
It appears Apple may be unable to recover data from failed 2018 MacBook Pros - okket
https://www.macrumors.com/2018/07/22/2018-macbook-pro-lacks-data-recovery-port/
======
eridius
The summary here is the T2 chip provides custom hardware encryption for the
SSD, which makes recovery impossible (and so they removed the data recovery
port because what's the point in having it?).

So remember, backups are important!

~~~
mattnewton
Also a reminder that Apple really does seem to care about privacy, in ways the
average user isn’t likely to understand / appreciate.

~~~
alerighi
The T2 chip, for what I understand, is a proprietary CPU that executes
proprietary software; how can you consider that secure? It's no different
from the Intel ME in that sense, just another secondary processor that has
access to all the hardware on the computer and that runs code that the user
cannot control.

Also from a security perspective it's not good: the main principle of
cryptography is that the only secret needed to decrypt something should reside
with the user, not in the obscurity of the algorithm or the hardware, so a
perfect encryption is one where, when you turn on your laptop, you have to
enter a 30-character strong password that only you know, like LUKS on Linux:
no obscure hardware, no proprietary software. The laptop breaks? Take out the
SSD, put it in another Linux computer, enter your secret password, and recover
the data.

This system is NOT secure: if someone finds a flaw that permits extracting the
key from the T2 chip, and it's only a matter of time and resources before
someone does, your data is no longer protected; they can decrypt and extract
what they want. We must not consider secure any encryption system that
doesn't depend on a secret that only the user knows.

~~~
jsjohnst
> This system is NOT secure

Let me tell you a secret: there is nothing truly secure in the world. Only
things which haven’t had a vulnerability found for them.

> It's not different from the Intel ME

The important sense that matters is Intel ME has been found vulnerable (highly
vulnerable in fact). The T2 hasn’t. Should we be skeptical of black boxes?
Most assuredly! But calling it equivalent to something found to be flawed in
serious ways is a bit premature at best, or grossly negligent at worst.

> the main principle of cryptography is that the only secret to decrypt
> something should reside in the user

I don’t know about you, but to me the “main principle of cryptography” is to
_prevent unauthorized parties from knowing the contents of the data_. I
guess we are allowed to make up any statement that furthers our cause, though,
when that suits us.

> if someone finds a flaw that permits to extract the key from the T2 chip,
> and it's only a matter of time and resources before someone does it, your
> data is no more protected, they can decrypt and extract what they want

Your password is part of the process; the extra stuff done in the T2 is just
that, extra. So _extracting from the T2_ gives you nothing without the user’s
password, which is needed to unlock the secret encryption key for the drive
(assuming FileVault is enabled[0], and if you didn’t enable it, then why do you
have an expectation of security at all?).

[0] [https://support.apple.com/en-us/HT208344](https://support.apple.com/en-us/HT208344)

~~~
devwastaken
> Let me tell you a secret, there is nothing truly secure in the world.

My VCR is pretty secure. CRT monitor, too. Even my headphones are nicely
secure.

> The important sense that matters is Intel ME has been found vulnerable
> (highly vulnerable in fact). The T2 hasn’t.

There's your fallacy. Just because the T2 hasn't doesn't mean it can't or
won't. You even just said it: 'Only things which haven’t had a vulnerability
found for it.' The problem is that proprietary embedded hardware of a dynamic
nature leads to irreversible possibilities of exploitation at a hardware
level. ME is a very, very good reason not to trust.

> I don’t know about you, but the “main principle of cryptography” is to
> prevent unauthorized parties from knowing the contents of the data to me.

Cryptography is not about obfuscation layers on top of cryptography.
Cryptographic security is math, not logic. Anything further is about
hiding intentions, making the cost of entry to finding exploitation higher. The
cost of entry makes it hard for white hats to find exploits before the market
does.

> Your password is part of the process, the extra stuff done in the T2 is just
> that, extra.

Or is it? Have you looked at the firmware? Neither you nor I can, so you cannot
claim what it's actually doing. But we do know that it's a proprietary chip
capable of lots of fun.

Also user passwords are trivial to get, and there's always the possibility
that the chip is storing the user password itself. Again, can't know, that's
up for the black hats now.

~~~
pwinnski
A long time ago, I was told a story by a Navy Radioman--a specialty which no
longer exists. As a demonstration of TEMPEST, someone parked a van at the end
of a pier and after a few hours presented to the crew of the ship a log of
everything that had been done electronically on the ship. Not just the
transmitted traffic, either, but things that they had apparently been able to
construct from the CRT displays in use at the time. At a distance.

I don't think your VCR, CRT monitor, or headphones are nearly as secure as you
think they are. You might not care about their vulnerability to a
sufficiently-motivated actor, but someone else might.

~~~
Someone
[https://en.wikipedia.org/wiki/Van_Eck_phreaking](https://en.wikipedia.org/wiki/Van_Eck_phreaking):

_"In the paper, Van Eck reports that in February 1985 a successful test of
this concept was carried out with the cooperation of the BBC. Using a van
filled with electronic equipment and equipped with a VHF antenna array, they
were able to eavesdrop from a "large distance". There is no evidence that the
BBC's TV detector vans actually used this technology, although the BBC will
not reveal whether or not they are a hoax._

_Van Eck phreaking and protecting a CRT display from it was demonstrated on an
episode of Tech TV's The Screen Savers on December 18, 2003."_

------
Dunedan
What people criticizing this seem to miss is that it's exactly the same
situation as for SSDs which include hardware full disk encryption (FDE):

If the processor inside the SSD responsible for encryption/decryption breaks,
you can't recover the data anymore either.

What would be the processor inside the SSD is the T2 chip in the current
MBPs. It even exposes the same interface (NVMe) to the rest of the system as
the processor of an SSD does.

The only differences are that the T2 chip has some additional responsibilities
in addition to handling the storage and its encryption, and that the board
carrying the T2 chip and the flash chips is larger (as it's the motherboard)
and might not be as sealed against environmental impacts as that of an SSD
(which could mean a higher risk of failure).

~~~
makomk
If I'm understanding the article correctly, they can't recover users' data
even if both the T2 chip and the NVMe storage are working - the entire laptop
needs to be functional in order for them to get data off. Any failure of any
important mainboard component leads to complete data loss.

------
vertwo128
Ironically (is that the correct usage?) this actually makes it appealing to
me.

Whenever I take a laptop in to be serviced, I always remove the hard drive and
replace it with an old one that has a new Linux or Windows install on it.

This is mainly for privacy reasons.

When I got my MBP, I knew you couldn't do that, so I basically used it as a
thin client, storing all my data elsewhere. However, I was still uncomfortable
enough when I did need to turn it in for servicing that I spent extra time and
formatted it beforehand.

And yes, I encrypt all the drives, but I've heard of instances where the tech
will ask for passwords.

~~~
SyneRyder
_> I've heard of instances where the tech will ask for passwords._

I've experienced this at the Apple Store when taking a Mac in for repairs.
They refused to fix it if I didn't give them the password, even though it was
under warranty. There's even a dedicated field for typing in your login
password on the iPads the Apple Genius gives to you when submitting your Mac
for a repair.

~~~
ukblewis
When I took my MacBook Air in for repair with a UEFI password, they carried
out the whole repair and just asked me to type my password when I arrived to
collect it and ran a diagnostic on the machine to verify the computer was
working. You shouldn’t need to tell/give an Apple Genius your password.

------
linker3000
I always consider any laptop/desktop device as 'disposable'; when I am
'connected', my auto-saves and final saves are synced to online storage, and
if I am out-and-about, I can double-save to an encrypted USB memory stick or a
locker on my phone.

~~~
lisper
> I always consider any lap/desk top device as 'disposable'

An MBP is a mighty expensive disposable.

~~~
jonknee
Well if you were needing the recovery feature of older models you were already
in an expensive situation...

------
mschuster91
Well, yet another reason to stick with the older MacBooks: you can always put
your SSD in another MacBook and unlock the FileVault encryption. Time Machine
is nice, unless you're dealing with gigabyte-sized files... be it Photoshop,
After Effects or whatever.

------
RantyDave
So, hang on, did they used to be able to bypass the disk encryption? Surely
they just moved it block for block?

~~~
INTPenis
Accessing the data does not mean decrypting it. I'm just guessing here but
they probably had to rely on the client's password after they had access to
the data.

~~~
jakobegger
And presumably that no longer works, because only the T2 chip on the logic
board can decrypt the data. Dumping the raw contents of the SSD is now
pointless.

------
pmlnr
That's the cost of hw encryption and the reason why I'm using LUKS.

~~~
jacobush
How about LUKS on top of hardware encryption?

~~~
BuildTheRobots
> How about LUKS on top of hardware encryption?

I don't understand what you're trying to achieve or what you think the parent
was trying to achieve either.

Parent is saying they _don't_ use hardware encryption because it makes
recovery impossible. With LUKS I can throw the disk into any PC that has a
port for it, boot from a Linux USB and get my data.

If I'm using _both_, then I get the worst of both worlds! It's slower and I'm
using more CPU, yet if the worst happens I still can't get my data back as the
hardware encryption still scuppers me.

------
tzahola
While I welcome the privacy implications of this, I don’t see why recovery
wouldn’t be possible if the T2 chip and the SSD are intact?

~~~
jakobegger
In that case, target disk mode presumably works and you don't need a special
recovery port?

~~~
dingo_bat
T2 and SSD can be intact and other stuff in the motherboard may be fried.
Would target mode work in that case?

~~~
jakobegger
I guess it depends on what exactly is "fried"? I assume that the CPU is needed
for target disk mode, but maybe a faulty GPU wouldn't matter?

But to be honest I have no idea -- I'm a software developer and I know very
little about hardware.

------
Krowbart
Another HN thread where valid complaints get downvoted. That’s why this is a
toxic board; we can’t have adult conversations here.

Most people want their data protected or recoverable. Most want a computer
with a variety of ports, specifically for our existing peripherals. Most don’t
care about a MILLIMETER of thickness, it’s not worth it.

Online syncing is not a solution to everything. Shame we can’t discuss the
issues here.

~~~
Lio
Of course we can discuss it but if you passionately throw around opinions like
"most people want" as if they were facts without reference to supporting
evidence then people will probably vote you down.

You're also making the strawman argument that removing the recovery port was
done to save millimetres of thickness and that's clearly false because the
2018 laptop is the same size as the 2016-2017 MacBook Pro which includes the
port.

For the record I'm not convinced by the current Apple lineup so I haven't
upgraded but that is a different discussion.

------
jezfromfuture
They can't on the 2015, 2016, 2017 MacBooks either. Tbh Apple have gone
down the shitter in the last few years.

------
cbluth
I'll say that these are no longer "Pro" devices.

~~~
hrktb
Arguably losing data from the laptop is more of a consumer issue.

“Pro” users will be more inclined to have a workflow to mitigate hardware
failure.

~~~
IntelMiner
It should not be up to the user to mitigate flawed hardware design.

~~~
jacobush
It looks like excellent design, encryption is working even against Apple as an
"attacker". Right?

~~~
WalterSear
It's a specious reason, and disingenuous dissembling. There's nothing about
encryption that precludes low-level duplication.

This is just something "you don't need" because they would rather shave another
millimeter off the width, for the larger and more lucrative fashion-focused
part of their customer base.

~~~
adt2bt
What? This isn’t about the size of the laptop. The 2018 model is the same
size.

The T2 chip on the logic board contains the decryption key for the SSD.
Therefore, if the logic board breaks (and thus the T2), the data are
irrecoverable.

The design choice was either software encryption and data exfiltration port or
hardware encryption and no port. They chose to add hardware encryption, so no
port.
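The key hierarchy that jsjohnst and adt2bt describe above, as an added example that is not from the thread or from Apple: a toy model in which the volume key is wrapped either under a password-derived key alone (LUKS-like, so the disk can be moved to any machine) or under that key bound to a secret that never leaves the chip (T2-like, so a dead or swapped board makes the same password useless). Apple's actual T2 key hierarchy is not public, so the binding step, the function names and the stdlib-only key wrap (a stand-in for a real AEAD) are all assumptions here.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor, illustrative only

def derive_kek(password: bytes, salt: bytes, device_secret: Optional[bytes]) -> bytes:
    """Key-encryption key. LUKS-like: the password alone determines it. T2-like
    (assumed model): the password-derived key is bound to a per-chip secret."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)
    if device_secret is None:
        return pw_key
    return hmac.new(device_secret, pw_key, hashlib.sha256).digest()

def wrap_key(kek: bytes, volume_key: bytes) -> bytes:
    """Toy wrap of a 32-byte key: XOR with an HMAC keystream, then an HMAC tag."""
    stream = hmac.new(kek, b"keystream", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()

def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Volume key, or None when the KEK is wrong (bad password, missing/other chip)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hmac.new(kek, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def make_header(volume_key: bytes, password: bytes, device_secret: Optional[bytes] = None) -> dict:
    """What sits on the flash: a salt and the wrapped volume key."""
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": wrap_key(derive_kek(password, salt, device_secret), volume_key)}

def recover(header: dict, password: bytes, device_secret: Optional[bytes] = None) -> Optional[bytes]:
    """What a technician holding the flash contents plus the user's password can do."""
    return unwrap_key(derive_kek(password, header["salt"], device_secret), header["wrapped"])

def demo() -> dict:
    # Constructed values: a random volume key, a user password, a per-chip secret.
    vk, pw, chip = os.urandom(32), b"correct horse battery staple", os.urandom(32)
    luks_like, t2_like = make_header(vk, pw), make_header(vk, pw, chip)
    return {
        "luks_disk_moved_to_other_pc": recover(luks_like, pw) == vk,      # password suffices
        "t2_same_board": recover(t2_like, pw, chip) == vk,                 # password + live chip
        "t2_board_dead": recover(t2_like, pw) is None,                     # password alone useless
        "t2_board_swapped": recover(t2_like, pw, os.urandom(32)) is None,  # another chip's secret
    }
```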

