This is the latest (as on 30 August 21) on safety net.
What are the changes in Magisk?

John Wu (Magisk Developer) posted updates today, which clarifies the reasons.

Earlier, SafetyNet API wasn't fully / correctly implemented, the way it was meant to be :

• Key Attestation

From what we've seen so far, key attestation doesn't seem to be fully enforced yet, as devices with incompatible, potentially buggy(?) keymaster implementations (e.g. some OnePlus devices) that result in attest key cmd failures still pass SafetyNet regardless.

• Attestation was done locally

bootloader reports the device status via kernel cmdlines, and init will reflect them in properties, and apparently SafetyNet was using those values. All those stuff is in userspace, so Magisk can simply manipulate it

Now, with the Feature Preview: SafetyNet Attestation API evaluationType, there will be two types of evaluation, BASIC and HARDWARE_BACKED for a complete evaluation with remote validation (as against local) :

HARDWARE_BACKED - When we use the available hardware-backed security features of the remote device (e.g. hardware-backed key attestation) to influence our evaluation.

We’re currently evaluating and adjusting the eligibility criteria for devices where we will rely on hardware-backed security features.

Can this new system be hacked?

Looks very unlikely

• Even if we force validation to use BASIC method, it won't be hidden

IMO it is theoretically possible to alter control flow in SafetyNet's code to force it to always use BASIC evaluation by using some hooking framework like Xposed, however these kind of code injection is basically impossible to hide (memory space analysis).

• HARDWARE_BACKED is serious stuff and unlikely to be cracked since it involves TEE or hardware changes leading to cryptographic compromise (Robert also pointed out in comments)

To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography.

Breaking TEE won't be easy, which is why many security researchers are actively working on it.

(Emphasis added in all quotes)

How to check if Google has implemented hardware Attestation for my device?

Edit Magisk canary has been updated to show evaluation status and once the API is implemented, you will see more details (failing SafetyNet). Or, follow instructions on this XDA post to check attestation method using logcat

For more information see SafetyNet's hardware attestation will make hiding root in Magisk really hard

Edited on 16 December 20

And the final nail in the coffin for fooling safety net detection

Johnwu in

• tweet says

HW based evaluation is impractical to "hack" (except tricks to make it fallback to basic), and I lost all interest in improving the current way of hiding.

• Another tweet of 13 Dec 2020

If passing SafetyNet is the only use of Magisk for you, then yeah, bye Face with rolling eyes
( in response to So... magisk is completely useless right now?...)