Apple's T2 Security Chip Vulnerable to Attack Via USB-C

by

After it was reported last week that Apple's T2 Security Chip could be vulnerable to jailbreaking, the team behind the exploit have released an extensive report and demonstration.

t2checkm8 1

Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. It appears that since the chip is based on an Apple A10 processor, it is vulnerable to the same "checkm8" exploit that has been used to jailbreak iOS devices.

The vulnerability allows for the hijacking of the T2's boot process to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption. It can also bypass the remote Activation Lock used by services such as MDM and Find My. A firmware password does not prevent this since it too requires keyboard access, which requires the T2 chip to run first.

The exploit can be achieved without user interaction and simply requires a modified USB-C cable to be inserted. By creating a specialized device "about the size of a power charger," an attacker can place a T2 chip into DFU mode, run the "checkra1n" exploit, upload a key logger, and capture all keys. macOS can be left unaltered by the jailbreak, but all keys can still be logged on Mac laptops. This is because MacBook keyboards are directly connected to the T2 and passed through to macOS.

A practical demonstration shows checkra1n being run over USB-C from a host device. The targeted Mac simply displays a black screen while the connected computer confirms that the exploit was successful.

These cables function by allowing access to special debug pins within a USB-C port for the CPU and other chips that are usually only used by Apple.

Apple has not fixed the security flaw and it appears to be unpatchable. For security purposes, the T2's SepOS custom operating system is stored directly in the chip's SEPROM, but this also prevents the exploit from being patched by Apple via a software update.

In the meantime, users can protect themselves from the exploit by keeping their Macs physically secure and avoiding the insertion of untrusted USB-C cables and devices.

Tags: Exploit, Cybersecurity, T2 chip

Top Rated Comments

ElRojito Avatar
ElRojito
26 months ago

So much for a chip that's supposed to be all about security.
We all know the first priority was thwarting third party repair attempts. Working at the Genius Bar, the T2 chip was the biggest pain in my ass.
Score: 35 Votes (Like | Disagree)
otternonsense Avatar
otternonsense
26 months ago
So much for a chip that's supposed to be all about security.
Score: 27 Votes (Like | Disagree)
ruka.snow Avatar
ruka.snow
26 months ago

And what are we gonna do until then? If this is an unfixable, unpatchable possible exploit, isn't it grounds for a mass product recall?
How do you pull mass product recall out of an exploit that needs direct access to the hardware? There will always be exploits in hardware and software. Next up you'll be calling for a class action nonsense.
Score: 13 Votes (Like | Disagree)
djcerla Avatar
djcerla
26 months ago
There’s no such thing as a “secure” chip.

With enough time and effort, everything is hackable.
Score: 10 Votes (Like | Disagree)
Elijen Avatar
Elijen
26 months ago

There’s no such thing as a “secure” chip.

With enough time and effort, everything is hackable.
In cryptography secure system does not mean unhackable. It means the time needed to hack it is reasonably high (e.g. millions of years).
Score: 9 Votes (Like | Disagree)
otternonsense Avatar
otternonsense
26 months ago

Apple Silicon Macs will not need T2 (or T3) chips because it will be presumably built in to the apple chips.
And what are we gonna do until then? If this is an unfixable, unpatchable possible exploit, isn't it grounds for a mass product recall?
Score: 8 Votes (Like | Disagree)
Read All Comments

Related Stories

hyper 7 in 2 hub macbook pro

HYPER's 'DUO PRO' 7-in-2 USB-C Hub Debuts for New MacBook Pro Models

Monday December 6, 2021 8:00 am PST by
HYPER today announced the HyperDrive "DUO PRO," a 7-in-2 USB-C hub designed specifically for Apple's latest high-end MacBook Pro models, launching on Indiegogo with the first shipments set to go out in January. The HyperDrive DUO PRO features a Thunderbolt 4/USB 4 port capable of data transfer at 40Gbps, 100W PD, and 6K 60Hz video, an HDMI port with support for 4K 60Hz displays, a 5Gbps...
Read Full Article61 comments
powerdir exploit microsoft

Microsoft Discovered New 'Powerdir' macOS Vulnerability, Fixed in 12.1 Update

Monday January 10, 2022 9:17 am PST by
Microsoft's 365 Defender Research Team this morning published details on a new "Powerdir" macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data. Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the...
Read Full Article66 comments
download 5

Nomad Launches 30W USB-C Charger and Sport Cables With iPhone Fast Charging Support

Wednesday December 1, 2021 8:26 am PST by
Nomad today announced a pair of new products, including a new USB-C PD wall charger and new Sport Cables. These accessories are both available to order and ship out today on Nomad's website. The 30W USB-C GaN AC Adapter is a small, minimalist wall charger with a 30W power output that supports iPhone fast charging. This accessory costs $29.95 and does not come with a USB-C cable. In terms of...
Read Full Article27 comments
satechi pro hub max

Deals: Satechi Offering 25% Off Sitewide for Pi Day

Monday March 14, 2022 9:12 am PDT by
Satechi is celebrating Pi Day with a new coupon code that takes 25 percent off sitewide for today only. In order to get the discount, you can shop for accessories on Satechi's website and then enter the code PiDAY at checkout. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the...
Read Full Article12 comments
maxresdefault

iPhone X Modded With USB-C Port Listed on eBay With Bids Topping $99,000

Thursday November 4, 2021 6:21 am PDT by
Earlier this week, robotics student Ken Pillonel shared a video explaining how he modded an iPhone X with a functional USB-C port in place of the usual Lightning connector. The USB-C port works for both charging the iPhone and data transfer. Pillonel also put the device up for auction on eBay, and bids are already topping a whopping $99,000. The listing describes the device as "the world's...
Read Full Article196 comments
mac studio and studio display

Apple Announces Powerful 'Mac Studio' With M1 Ultra Chip and Companion 'Studio Display'

Tuesday March 8, 2022 10:41 am PST by
Apple today at its "Peek Performance" event announced a new Mac Studio desktop computer with a companion Studio Display monitor. With a 3.7-inch tall enclosure, the Mac Studio looks like a larger Mac mini, but it is far more powerful. The computer can be configured with the same M1 Max chip as found in the 14-inch and 16-inch MacBook Pro or the just-announced M1 Ultra chip, which features a...
Read Full Article181 comments
anker quickie

Deals: Get Up to 40% Off Anker's USB-C Cables, MagSafe-Compatible Chargers, and More

Thursday January 20, 2022 7:41 am PST by
Amazon's Gold Box deal of the day today is focusing on a collection of Anker chargers and cables, with prices starting at $16.99 for a 2-pack of Anker Powerline USB-C to USB-C cables. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. There are eight total...
Read Full Article9 comments
iphone with usb c port

iPhone X With USB-C Port Sells For $86,001 on eBay

Friday November 12, 2021 3:13 am PST by
Last week, an iPhone X modified with a USB-C port was listed on eBay as "the world's first USB-C iPhone," and now, a few days after intense bidding, the USB-C iPhone has been sold for $86,001. The iPhone was modified by Ken Pillonel, a robotics student who shared a video explaining how he did it. Since the video was posted on November 1, it's garnered over 600,000 views and has been widely...
Read Full Article173 comments

Popular Stories

iOS 16

Apple Releases iOS 16.0.2 With Bug Fixes for iPhone 14 Pro Camera Vibration, Copy/Paste Issue and More

Thursday September 22, 2022 1:04 pm PDT by
Apple today released iOS 16.0.2, addressing a number of bugs that iPhone 14 owners have been experiencing since the new devices launched. iOS 16.0.2 comes two weeks after the launch of iOS 16, and it follows iOS 16.0.1, an update made available to iPhone 14 owners on launch day. The update is available for all iPhones that are capable of running iOS 16. The iOS 16.0.2 update can be...
Read Full Article286 comments
maxresdefault

Video Review: Four Days With the iPhone 14 Pro Max

Wednesday September 21, 2022 7:49 am PDT by
Apple on Friday released the new iPhone 14 models, and MacRumors videographer Dan picked one up on launch day. He's been using the iPhone 14 Pro Max non-stop since it came out, and over on the MacRumors YouTube channel, has shared his initial thoughts on the day-to-day experience with the latest iPhone. Subscribe to the MacRumors YouTube channel for more videos. Dan's mini review highlights...
Read Full Article137 comments
iPad Pro Big Ol Logo

Five Features Rumored for the New iPad Pro Expected Next Month

Wednesday September 21, 2022 1:36 am PDT by
Rumors suggest Apple will announce new 11-inch and 12.9-inch iPad Pro models as soon as next month. The new iPads will be the first update to the iPad Pro series since April 2021 and will be an overall incremental upgrade that brings new capabilities and functionality to the highest-end iPad. According to reports, Apple is planning an event for October to announce the new iPad Pro models, a...
Read Full Article80 comments
ios 16 lock screen feature

Some iOS 16 Users Complain About Slow Spotlight Search and Battery Drain

Wednesday September 21, 2022 4:25 am PDT by
It's been nine days since Apple released iOS 16 to the public, bringing major changes to the Lock Screen, Messages, Maps, and more. In the days following the release, some users have encountered several issues on their iPhones, ranging from slow system performance to battery drain. In the past few days, iPhone 14 Pro users have shared specific bugs related to Apple's latest high-end iPhones, ...
Read Full Article165 comments
Dynamic Island For Android Users Feature

Android App Copying iPhone 14 Pro's Dynamic Island Released on Play Store

Thursday September 22, 2022 7:57 am PDT by
A copycat version of the iPhone 14 Pro's Dynamic Island has arrived on Android's Google Play Store in the form of an app called "dynamicSpot." The app, still in beta, offers customers several different experiences at the top of their smartphones. In its current form, dynamicSpot offers playback control for songs, timers, battery status, and more features coming soon, according to the app's...
Read Full Article199 comments
facebook meta

Meta Sued Over Tracking iPhone Users Despite Apple's Privacy Features

Thursday September 22, 2022 5:12 am PDT by
Meta is facing a new proposed class action lawsuit that accuses it of tracking and collecting the personal data of iPhone users, despite features and policies made by Apple which are meant to stop that same type of tracking. In August, it was revealed that with the Facebook and Instagram apps, Meta can track all of a user's key taps, keyboard inputs, and more, when using the in-app browser....
Read Full Article161 comments
apple watch ultra reddit 1

Lucky Customer Gets New Apple Watch Ultra Two Days Early

Wednesday September 21, 2022 2:03 pm PDT by
With millions of devices shipping out to customers with every Apple launch, there's occasionally someone who gets lucky and gets a new product ahead of schedule. This time around, Redditor playalisticadillac received an Apple Watch Ultra from AT&T two days before the official debut, sharing some images on the social media site. The images include an unboxing and comparisons to the...
Read Full Article184 comments
new airpods pro ear tips

Apple Explains Why Second-Generation AirPods Pro Ear Tips Are Incompatible With Original AirPods Pro

Thursday September 22, 2022 3:12 pm PDT by
Apple today explained why the new silicone ear tips for the second-generation AirPods Pro are not officially compatible with the original AirPods Pro. In an updated support document, Apple said the original AirPods Pro ear tips have "noticeably denser mesh" than the second-generation ear tips. Apple did not provide any additional details, but the mesh density could result in acoustical...
Read Full Article97 comments