, that protection is stripped away, and replaced by ... nothing, as far as I can determine.

This is akin to removing your car’s electronic anti-theft system because it requires OEM keys. Sure, you can do so, but your car is a lot easier to steal, too. Only it’s not your car here, it’s your computer and all personal data on it, and all SSH keys you use to access remote servers, too.

I’m all for repairability but it’s worrying that the tech community is so invested in removing a padlock that offends them that they set aside security and risk issues in favor of rooting without addressing it at all. If this complete lack of interest in device security is the best we can do, we don’t deserve repairability, and we don’t deserve root.



I do not understand why you find it worrying that the tech community is invested in removing a restriction IN THE OPEN. If it can be removed for nefarious purposes, eventually, someone will do so and sell the exploit on the zero-day market (probably to a state actor). The existence of the vulnerability is just a fact; it is reality. Why do you feel safer not knowing about it? Whether you know about it or not, the vulnerability is still there.


I do not ‘feel safer not knowing about it’. I feel safer knowing how to DFU a T2 Mac, though. It’s turning out to be very useful knowledge over time. I encourage you to learn how too.


Allow the users to install their own keys. Changing keys invalidates all encrypted/secured data. Which means you have to export the data if you do hardware changes and reimport it after supplying your own. Once you have your own keys installed you could sign additional hardware with them.

If Apple is a viable root of trust then you yourself should be too. There's nothing magical that only Apple can do.


I believe that Apple is burning their cryptographic key into read-only memory, so they would need to build out a read-write pipeline and provide a secondary keystore option for "non-default" users that is writable by the hardware itself. That's a tall ask, but it's feasible, so we're good so far. The benefit to expert users with crypto competence is clear.

How would this benefit third-party repair shops, though?


The point is that you'd back up the keys in advance (when you initially set up the machine) and when the machine dies and your T2 is fried the repair shop can just replace it with a new T2, load the backed-up keys into it and give you back your machine with the data intact.
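The owner-root design sketched across the last three comments (a sensor is accepted only if a trusted root signed its identity, installing your own root invalidates data sealed under the old anchor, and backed-up keys loaded into a replacement chip bring the data back) as an added toy model; this is not Apple's design or code from the thread. It assumes Lamport one-time signatures and a SHA-256 counter stream as stand-ins for the real primitives, and every class, method and identifier here is hypothetical.

```python
"""Toy model of a T2-style chip with an owner-installable root of trust.
Added illustration, not Apple's design: Lamport one-time signatures and a
SHA-256 counter stream replace the real primitives; all names are made up."""
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport: 256 pairs of 32-byte secrets; public key = their hashes. One signature per key.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def verify(pk, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

def stream(key, data):
    # SHA-256 in counter mode; XOR is its own inverse, so this both seals and unseals.
    ks = b"".join(H(key + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

class T2:
    def __init__(self, vendor_pk):
        self.vendor_pk = vendor_pk     # burned in at the factory, read-only
        self.uid = os.urandom(32)      # per-unit secret that dies with the chip
        self.user_root = None          # optional writable (pk, secret) keystore
        self.sealed = None             # the encrypted blob that lives on the SSD
    def install_user_root(self, pk, secret):
        self.user_root = (pk, secret)  # the owner backs these two up at setup time
        self.sealed = None             # rekeying invalidates anything sealed before
    def data_key(self):
        # Default anchor is the per-unit secret; with an owner root it is the owner's secret.
        anchor = self.user_root[1] if self.user_root else self.uid
        return H(b"data-key" + anchor)
    def accept_sensor(self, sensor_id, cert):
        # A sensor pairs only if its identity carries a signature from a trusted root.
        roots = [self.vendor_pk] + ([self.user_root[0]] if self.user_root else [])
        return any(verify(pk, sensor_id, cert) for pk in roots)
    def store(self, plaintext):
        self.sealed = stream(self.data_key(), plaintext)
    def export(self):
        return None if self.sealed is None else stream(self.data_key(), self.sealed)
```

Run through in order: pair a vendor-signed sensor, export, install your own root (sealed data is gone), re-import and sign a spare sensor with your root, then load the same root and secret into a fresh T2 object to read the old blob back.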



