Security researchers have confirmed speculation that the T2 security chip on modern Macs can be hacked. A combination of two different exploits would give a hacker the ability to modify the behavior of the chip, and even plant malware like a keylogger inside it.
All Macs sold since 2018 contain the T2 chip, and because the attack uses code in the read-only memory section of the chip, there is no way for Apple to patch it …
How the T2 security chip exploit works
ZDNet reports that the attack involves using two exploits used to jailbreak iPhones. The reason they can also be used on Macs is because the T2 security chip is based on the A10 chip used in older iPhones.
The attack requires combining two other exploits that were initially used for jailbreaking iOS devices — namely Checkm8 and Blackbird. This works because of some shared hardware and software features between T2 chips and iPhones and their underlying hardware.
According to a post from Belgian security firm ironPeak, jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac’s boot-up process.
Per ironPeak, this works because “Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication.”
“Using this method, it is possible to create an USB-C cable that can automatically exploit your macOS device on boot,” ironPeak said.
This allows an attacker to get root access on the T2 chip and modify and take control of anything running on the targeted device, even recovering encrypted data […]
The danger regarding this new jailbreaking technique is pretty obvious. Any Mac or MacBook left unattended can be hacked by someone who can connect a USB-C cable, reboot the device, and then run Checkra1n 0.11.0.
The ironPeak blog post summarizes the position in stark terms.
TL;DR: all recent macOS devices are no longer safe to use if left alone, even if you have them powered down.
- The root of trust on macOS is inherently broken
- They can bruteforce your FileVault2 volume password
- They can alter your macOS installation
- They can load arbitrary kernel extensions
It says the firm decided to go public because Apple failed to respond, despite being contacted ‘on numerous occasions.’
The risk to ordinary users is very low
The good news is that this exploit would require physical access to your Mac. Ensuring that your Mac is never left unattended where someone could gain access is the best protection. As always, you should also never connect anything to your Mac – from a charging cable upwards – unless you trust the person or organization providing it.
Since the attack requires physical access, ideally more than once (for example, once to install a keylogger to obtain your password, and again to use the password to access your data), it is the sort of attack which is most likely to be employed by state actors and corporate espionage agents against worthwhile targets: senior company execs, diplomats and so on. The risk to the average Mac user is very low.
The blog post…