A security researcher claims to have figured out how to break the T2 security chip on modern Intel-based Macs using a pair of exploits developed to jailbreak older phones. Apple has not commented on these claims.
What the research claims
The claim seems to be that because the T2 chip is based on the older A10 series Apple processor, it is possible to use two jailbreak tools (Checkm8 and Blackbird) to modify the behavior of T2, or even install malware to the chip.
It’s not an easy hack: Not only must an attacker have local access to the Mac, but they must connect to the target Mac using a non-standard “debugging” USB-C cable and run a version of a jailbreaking software package during startup.
It’s also important to note that not all Macs are vulnerable to this claimed attack. Apple Silicon Macs may not be impacted, while those running more recent iterations of the chip are not impacted.
Finally, if you are using FileVault to encrypt your Mac, attackers won’t have access to the data held there, though they may try installing malware.
Why this works
A post from a Belgian security researcher tells us this works because:
- It uses a debugging interface Apple keeps on the T2.
- This enables use of Device Firmware Update (DFU) mode without authentication.
- It is possible to use these tools to “Create an USB-C cable that can automatically exploit your macOS device on boot.”
- The attack lets attackers gain root access to the T2 chip to modify and take control of what’s running on the Mac, including gaining access to encrypted data.
- The nature of this is explained in a more extensive post here.
The researcher claims this means a hacker armed with this exploit who gains physical access to a Mac can break into the system, access files, alter macOS and even load arbitrary kexts. The attack cannot be performed remotely, says the researcher, who claims to have gone public with the news because Apple failed to respond when informed of the flaw.
What makes these claims a little more convincing is that the developers of a soon-to-be-announced data recovery tool claim to have found a way in which they can sometimes scan and extract data from devices protected by the T2 encryption chip.
What does the T2 chip do?
The T2 kicks in when you launch your Mac and the Apple logo appears. It acts as the root of trust and validates the entire boot process, checking security components and verifying legitimacy as it does.
The best way to see the T2 is that it is a gatekeeper designed to maximize hardware and software security. This is why the identification of such a vulnerability may be a problem.
The chip uses Apple’s Secure Enclave to handle your device’s encryption keys, biometric ID, and secure boot processes. It also integrates controllers such as the system management controller, image signal processor, audio controller, and SSD controller. Apple published a white paper in 2018 describing how the T2 chip works; the white paper is available here.
“The features of the Apple T2 Security Chip are made possible by the combination of silicon design, hardware, software, and services available only from Apple. These capabilities combine to provide unrivalled privacy and security features never before present on Mac,” Apple has said.
Who should be wary?
There doesn’t seem to be any need for widespread panic. The complex nature of this vulnerability suggests it is unlikely to be a problem for the vast majority of Mac users, particularly as it requires physical access to the machine.
It may, however, be a cause for concern among users who handle highly confidential information and ordinarily see themselves as potential targets for criminals or state actors.
What can you do?
At present, the best advice for any Mac user is to avoid leaving your Mac unattended and to avoid using a USB-C cable with your computer unless you are confident you know where it has been. It may also help to reset the system management controller (SMC) on your Mac.
It also makes sense to enable FileVault encryption on the machine.
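To see which Macs the advice above applies to, the following added example (not part of the original article) classifies a machine by whether it reports a T2 chip and whether FileVault is on, using the output of the stock macOS commands system_profiler SPiBridgeDataType and fdesetup status. The function names, labels and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Mac by T2 presence and FileVault state.
# Inputs are the text output of two stock macOS commands:
#   system_profiler SPiBridgeDataType   (lists the T2 controller, if any)
#   fdesetup status                     (reports "FileVault is On." / "Off.")

# has_t2 <system_profiler output>: succeeds if a T2 controller is listed.
has_t2() {
    printf '%s\n' "$1" | grep -qi 'Apple T2'
}

# filevault_on <fdesetup output>: succeeds only if FileVault reports On.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# classify <system_profiler output> <fdesetup output>: prints one label.
# "no-t2" covers both pre-T2 Intel Macs and Apple Silicon Macs.
classify() {
    if ! has_t2 "$1"; then
        echo "no-t2"
    elif filevault_on "$2"; then
        echo "t2-filevault-on"
    else
        echo "t2-filevault-off"
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_T2='Controller:

      Model Name: Apple T2 Security Chip
      Firmware Version: (constructed)'
SAMPLE_NO_T2=''
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

# On a real Mac, classify the live machine; elsewhere only define functions.
if [ "$(uname -s)" = "Darwin" ]; then
    classify "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
             "$(fdesetup status 2>/dev/null)"
fi
```

A result of t2-filevault-off marks a machine where the FileVault step above has not yet been taken.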
What will Apple do?
The researcher claims Apple is unlikely to be able to protect against this vulnerability with a software patch. Apple hasn’t confirmed or denied that claim, nor has it said anything regarding the claimed vulnerability at the time of writing.
Copyright © 2020 IDG Communications, Inc.