Security researchers have demonstrated a chain of two exploits against Apple's T2 security chip that jailbreaks the Macs built around it. By combining checkm8, the BootROM exploit already used against iPhones (the T2 is derived from the iPhone's A10 processor), with the blackbird vulnerability in the Secure Enclave, an attacker can jailbreak MacBooks and desktop Macs that carry the T2.
Details circulated on Twitter and Reddit over the preceding weeks, and the technique has since been tested and confirmed. The procedure is involved and requires physical access to the machine, since the attacker has to put the T2 into DFU mode to trigger the exploit.
Introduced with the iMac Pro in late 2017, the Apple T2 Security Chip is the company's second-generation custom silicon for the Mac line-up, following the T1. It contains a Secure Enclave coprocessor that handles Touch ID data, the keys for encrypted storage, and secure boot, including verification of the macOS kernel before it runs.
Apple’s T2 Chip Security Vulnerability
A successful exploit gives an attacker with physical access full control over the T2: they can alter the firmware it runs and, because the T2 checks the macOS kernel at boot, tamper with the core operating system itself. The concern is that this unauthorized access can expose users' confidential data and be used to plant malware that survives a macOS reinstall.
Another gem of the 0.11 release: support for the T2 / bridgeOS https://t.co/3WaYWup954
— Rick Mark (@su_rickmark) September 22, 2020
Hacker News talking about @checkra1n jailbreak for Apple T2 chip.
Don't worry: While we do have a permanent jailbreak for Apple T2 chip, these Macs are actually no less secure than older Macs without Apple T2 chip. There is no reason to get an older Mac.https://t.co/dbjpJpQpA8 pic.twitter.com/sDj3nhTBea
— ax🔥🌸mX (@axi0mX) September 30, 2020
ironPeak explains how the debugging interface is abused:
"Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication."
Connecting to target via SWD
Found SW-DP with ID 0x4BA02477 pic.twitter.com/ByfbosOXCx
— h0m3us3r (@h0m3us3r) July 7, 2020
The blog post goes on to explain the impact:
"Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately. They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment.
The functionality of locking an Apple device remotely (e.g. via MDM or FindMy) can be bypassed (Activation Lock).
A firmware password does not mitigate this issue since it requires keyboard access, and thus needs the T2 chip to run first.
Any kernel extension could be whitelisted since the T2 chip decides which one to load during boot.
If the attacker is able to alter your hardware (or sneak in a malicious USB-C cable), it would be possible to achieve a semi-tethered exploit.
While this may not sound as frightening, be aware that this is a perfectly possible attack scenario for state actors. I have sources that say more news is on the way in the upcoming weeks.”
Because checkm8 targets the T2's BootROM, which is fixed at manufacture and cannot be rewritten by a software update, experts consider the flaw unpatchable: only a hardware change removes it. The upcoming Apple Silicon Macs, which do not use the T2, are therefore not expected to be affected. In the meantime, Mac users are advised not to connect untrusted devices or cables to the USB-C ports, not to leave the machine unattended where someone could reboot it into DFU mode, and to keep FileVault enabled so that the data on disk stays encrypted even if the T2 is compromised. The following Macs carry the T2 chip and are therefore exposed:
- iMac – 2020
- iMac Pro
- Mac Pro – 2019
- Mac mini – 2018
- MacBook Air – 2018 or later
- MacBook Pro – 2018 or later
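As an added example (not code from the article or from ironPeak's post), the following Python script audits a Mac for the two facts the text above makes relevant: whether the machine has a T2 at all, and whether FileVault is on so that the data at rest stays encrypted if the T2 firmware is tampered with. It assumes the plain-text layout of `system_profiler SPiBridgeDataType` and `fdesetup status` on macOS 10.15/11; the sample outputs embedded in it are constructed to match those formats, not captured from a real machine, so the parsers can be exercised on any platform.

```python
"""Audit a Mac for exposure to the T2 checkm8/blackbird chain.

Added example; not code from the article or from ironPeak. The command
output layouts below are assumptions about macOS 10.15/11."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class T2Audit:
    has_t2: bool
    bridge_firmware: Optional[str]   # bridgeOS/iBridge version string, if reported
    filevault_on: bool

    @property
    def verdict(self) -> str:
        """Summarise the exposure in the terms the article uses."""
        if not self.has_t2:
            return "no T2 chip: not affected by the T2 checkm8/blackbird chain"
        if not self.filevault_on:
            return ("T2 present, FileVault OFF: the flaw is unpatchable and a physical "
                    "attacker who reaches the T2 can read the data on disk directly")
        return ("T2 present, FileVault ON: the flaw is unpatchable; data at rest stays "
                "encrypted, but tampered T2 firmware could still capture the password "
                "at the keyboard")


def parse_ibridge(text: str) -> Tuple[bool, Optional[str]]:
    """Parse the output of `system_profiler SPiBridgeDataType`.

    Assumed layout: a 'Controller:' section that, on T2 Macs, names
    'Apple T2 Security Chip' and carries a 'Firmware Version:' line; on
    Macs without a T2 the section is empty."""
    has_t2 = "Apple T2 Security Chip" in text
    match = re.search(r"Firmware Version:\s*(.+)", text)
    firmware = match.group(1).strip() if match else None
    return has_t2, firmware


def parse_fdesetup(text: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return re.search(r"^FileVault is On\.", text, re.MULTILINE) is not None


def audit(ibridge_text: str, fdesetup_text: str) -> T2Audit:
    """Combine both tool outputs into one verdict."""
    has_t2, firmware = parse_ibridge(ibridge_text)
    return T2Audit(has_t2, firmware, parse_fdesetup(fdesetup_text))


def _run(cmd: list) -> str:
    """Run a command and return its stdout; empty string if the tool is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def audit_live() -> T2Audit:
    """Audit the machine this runs on (macOS only; both tools ship with the OS)."""
    return audit(_run(["system_profiler", "SPiBridgeDataType"]),
                 _run(["fdesetup", "status"]))


# Constructed sample outputs (modelled on the tools' formats, not captured
# from a real machine) so the parsers can be exercised anywhere.
SAMPLE_IBRIDGE_T2 = """Controller:

    Apple T2 Security Chip:

      Firmware Version: iBridge: 18.16.14347.0.0,0
      Model Name: Apple T2 Security Chip
"""
SAMPLE_IBRIDGE_NONE = "Controller:\n\n"
SAMPLE_FV_ON = "FileVault is On.\n"
SAMPLE_FV_OFF = "FileVault is Off.\n"


if __name__ == "__main__":
    # On macOS query the real tools; elsewhere fall back to the constructed sample.
    result = audit_live() if sys.platform == "darwin" else audit(SAMPLE_IBRIDGE_T2, SAMPLE_FV_OFF)
    print(f"T2 present:      {result.has_t2}")
    print(f"bridge firmware: {result.bridge_firmware}")
    print(f"FileVault on:    {result.filevault_on}")
    print(f"verdict:         {result.verdict}")
```

The firmware version is reported, not judged, because no bridgeOS update can close a BootROM flaw; the only actionable outputs are whether the machine is in the affected class and whether FileVault limits what a physical attacker gets immediately.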