A report by security firm ironPeak this morning claims that the Apple-produced T2 chip found in the latest Macs may have an error that cannot be updated, leaving it vulnerable to arbitrary code execution. The exploit that was used to take advantage of the error is checkm8, a piece of code that was originally used to jailbreak iPhones, with which the T2 chip shares some common features:
The mini operating system on the T2 (SepOS) suffers from a security vulnerability that is also present in the iPhone 7 since it contains a processor based on iOS A10. Utilization of this type of processors to install homebrew software is very actively discussed in / r / jailbreak subreddit.
So using the checkm8 exploit that was originally created for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, and exploit a bug. This can be used for e.g. Bypassing activation locks so that stolen iPhones or macOS devices can be reset and sold on the black market.
Ok, this absolutely sounds bad. However, some in the infosec community have pushed back on the actual implications here, especially researcher Will Strafach (aka chronic).
Strafach says that T2 is actually vulnerable to checkm8, and has been for some time, which means that those with physical access to your computer can essentially restart it in device firmware upgrade mode (DFU), and then execute arbitrary code.
on the other hand, Strafach also points out that what is less clear is whether the arbitrary code will last through a reboot:
what is not proven: any kind of useful endurance. property lists on the data partition can be changed, which is not good, but there is no evidence yet that one can maintain unauthorized code through a complete and correct reboot.
– Will Strafach (@chronic) October 6, 2020
Which does not mean that there are no serious problems here, but more that the risk for the average user is still low. Even ironPeak even points out that full-disk encryption provided by FileVault 2 would prevent an intruder from immediately accessing your data.
As is often the case, the greatest risk for this vulnerability is for high-level hacks – ie those used by intelligence agencies to target specific personnel in governments or other organizations; it is unlikely that the average user will encounter such a scenario. But the error remains, and the read-only character of the T2 chip means that this is not something Apple can fix with a software update. (However, a new chip – such as a T3 – may very well contain changes to correct for this error.)
Apple has so far been silent about the error. The researchers at ironPeak claim that they reached out to Apple for clarification and received no response, and therefore decided to go public with the information they had.
I have contacted Apple for comment, but have not yet heard anything about it.[[[[And the Mother is the official Dan of Six Colors. You can find him on Twitter at @dmoren or reach him via email at firstname.lastname@example.org. His latest novel, The Aleph Extraction, is out now and available in fine bookstores everywhere, so be sure to pick up a copy.]
If you appreciate articles like this, you can support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories and a special community.