Security researcher Niels Hofmans of ironPeak has confirmed a T2 chip security flaw. These chips have been found in all new model Macs made since 2018.
At its worst, the vulnerability — which is reportedly “unpatchable” — could allow an attacker to interfere with Macs in “classic evil maid” attacks involving an unintended computer. This might open the door for new ways for law enforcement to access suspects’ Macs to retrieve information, for example.
“The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices — namely Checkm8 and Blackbird. This works because of some shared hardware and software features between T2 chips and iPhones and their underlying hardware.
According to a post from Belgian security firm ironPeak, jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac’s boot-up process.
Per ironPeak, this works because “Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication.”
Is this a risk to average users?
While any security flaw is bad news, this is unlikely to impact typical users. That’s because it requires someone to physically connect to a Mac using a USB-C cable. They would then have to reboot the device and run Checkra1n 0.11.0.
However, it’s still not great to hear that a person with access to the T2 chip could gain full root access and kernel execution privileges to a Mac. This could be used to, for instance, steal passwords by way of a key logger. For a chip that was created to add extra security for the Mac, that’s likely something Apple is not going to be too happy to hear about.
According to Niels Hofmans, this security vulnerability has been disclosed to Apple before, but it has yet to respond. This could be because Apple is working on a patched T2 chip for use in future Macs.
In the meantime, it’s a reminder to never let anyone plug an untrusted peripheral into your Mac. You never know what it could be delivering!