Apple's T2 Chip Has Unpatchable Security Flaw, Claims Researcher [Updated]

Intel Macs that use Apple's T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to team of software jailbreakers.

t2checkm8 1
Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. In a blog post, however, security researcher Niels Hofmans notes that because the chip is based on an A10 processor it's vulnerable to the same checkm8 exploit that is used to jailbreak iOS devices.

This vulnerability is reportedly able to hijack the boot process of the T2's SepOS operating system to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, Hofmans claims it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they can't directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption.

According to Hofmans, the exploit can also bypass the remote device locking function (Activation Lock) that's used by services like MDM and FindMy. A firmware password won't help prevent this either because it requires keyboard access, which requires the T2 chip to run first.

For security reasons, SepOS is stored in the T2 chip’s read-only memory (ROM), but this also prevents the exploit from being patched by Apple with a software update. On the plus side, however, it also means the vulnerability isn't persistent, so it requires a "hardware insert or other attached component such as a malicious USB-C cable" to work.

Hofmans says he has reached out to Apple about the exploit but is still awaiting a response. In the meantime, average users can protect themselves by keeping their machines physically secure and by avoiding plugging in untrusted USB-C cables and devices.

Lastly, the researcher notes that upcoming Apple Silicon Macs use a different boot system, so it's possible that they won't be impacted by the vulnerability, although this is still being actively investigated.

Update: The original report incorrectly referred to Niels Hofmans as the cybersecurity expert who carried out the research. Hofmans is in fact an industry consultant who provided impact analysis of the T2 and checkm8. This has now been corrected.

Popular Stories

iPhone SE 4 Vertical Camera Feature

iPhone SE 4 Rumored to Use Same Rear Chassis as iPhone 16

Friday July 19, 2024 7:16 am PDT by
Apple will adopt the same rear chassis manufacturing process for the iPhone SE 4 that it is using for the upcoming standard iPhone 16, claims a new rumor coming out of China. According to the Weibo-based leaker "Fixed Focus Digital," the backplate manufacturing process for the iPhone SE 4 is "exactly the same" as the standard model in Apple's upcoming iPhone 16 lineup, which is expected to...
iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
iphone 14 lineup

Cellebrite Unable to Unlock iPhones on iOS 17.4 or Later, Leak Reveals

Thursday July 18, 2024 4:18 am PDT by
Israel-based mobile forensics company Cellebrite is unable to unlock iPhones running iOS 17.4 or later, according to leaked documents verified by 404 Media. The documents provide a rare glimpse into the capabilities of the company's mobile forensics tools and highlight the ongoing security improvements in Apple's latest devices. The leaked "Cellebrite iOS Support Matrix" obtained by 404 Media...
tinypod apple watch

TinyPod Turns Your Apple Watch Into an iPod

Wednesday July 17, 2024 3:18 pm PDT by
If you have an old Apple Watch and you're not sure what to do with it, a new product called TinyPod might be the answer. Priced at $79, the TinyPod is a silicone case with a built-in scroll wheel that houses the Apple Watch chassis. When an Apple Watch is placed inside the TinyPod, the click wheel on the case is able to be used to scroll through the Apple Watch interface. The feature works...
bsod

Crowdstrike Says Global IT Outage Impacting Windows PCs, But Mac and Linux Hosts Not Affected

Friday July 19, 2024 3:12 am PDT by
A widespread system failure is currently affecting numerous Windows devices globally, causing critical boot failures across various industries, including banks, rail networks, airlines, retailers, broadcasters, healthcare, and many more sectors. The issue, manifesting as a Blue Screen of Death (BSOD), is preventing computers from starting up properly and forcing them into continuous recovery...
New MacBook Pros Launching Tomorrow With These 4 New Features 2

M5 MacBook Models to Use New Compact Camera Module in 2025

Wednesday July 17, 2024 2:58 am PDT by
Apple in 2025 will take on a new compact camera module (CCM) supplier for future MacBook models powered by its next-generation M5 chip, according to Apple analyst Ming-Chi Kuo. Writing in his latest investor note on unny-opticals-2025-business-momentum-to-benefit-509819818c2a">Medium, Kuo said Apple will turn to Sunny Optical for the CCM in its M5 MacBooks. The Chinese optical lens company...

Top Rated Comments

Bug-Creator Avatar
50 months ago

Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure.
How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.
Score: 107 Votes (Like | Disagree)
Kung gu Avatar
50 months ago

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
umm, have you seen or heard about intel exploits...
Score: 75 Votes (Like | Disagree)
twistedpixel8 Avatar
50 months ago

How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.
Well yes but on a chip whose sole purpose is security...? That’s not great is it.
Score: 36 Votes (Like | Disagree)
jclardy Avatar
50 months ago

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
I guess you already forgot about Meltdown and Spectre? Intel has been shipping vulnerable chips for years.
Score: 34 Votes (Like | Disagree)
Kung gu Avatar
50 months ago

Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure.
did u miss the part where I said this is fixed in the A12 and intel chips have even worse security issues..
Score: 28 Votes (Like | Disagree)
farewelwilliams Avatar
50 months ago

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

Patently false. Such a stupid comment. Apple sold over a billion iPhones (their core business) and you're saying they're not taking necessary steps to keep their chips secure? Sorry, but that's one of the most ridiculous things I've ever heard on this forum.
Score: 25 Votes (Like | Disagree)