Security researchers have confirmed speculation that the T2 security chip on modern Macs could be hacked. A combination of two different exploits will allow a hacker to change the behavior of the chip, and even plant malicious software such as a keylogger in it.
All Macs sold since 2018 contain the T2 chip, and because the attack uses code in the read-only memory section of the chip, there is no way for Apple to patch it …
This is how the T2 security chip works
ZDNet reports that the attack involves the use of two exploits used to jailbreak iPhones. The reason they can also be used on Macs is that the T2 security chip is based on the A1
The attack requires a combination of two other exploits that were originally used for jailbreaking iOS devices – namely Checkm8 and Blackbird. This works due to some shared hardware and software features between T2 chips and iPhones and their underlying hardware.
According to a post from the Belgian security company ironPeak, jailbreaking a T2 security chip involves connecting to a Mac / MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac startup process.
Per ironPeak, this works because “Apple left a debugging interface open in the T2 security chip that was sent to customers so that anyone could enter Device Firmware Update (DFU) mode without authorization.”
“Using this method, it is possible to create a USB-C cable that can automatically utilize your macOS device at startup,” said ironPeak.
This allows an attacker to gain root access on the T2 chip and change and take control of everything running on the targeted device, even recovering encrypted data. […]
The danger of this new jailbreaking technique is quite obvious. Any Mac or MacBook left unattended can be hacked by someone who can connect a USB-C cable, restart the device and then run Checkra1n 0.11.0.
The IronPeak blog post summarizes the position in strong terms.
TL; DR: All recent macOS devices are no longer safe to use if left alone, even if you have them turned off.
- The root of trust in macOS is inherently broken
- They may corrupt your FileVault2 volume password
- They can modify your MacOS installation
- They can load arbitrary core extensions
It says the company decided to go public because Apple did not respond, despite being contacted “on several occasions.”
The risk for regular users is very low
The good news is that this exploit will require physical access to your Mac. Ensuring that your Mac is never left unattended where anyone can access it is the best protection. As always, never connect anything to your Mac – from a charging cable upwards – unless you trust the person or organization that delivers it.
Since the attack requires physical access, ideally more than once (for example, once to install a key logger to get your password, and again to use the password to access your data), it is the type of attack that most likely to be used by government actors and corporate espionage agents against valuable targets: senior business executives, diplomats and so on. The risk for the average Mac user is very low.
The blog post speculates that Apple will probably make a new revision of the T2 chip based on the A12 for Apple Silicon Macs, so these will almost certainly be safe for use.
We got an interesting look at all the work the T2 chip did in 2018, and a security document from Apple described the benefits of the chip.
FTC: We use auto affiliate links. More.
Check out 9to5Mac on YouTube for more Apple news: