If you have a castle with nuclear walls and a mile deep moat … well, just fly a helicopter in, or wait for someone there to do a DoorDash.
Or … let sloppy engineering do the work for you, as in this case – it’s a brain death screwed up by Apple.
The acclaimed Apple T2 chip on systems with an Intel process and the Apple T2 chip can apparently be anchored in a relatively straightforward attack, child’s play for a state actor, and perhaps for any good hacker. All you have to do is get someone to connect a USB-C cable or flash drive or whatever.
Let’s talk about the thing no one is talking about. Let’s talk about one vulnerability that completely exposes your macOS devices while most refuse to act or report on the matter. Oh, and I said that upatchable?
Intel vs Silicon
This blog post only applies to macOS systems with one Intel processor and the built-in T2 security chip. Apple silicon systems will run entirely on a set of Apple-designed ARM processors and will thus use a different topology based on e.g. The A12 chip. Since the A12 chip seems to have solved this problem (to be confirmed), it is likely that the new Apple Silicon machines will not be vulnerable. And while the new upcoming Intel Macs at the end of the year are likely to receive a new hardware version of the T2 chip (eg Based on A12), we are still fixed this vulnerability on Mac between 2018 and 2020.
Apple left a troubleshooting interface open in the T2 security chip that was sent to customers, so that anyone can enter Device Firmware Update (DFU) mode without authorization … Using this method, possible to create a USB-C cable that can automatically utilize your macOS device at startup. (!)
When you have access to T2, you have it full root access and kernel drive privileges since the kernel is rewritten before runtime. The good news is that if you use FileVault2 as disk encryption, they will not have access to your data on disk immediately. However, they can inject a key logger into the T2 firmware since it manages keyboard access, stores your password for retrieval or transfer in the event of a malicious hardware party.
• The functionality of locking an Apple device remotely (eg Via MDM or FindMy) can be bypassed (Activation lock).
A firmware password does not alleviate this problem, as it requires access to the keyboard, and thus needs the T2 chip to run first.
• Any core extension can be approved since the T2 chip determines which one to load during startup.
• If the attack is able to modify your hardware (or sneak in a malicious USB-C cable), it will be possible to achieve a semi-tethered exploitation.
While this may not sound scary, keep in mind that this is a perfect fit possible attack scenario for state actors. I have sources who say that more news is on the way in the coming weeks. I quote: be afraid, be very afraid.
I have contacted Apple about this issue on several occasions, even making the dreaded cc firstname.lastname@example.org to get some exposure. Since I did not receive a response for several weeks, I did the same to many news sites that cover Apple, but no response there as well. In the hope of raising awareness (and an official response from Apple), I hereby reveal almost all the details. You can claim that I do not follow responsible disclosure, but since this problem has been known since 2019, I think it’s quite clear Apple does not plan to release and quietly develop a (hopefully) patched T2 in the newer Macs and silicon.
MPG: Why does Apple not comment or respond?