A recently released tool allows anyone to exploit an unusual Mac vulnerability to bypass Apple
In general, the jailbreak community has not put as much emphasis on macOS and OS X as on iOS, because they do not have the same limitations and walled gardens that are built into Apple’s mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries of its own. Apple added the chip as a trusted mechanism to underpin high-value features such as encrypted data storage, Touch ID and Activation Lock, which works with Apple’s “Find My” services. But the T2 also contains a vulnerability, known as Checkm8, which jailbreakers have already exploited in Apple’s A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for bypassing the T2.
On Macs, the jailbreak allows researchers to examine the T2 chip and explore its security features. It can even be used to run Linux on the T2 or to play Doom on a MacBook Pro’s Touch Bar. The jailbreak can also be weaponized by malicious hackers to disable macOS security features such as System Integrity Protection and Secure Boot and to install malicious software. Combined with another T2 vulnerability released in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and decrypt user data. The vulnerability cannot be patched, because the bug is in low-level, unchangeable hardware code.
“The T2 is meant to be this little secure black box on Macs – a computer inside your computer, which handles things like Lost Mode enforcement, integrity checking and other privileged tasks,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “So the implication is that this piece would be harder to compromise – but now it’s done.”
Apple did not respond to WIRED’s request for comment.
However, there are some important limitations of the jailbreak that prevent this from being a full-fledged security crisis. The first is that an attacker needs physical access to target devices to exploit them. The tool can only be run from another device over USB. This means that hackers cannot remotely mass-infect every Mac that has a T2 chip. An attacker could jailbreak a target device and then disappear, but the compromise is not “persistent”; it ends when the T2 chip is restarted. The Checkra1n researchers note, though, that the T2 chip itself does not restart every time the device does. To make sure that a Mac has not been compromised by the jailbreak, the T2 chip must be restored to Apple’s default settings. Finally, the jailbreak does not give an attacker instant access to the target’s encrypted data. It could allow hackers to install keyloggers or other malicious software that later captures the decryption keys, or it could make them easier to brute-force, but Checkra1n is not a silver bullet.
“There are many other vulnerabilities, including remote ones, that undoubtedly have a greater impact on security,” a Checkra1n team member tweeted on Tuesday.
In a discussion with WIRED, the Checkra1n researchers added that they see jailbreak as a necessary tool for transparency about T2. “It’s a unique chip, and it’s different from iPhones, so having open access is useful for understanding it on a deeper level,” said one team member. “It was a complete black box before, and we can now look at it and find out how it works for security research.”
The exploit also comes as little surprise; it has been clear since the original Checkm8 discovery last year that the T2 chip was vulnerable in the same way. And researchers point out that while the T2 chip debuted in 2017 in high-end iMacs, it only recently rolled out across the entire Mac line. Older Macs with the T1 chip are not affected. Still, the finding is important because it undermines a crucial security feature on newer Macs.
Jailbreaking has long been a gray area because of this tension. It gives users the freedom to install and change whatever they want on their devices, but it is achieved by exploiting vulnerabilities in Apple’s code. Hobbyists and researchers use jailbreaks in constructive ways, including to perform more security testing and potentially help Apple fix more bugs, but there is always the chance that attackers will weaponize jailbreaks to do harm.
“I had already assumed that since T2 was vulnerable to Checkm8, it was toast,” said Patrick Wardle, an Apple security researcher at enterprise management firm Jamf and a former NSA researcher. “There’s really not much Apple can do to fix it. It’s not the end of the world, but this chip, which was supposed to provide all this extra security, is now pretty much moot.”
Wardle points out that for companies that manage their devices using Apple’s Activation Lock and Find My features, the jailbreak could be particularly problematic, both in terms of possible device theft and other insider threats. And he notes that the jailbreak tool could be a valuable starting point for attackers who want a shortcut to developing potentially powerful attacks. “You’ll probably be able to weaponize this and create a beautiful in-memory implant that by design disappears at reboot,” he says. This means that malware would run without leaving traces on the hard drive, making it difficult for victims to track down.
The situation also raises much deeper issues with the basic approach of using a special, trusted chip to secure other processes. Beyond Apple’s T2, many other technology vendors have tried this approach and had their secure enclaves defeated, including Intel, Cisco and Samsung.
“Always a double-edged sword”
“Building hardware security mechanisms is just always a double-edged sword,” said Ang Cui, founder of the embedded security firm Red Balloon. “If an attacker is able to own the secure hardware mechanism, the defender usually loses more than they would have if they had not built any hardware. It’s a smart design in theory, but in the real world it usually backfires.”
In this case, you probably need to be a very high-value target for this to be cause for real alarm. Still, hardware-based security measures create a single point of failure on which the most important data and systems depend. Although the Checkra1n jailbreak does not give attackers unrestricted access, it does give them more than anyone would want.
This story originally appeared on wired.com.