Apple's T2 Security Chip Vulnerable to Attack Via USB-C

After it was reported last week that Apple's T2 Security Chip could be vulnerable to jailbreaking, the team behind the exploit have released an extensive report and demonstration.

t2checkm8 1

Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. It appears that since the chip is based on an Apple A10 processor, it is vulnerable to the same "checkm8" exploit that has been used to jailbreak iOS devices.

The vulnerability allows for the hijacking of the T2's boot process to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption. It can also bypass the remote Activation Lock used by services such as MDM and Find My. A firmware password does not prevent this since it too requires keyboard access, which requires the T2 chip to run first.

The exploit can be achieved without user interaction and simply requires a modified USB-C cable to be inserted. By creating a specialized device "about the size of a power charger," an attacker can place a T2 chip into DFU mode, run the "checkra1n" exploit, upload a key logger, and capture all keys. macOS can be left unaltered by the jailbreak, but all keys can still be logged on Mac laptops. This is because MacBook keyboards are directly connected to the T2 and passed through to macOS.

A practical demonstration shows checkra1n being run over USB-C from a host device. The targeted Mac simply displays a black screen while the connected computer confirms that the exploit was successful.

These cables function by allowing access to special debug pins within a USB-C port for the CPU and other chips that are usually only used by Apple.

Apple has not fixed the security flaw and it appears to be unpatchable. For security purposes, the T2's SepOS custom operating system is stored directly in the chip's SEPROM, but this also prevents the exploit from being patched by Apple via a software update.

In the meantime, users can protect themselves from the exploit by keeping their Macs physically secure and avoiding the insertion of untrusted USB-C cables and devices.

Top Rated Comments

ElRojito Avatar
19 weeks ago

So much for a chip that's supposed to be all about security.
We all know the first priority was thwarting third party repair attempts. Working at the Genius Bar, the T2 chip was the biggest pain in my ass.
Score: 35 Votes (Like | Disagree)
otternonsense Avatar
19 weeks ago
So much for a chip that's supposed to be all about security.
Score: 27 Votes (Like | Disagree)
ruka.snow Avatar
19 weeks ago

And what are we gonna do until then? If this is an unfixable, unpatchable possible exploit, isn't it grounds for a mass product recall?
How do you pull mass product recall out of an exploit that needs direct access to the hardware? There will always be exploits in hardware and software. Next up you'll be calling for a class action nonsense.
Score: 13 Votes (Like | Disagree)
djcerla Avatar
19 weeks ago
There’s no such thing as a “secure” chip.

With enough time and effort, everything is hackable.
Score: 10 Votes (Like | Disagree)
Elijen Avatar
19 weeks ago

There’s no such thing as a “secure” chip.

With enough time and effort, everything is hackable.
In cryptography secure system does not mean unhackable. It means the time needed to hack it is reasonably high (e.g. millions of years).
Score: 9 Votes (Like | Disagree)
otternonsense Avatar
19 weeks ago

Apple Silicon Macs will not need T2 (or T3) chips because it will be presumably built in to the apple chips.
And what are we gonna do until then? If this is an unfixable, unpatchable possible exploit, isn't it grounds for a mass product recall?
Score: 8 Votes (Like | Disagree)

Top Stories

2021 mbp sd slot feature2

Kuo: New MacBook Pro Models With HDMI Port and SD Card Reader to Launch Later This Year

Monday February 22, 2021 8:52 pm PST by
Apple plans to release two new MacBook Pro models equipped with an HDMI port and SD card reader in the second half of 2021, according to analyst Ming-Chi Kuo, who outlined his expectations in a research note obtained by MacRumors. The return of an SD card reader was first reported by Bloomberg's Mark Gurman last month. "We predict that Apple's two new MacBook Pro models in 2H21 will have...
m1 mac mini

M1 Mac Users Report Excessive SSD Wear

Tuesday February 23, 2021 7:07 am PST by
Over the past week, some M1 Mac users have been reporting alarming SSD health readings, suggesting that these devices are writing extraordinary amounts of data to their drives (via iMore). Across Twitter and the MacRumors forums, users are reporting that M1 Macs are experiencing extremely high drive writes over a short space of time. In what appear to be the most severe cases, M1 Macs are sai...
iphone 12 pro display video

BOE Rumored to Supply iPhone 13 Display Panels After iPhone 12 Failures

Monday February 22, 2021 9:54 am PST by
Display manufacturer BOE will be one of the main suppliers of OLED panels for iPhone 13 models, according to a new report today from Taiwan's Economic Daily News. BOE is said to be working with touch panel manufacturer General Interface Solution (GIS), part of the Hon Hai Group to develop OLED panels. Multiple iPhone 12 rumors suggested that BOE would supply some panels for the devices,...
mac security privacy

Apple Takes Step to Prevent Further Spread of 'Silver Sparrow' Malware on Macs

Monday February 22, 2021 6:13 am PST by
Over the weekend, we reported on the second known piece of malware compiled to run natively on M1 Macs. Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, security firm Red Canary did not observe any final payload, so the exact threat to users remains a...
jon prosser imac 2021colors

Prosser: 2021 iMac to Come in Five Colors, Apple Silicon Mac Pro to Resemble 'Stacked' Mac Minis

Wednesday February 24, 2021 7:26 am PST by
Hit-and-miss leaker Jon Prosser has today alleged that the upcoming 2021 iMac models will offer five color options, mirroring the colors of the fourth-generation iPad Air, and revealed a number of additional details about the Mac Pro with Apple Silicon. In a new video on YouTube channel FrontPageTech, Prosser explained that the redesigned iMacs will come featuring options for Silver, Space ...
whatsapp privacy banner

WhatsApp Reveals What Happens to Users Who Don't Agree to Upcoming Privacy Policy Changes

Sunday February 21, 2021 1:11 am PST by
WhatsApp has revealed how it will gradually limit the features available to accounts held by users who do not accept the platform's impending privacy policy changes, due to come into effect on May 15. WhatsApp's new banner explaining the privacy policy changes According to an email seen by TechCrunch to one of its merchant partners, WhatsApp said it will "slowly ask" users who have not yet...
new airpods leaked image 52audios

Alleged Leaked Image Claims to Show Third-Generation AirPods and Case

Sunday February 21, 2021 2:49 am PST by
A new image claims to offer our first real world look at Apple's next-generation AirPods. The image, shared by 52audio, showcases both AirPods and the charging case for what the site claims to be the third iteration of the wireless earbuds. 52audio has in the past shared images claiming to showcase different parts of the third-generation AirPods. Most notably, the site in November shared...
anker magsafe powercore battery pack

Anker Releases MagSafe-Compatible Battery Pack for iPhone 12 Lineup

Tuesday February 23, 2021 7:49 am PST by
Following rumors that Apple is working on a MagSafe battery pack for iPhone 12 models, popular accessory maker Anker has beaten Apple to the punch with the release of its PowerCore Magnetic 5K Wireless Power Bank. First previewed at CES 2021, the PowerCore battery pack magnetically attaches to the back of any iPhone 12 model and provides 5W of wireless charging. With a 5,000 mAh capacity,...
iPad Pro Mini LED

New iPad Pro and MacBook Models With Mini-LED Displays Again Rumored to Launch This Year

Monday February 22, 2021 9:32 pm PST by
Taiwanese company Ennostar will begin production of Mini-LED backlight units for an upcoming 12.9-inch iPad Pro in the late first quarter or second quarter of this year, according to industry sources cited by DigiTimes. Ennostar is a holding company that was jointly established in January 2021 by LED-related manufacturers Epistar and Lextar Electronics. Apple is expected to unveil the new ...
14

iOS 14.5 to Make Zero-Click Attacks 'Significantly Harder'

Monday February 22, 2021 9:05 am PST by
Apple's impending iOS and iPadOS 14.5 update will make zero-click attacks considerably more difficult by extending PAC security provisions, according to Motherboard. Apple has made a change to the way in which it secures its code in the latest betas of iOS 14.5 and iPadOS 14.5 to make zero-click attacks much harder. The change, spotted by security researchers, has now been confirmed by...