Update at the bottom: Another team with a different cable that can hijack a Mac, among other devices.
The T2 exploit team, which found a way to take over the security chip in modern Macs, has demonstrated a way to do so without user intervention – using nothing more than a modified USB-C cable.
The ad hoc team, which calls itself Team t8012 after Apple’s internal name on the chip, believes that nation states can already use this approach.
We recently reported that it could be done.
Speculation that the T2 security chip in modern Macs can be hacked has been confirmed by the team behind the research. A combination of two different exploits gives an attacker the ability to change the behavior of the chip, and even to plant malware such as a keylogger in it.
All Macs sold since 2018 contain the T2 chip, and because the attack uses code in the read-only memory section of the chip, there is no way for Apple to patch it.
The attack involves the use of two exploits used to jailbreak the iPhone. The reason they can also be used on Macs is that the T2 security chip is based on the A10 chip used in older iPhones.
The team has now given a practical demonstration. A video shows them connecting a USB-C cable to a Mac, after which the attacking computer takes control. The target Mac goes to a black screen while the connected computer confirms that the operation succeeded. Note that the connected computer only reports the success of the operation – the attack itself is performed by chips built into the cable.
Another video demonstrates success by changing the Apple logo shown during startup.
The T2 exploit team is also working on a demonstration of installing a keylogger.
Team t8012’s Rick Mark told me that his motivation for participating in the T2 research was that he was convinced it was possible and perhaps already in use. While the need for physical access to the Mac means it can only be used for highly targeted attacks, he suspects that nation states are using it, and potentially organized crime as well.
Mark says there is nothing Apple can do to prevent exploitation of existing T2 Macs, but the company could offer a tool to verify a machine’s integrity against checkm8 and flag it as a bug.
I suggested that Apple could solve the problem in future chips with some kind of encrypted commands that only allow DFU for devices with the correct codes, and he confirmed that this would work “but I think it again puts a lot of trust in them to do so is correct … without having any data that it would do so. ”
For example, Mark said, Apple has released six new Mac models since the checkm8 exploit became public, by which point Apple should have known that the T2 chip was vulnerable.
One of the interesting things that emerges from the research is the way the Mac assigns functionality to USB-C ports.
One of the interesting questions is how Macs share a USB port between both the Intel CPU (macOS) and the T2 (bridgeOS) for DFU. These are effectively separate computers inside the case that share the same pins. MacBook schematics leaked from Apple suppliers (a quick search for a part number and “schematic” finds them), together with analysis of the USB-C payload for the firmware update, show that there is a component on each port whose job is both multiplexing (so the port can be shared) and terminating USB Power Delivery (USB-PD) for charging the MacBook or connected devices. Further analysis shows that this port is split between the following:
- The Thunderbolt controller, which lets macOS use the port for Thunderbolt, USB3 or DisplayPort
- The T2 USB host for DFU recovery
- Various serial UART lines
- T2 debug pins
- Intel CPU debug pins for debugging EFI and the macOS kernel
As with the iPhone documentation above, the debug pins on a Mac are only available if enabled via the T2. Before the checkm8 bug, this required a specially signed payload from Apple, which means Apple holds a skeleton key to debug all devices, including manufacturing machines. Thanks to checkm8, any T2 can be downgraded and the debug functionality enabled.
You can read the blog post here. We have contacted Apple for comment and will update with any response.
Update: This is not the same team or cable. I will never trust a USB-C cable unless I know where it came from.