Apple's T2 Security Chip Vulnerable to Attack Via USB-C

After it was reported last week that Apple's T2 Security Chip could be vulnerable to jailbreaking, the team behind the exploit have released an extensive report and demonstration.

t2checkm8 1

Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. It appears that since the chip is based on an Apple A10 processor, it is vulnerable to the same "checkm8" exploit that has been used to jailbreak iOS devices.

The vulnerability allows for the hijacking of the T2's boot process to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption. It can also bypass the remote Activation Lock used by services such as MDM and Find My. A firmware password does not prevent this since it too requires keyboard access, which requires the T2 chip to run first.

The exploit can be achieved without user interaction and simply requires a modified USB-C cable to be inserted. By creating a specialized device "about the size of a power charger," an attacker can place a T2 chip into DFU mode, run the "checkra1n" exploit, upload a key logger, and capture all keys. macOS can be left unaltered by the jailbreak, but all keys can still be logged on Mac laptops. This is because MacBook keyboards are directly connected to the T2 and passed through to macOS.

A practical demonstration shows checkra1n being run over USB-C from a host device. The targeted Mac simply displays a black screen while the connected computer confirms that the exploit was successful.

These cables function by allowing access to special debug pins within a USB-C port for the CPU and other chips that are usually only used by Apple.

Apple has not fixed the security flaw and it appears to be unpatchable. For security purposes, the T2's SepOS custom operating system is stored directly in the chip's SEPROM, but this also prevents the exploit from being patched by Apple via a software update.

In the meantime, users can protect themselves from the exploit by keeping their Macs physically secure and avoiding the insertion of untrusted USB-C cables and devices.

Popular Stories

iPhone 17 Air Pastel Feature

iPhone 17 Air Battery Capacity and Weight Allegedly Revealed

Monday May 19, 2025 2:22 am PDT by
Apple is expected to launch an all-new ultra-thin iPhone 17 Air later this year, and while there have been plenty of rumors about the camera's overall design and thinness, we haven't heard any details about the device's weight and battery capacity until now. According to the leaker going by the account name "yeux1122" on the Korean-langauge Naver blog, the 6.6-inch iPhone 17 Air has a weight ...
Apple CarPlay Ultra instrument cluster themes 01

Apple's CarPlay Ultra Is Here – Does Your iPhone Support It?

Thursday May 15, 2025 5:17 am PDT by
Apple's recently announced CarPlay Ultra promises a deeply integrated in-car experience, but not all iPhone users will be able to take advantage of the new feature. According to Apple's press release, CarPlay Ultra requires an iPhone 12 or later running iOS 18.5 or later. This means if you're using an iPhone 11, iPhone XR, or any older model, you'll need to upgrade your device to access...
Apple CarPlay Ultra instrument cluster themes 01

Apple's 'CarPlay Ultra' Experience Now Available

Thursday May 15, 2025 5:07 am PDT by
Apple today announced that its next-generation CarPlay experience, now dubbed "CarPlay Ultra" begins rolling out today, starting with Aston Martin vehicles. Subscribe to the MacRumors YouTube channel for more videos. CarPlay Ultra is now available with new Aston Martin vehicle orders in the U.S. and Canada. It will also be available for existing models that feature the brand's next-generation ...
Apple Glass

Apple Smart Glasses: Everything We Know So Far

Wednesday May 21, 2025 8:21 am PDT by
Google made waves yesterday by showcasing a set of lightweight smart glasses featuring deep Gemini integration and an optional in-lens display. The demo has reignited interest in Apple's own smart glasses project, which has been the subject of rumors for nearly a decade. Here's a recap of where things stand. Current Development Status Apple is actively working on new chips specifically...
WWDC 2025 Banner

Apple Announces WWDC 2025 Schedule, Including Keynote Time

Tuesday May 20, 2025 8:13 am PDT by
Apple today announced a more detailed schedule for its annual developers conference WWDC, which runs from June 9 through June 13. The schedule confirms that Apple's keynote will begin on Monday, June 9 at 10 a.m. Pacific Time, with a live stream to be available on Apple.com, in the Apple TV app, and on YouTube. During the keynote, Apple is expected to announce iOS 19, iPadOS 19, macOS 16,...
macOS 16 visionOS Inspired Feature 1

macOS 16: Everything We Know So Far

Tuesday May 20, 2025 7:31 am PDT by
The Worldwide Developers Conference (WWDC), Apple's annual developer and software-oriented event, is less than three weeks away. We haven't heard a great deal about macOS 16 ahead of its announcement this year, so we could be in for some major surprises when June 9 rolls around. Here's what we know so far about the next major update to Apple's Mac operating system. macOS 16 Name? Every year ...
Apple Intelligence General Feature

Report: Apple's Next-Gen Version of Siri Is 'On Par' With ChatGPT

Monday May 19, 2025 9:00 am PDT by
Apple has big plans to improve Siri over the next few years, Bloomberg's Mark Gurman and Drake Bennett report. Some Apple executives are now reportedly pushing to turn Siri into a true ChatGPT competitor. A next-generation, chatbot version of Siri has reportedly made significant progress during testing over the past six months; some executives allegedly now see it as "on par" with recent...

Top Rated Comments

ElRojito Avatar
60 months ago

So much for a chip that's supposed to be all about security.
We all know the first priority was thwarting third party repair attempts. Working at the Genius Bar, the T2 chip was the biggest pain in my ass.
Score: 35 Votes (Like | Disagree)
otternonsense Avatar
60 months ago
So much for a chip that's supposed to be all about security.
Score: 27 Votes (Like | Disagree)
ruka.snow Avatar
60 months ago

And what are we gonna do until then? If this is an unfixable, unpatchable possible exploit, isn't it grounds for a mass product recall?
How do you pull mass product recall out of an exploit that needs direct access to the hardware? There will always be exploits in hardware and software. Next up you'll be calling for a class action nonsense.
Score: 13 Votes (Like | Disagree)
djcerla Avatar
60 months ago
There’s no such thing as a “secure” chip.

With enough time and effort, everything is hackable.
Score: 10 Votes (Like | Disagree)
Elijen Avatar
60 months ago

There’s no such thing as a “secure” chip.

With enough time and effort, everything is hackable.
In cryptography secure system does not mean unhackable. It means the time needed to hack it is reasonably high (e.g. millions of years).
Score: 9 Votes (Like | Disagree)
otternonsense Avatar
60 months ago

Apple Silicon Macs will not need T2 (or T3) chips because it will be presumably built in to the apple chips.
And what are we gonna do until then? If this is an unfixable, unpatchable possible exploit, isn't it grounds for a mass product recall?
Score: 8 Votes (Like | Disagree)