T2 chip vulnerability could let local attackers hack Macs

The Apple T2 chip could be the source of mysterious crashes afflicting two of Apple's newest computers.
Apple introduced its T2 chips to Mac a couple of years ago.

Security researcher Niels Hofmans of ironPeak has confirmed a T2 chip security flaw. These chips have been found in all new Macs made since 2018.

At its worst, the vulnerability — which is reportedly “unpatchable” — could allow an attacker to interfere with Macs in “classic evil maid” attacks involving an unintended computer. This might open the door for new ways for law enforcement to access suspects’ Macs to retrieve information, for example.

A report from ZDNet notes:

“The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices — namely Checkm8 and Blackbird. This works because of some shared hardware and software features between T2 chips and iPhones and their underlying hardware.

According to a post from Belgian security firm ironPeak, jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac’s boot-up process.

Per ironPeak, this works because “Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication.”

Is this a risk to average users?

While any security flaw is bad news, this is unlikely to impact typical users. That’s because it requires someone to physically connect to a Mac using a USB-C cable. They would then have to reboot the device and run Checkra1n 0.11.0.

However, it’s still not great to hear that a person with access to the T2 chip could gain full root access and kernel execution privileges on a Mac. This could be used to, for instance, steal passwords by way of a keylogger. For a chip that was created to add extra security to the Mac, that’s likely something Apple is not going to be too happy to hear about.

According to ironPeak’s Hofmans, this security vulnerability has been disclosed to Apple before, but the company has yet to respond. This could be because Apple is working on a patched T2 chip for use in future Macs.

In the meantime, it’s a reminder to never let anyone plug an untrusted peripheral into your Mac. You never know what it could be delivering!

Source: ironPeak