Who needs Ventura’s Accessory Security?

If you think software exploits aren’t scary enough, what about hardware threats? We don’t hear as much about them, but when they are revealed they seem capable of bypassing the most fundamental protection.

Take checkm8 as an example. Nearly two years ago, an exploit previously used to jailbreak iOS devices was turned against the T2 chip trusted to improve the security of most recent Intel Macs. In this version of the exploit, the attacker needs physical access to the Mac, so they can connect a custom USB-C device to it. Once that’s done, they can put the T2 chip into DFU mode, normally used to restore its firmware, run the checkra1n exploit, install a keylogger, then gain access to that Mac. This was all explained on MacRumors and other sites at the time, and even now there’s no effective defence against it.

Other hardware exploits extend to Apple silicon models as well. One of the less well-known features of Thunderbolt 4 is that it’s required to protect against direct memory access (DMA) attacks which are part of an exploit known as Thunderspy, also published two years ago. This time the attacker needs a custom Thunderbolt 3 device and five minutes alone with your Mac. At the end of that, they can copy all your data, even when its internal SSD is encrypted and the Mac is locked.

Unfortunately, the mitigation added to Thunderbolt 4 isn’t a complete solution for Thunderspy. Because it isn’t a single vulnerability, but seven, blocking the DMA attack still leaves other routes for exploitation. With improving security against other forms of attack, hardware exploits are commercially valuable, and increasingly attractive to government security agencies and law enforcement. Because most are burned into hardware, they usually can’t be fixed retrospectively in existing chips and computers.

I’m sure that you also rationalise these fears away by telling yourself that no one would get near your Mac armed with anything like those custom USB-C or Thunderbolt devices. But what if it’s a notebook, and you fall asleep on the train while using it? Or it’s misplaced or stolen?

macOS Ventura is introducing Accessory Security, enabling you to set your M1 or M2 notebook Mac so that it won’t work with USB or Thunderbolt peripherals connected to it which you haven’t authorised. In the first instance, this only works on notebook models, MacBook Airs and Pros, not (yet) on desktop Macs like the mini, iMac or Studio. It also doesn’t apply to some classes of peripherals, such as power adaptors, or standalone displays, nor to anything connected to a hub which you’ve already approved.

Ventura’s System Settings let you choose whether you want this approval to be required whenever a peripheral is connected, only for new and unapproved devices, or to disable protection altogether. If you choose to require approval only once, those approvals should persist across macOS updates, and hopefully with updates to any software drivers required.

However unlikely you may think a hardware exploit might be for your Mac, Accessory Security is going to prove valuable protection for many Mac users, and probably the best answer to this type of attack. It will be interesting to see how effective it is against the likes of Thunderspy and future exploits. It may seem a small change to security, but could prove vital for some.