Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

mauricev

macrumors member
Original poster
Oct 10, 2002
41
4
Earth
I have a user with a new Mac laptop running 11.2.3 and suddenly his fingerprint disappeared from System Preferences, his password changed or was deleted, and his wifi profile in System Preferences -> Profiles became unsigned and therefore no longer usable.

I was able to resurrect him by using recovery mode, but we are left baffled as how all this data got damaged/deleted spontaneously.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
951
1,085
California
M1, or intel chip?

I suspect you have an intel laptop, because my theory is that somehow the T2 chip (which handles cryptographic signing of certificates, including wifi profiles, passwords, and fingerprints) malfunctioned in its crypto store and resulted in all of the symptoms you have described. It only takes 1 bit to be off in that store to throw everything off, and it is susceptible to cosmic rays and random external influences you have no control over.
 
  • Like
Reactions: mauricev

HDFan

Contributor
Jun 30, 2007
7,302
3,349
I suspect you have an intel laptop, because my theory is that somehow the T2 chip (which handles cryptographic signing of certificates, including wifi profiles, passwords, and fingerprints) malfunctioned in its crypto store and resulted in all of the symptoms you have described.

Doesn't the T2 also handle the encryption of the bootdrive? If so, if it somehow got corrupted wouldn't the key be lost and the data on the drive be inaccessible?
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
951
1,085
California
Doesn't the T2 also handle the encryption of the bootdrive? If so, if it somehow got corrupted wouldn't the key be lost and the data on the drive be inaccessible?
It does. However just because a drive is encrypted doesn't mean you can't mount it for reading (albeit reading gibberish). The description of the problem symptoms however indicate that the volume was already mounted and decrypted.

The answer might also be in the file storage system of APFS. As I understand it, all of the OS files are locked away under a different partition to prevent local root breaches from modifying system files in the event of a rootkit exploit chain. The OS files might not be encrypted, whereas your Data partition which contains all of your user profiles and data might not be and vice versa.

Ultimately there's a myriad of ways this could go wrong and present itself.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.