Apple's T2 Chip Has Unpatchable Security Flaw, Claims Researcher [Updated]

Intel Macs that use Apple's T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to team of software jailbreakers.

t2checkm8 1
Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. In a blog post, however, security researcher Niels Hofmans notes that because the chip is based on an A10 processor it's vulnerable to the same checkm8 exploit that is used to jailbreak iOS devices.

This vulnerability is reportedly able to hijack the boot process of the T2's SepOS operating system to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, Hofmans claims it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they can't directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption.

According to Hofmans, the exploit can also bypass the remote device locking function (Activation Lock) that's used by services like MDM and FindMy. A firmware password won't help prevent this either because it requires keyboard access, which requires the T2 chip to run first.

For security reasons, SepOS is stored in the T2 chip’s read-only memory (ROM), but this also prevents the exploit from being patched by Apple with a software update. On the plus side, however, it also means the vulnerability isn't persistent, so it requires a "hardware insert or other attached component such as a malicious USB-C cable" to work.

Hofmans says he has reached out to Apple about the exploit but is still awaiting a response. In the meantime, average users can protect themselves by keeping their machines physically secure and by avoiding plugging in untrusted USB-C cables and devices.

Lastly, the researcher notes that upcoming Apple Silicon Macs use a different boot system, so it's possible that they won't be impacted by the vulnerability, although this is still being actively investigated.

Update: The original report incorrectly referred to Niels Hofmans as the cybersecurity expert who carried out the research. Hofmans is in fact an industry consultant who provided impact analysis of the T2 and checkm8. This has now been corrected.

Top Rated Comments

Bug-Creator Avatar
14 months ago

Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure.
How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.
Score: 107 Votes (Like | Disagree)
Kung gu Avatar
14 months ago

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
umm, have you seen or heard about intel exploits...
Score: 75 Votes (Like | Disagree)
twistedpixel8 Avatar
14 months ago

How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.
Well yes but on a chip whose sole purpose is security...? That’s not great is it.
Score: 36 Votes (Like | Disagree)
jclardy Avatar
14 months ago

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
I guess you already forgot about Meltdown and Spectre? Intel has been shipping vulnerable chips for years.
Score: 34 Votes (Like | Disagree)
Kung gu Avatar
14 months ago

Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure.
did u miss the part where I said this is fixed in the A12 and intel chips have even worse security issues..
Score: 28 Votes (Like | Disagree)
farewelwilliams Avatar
14 months ago

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

Patently false. Such a stupid comment. Apple sold over a billion iPhones (their core business) and you're saying they're not taking necessary steps to keep their chips secure? Sorry, but that's one of the most ridiculous things I've ever heard on this forum.
Score: 25 Votes (Like | Disagree)

Related Stories

t2checkm8 1

Apple's T2 Security Chip Vulnerable to Attack Via USB-C

Tuesday October 13, 2020 8:33 am PDT by
After it was reported last week that Apple's T2 Security Chip could be vulnerable to jailbreaking, the team behind the exploit have released an extensive report and demonstration. Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. It appears that since the chip is based on ...
apple security banner

macOS 11.3 Patches Security Vulnerability That Bypassed Built-In Malware Protections

Monday April 26, 2021 11:03 am PDT by
Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update patches a security vulnerability that reportedly could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a spoofed document. "All the user would need to do is double click — and no macOS prompts or warnings are generated," said security researcher Cedric...
iPhone 12 Security Feature

Many iOS Encryption Measures 'Unused,' Say Cryptographers

Thursday January 14, 2021 6:21 am PST by
iOS does not utilize built-in encryption measures as much as it could do, allowing for potentially unnecessary security vulnerabilities, according to cryptographers at Johns Hopkins University (via Wired). Using publicly available documentation from Apple and Google, law enforcement reports about bypassing mobile security features, and their own analysis, the cryptographers assessed the...
apple devices mac iphone ipad watch collage

Apple Updates Platform Security Guide, Says Kernel Extensions Won't Be Supported on Future Apple Silicon Macs

Thursday February 18, 2021 12:00 pm PST by
Apple today shared an updated version of its Platform Security Guide [PDF], providing a comprehensive overview of the latest security advancements across iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, watchOS 7, and more. For example, the guide provides security details about Safari's optional Password Monitoring feature on iOS 14 and macOS Big Sur, which automatically keeps an eye out for any...
iOS 14

Apple Stops Signing iOS 14.4.1 After Releasing iOS 14.4.2 With Fix for Actively Exploited Security Vulnerability

Friday April 2, 2021 12:40 pm PDT by
Following the release of iOS 14.4.2 on March 26, Apple has stopped signing iOS 14.4.1, the previously available version of iOS 14. With iOS 14.4.1 no longer being signed, it is not possible to downgrade to iOS 14.4.1 from iOS 14.4.2 if you've already updated your iPhone or iPad. Apple routinely stops signing older versions of software updates after new releases come out in order to encourage ...
tsmc semiconductor chip inspection 678x452

Apple Supplier TSMC Says Global Chip Shortage Likely to Last into 2022

Thursday April 15, 2021 2:01 am PDT by
Apple supplier TSMC today said it is doing all it can to increase productivity and alleviate the worldwide chip shortage, but that tight supplies will likely continue into next year (via Reuters). The comments followed a reported 19.4% rise in the Taiwanese firm's first-quarter profit, which beat market expectations, thanks to strong chip demand and a global shift to home working. TSMC...
a13 bionic mockup

Apple Made Sudden Security Changes to its Chips in Fall 2020

Monday April 12, 2021 8:15 am PDT by
Apple made unusual mid-production hardware changes to the A12, A13, and S5 processors in its devices in the fall of 2020 to update the Secure Storage Component, according to Apple Support documents. According to an Apple Support page, spotted by Twitter user Andrew Pantyukhin, Apple changed the Secure Enclave in a number of products in the fall of 2020:Note: A12, A13, S4, and S5 products...
ipad pro display apple pencil

iOS 14.5 Beta 5 References Unreleased 'A14X' Chip Rumored for iPad Pro

Tuesday March 23, 2021 2:11 pm PDT by
Apple is rumored to have a new iPad Pro in the works that will feature an upgraded "A14X" chip, and signs of that upcoming chip have been found in the fifth iOS 14.5 beta that was released this morning. According to 9to5Mac, the beta mentions a GPU from a chip referred to as "13G," which does not correspond to the chips used by currently available iOS devices. Previous naming schemes...
m1 4nm feature2

Apple Orders 4nm Chip Production for Next-Generation Macs

Tuesday March 30, 2021 12:35 am PDT by
Apple has booked the initial production capacity of 4nm chips with long-time supplier TSMC for its next-generation Apple silicon, according to industry sources cited in a new report today from DigiTimes. From today's report: Apple has already booked the initial capacity of TSMC's N4 for its new-generation Mac series, the sources indicated. Apple has also contracted TSMC to make its...