Last month it was reported that the security chip found in Apple’s recent computers, the T2 chip, could be susceptible to being jailbroken. A demonstration and an extensive report has been released by the team behind the exploit.
Several controller features are handled by Apple’s custom silicon T2 co-processor, including secure boot capabilities and encrypted storage for Apple’s newer Macs. The chip itself is based on the Apple’s A10 processor that was launched in their mobile devices several years ago. The A10 processors in these mobile devices were vulnerable to a jailbreak exploit called ‘checkm8’, and it appears that the T2 chip is vulnerable to the same exploit.
The T2’s boot process is hijacked when the exploit is used, enabling an attacker to gain access to the hardware. If the chip is in Device Firmware Update (DFU) mode and decryption call is detected, usually the T2 chip exits with a fatal error. However, team Pengu has developed additional vulnerability that enables a hacker to bypass this check and obtain access to the T2 chip.
Full root access and kernel execution privileges are given to the hacker once access is gained, but files that are stored using FileVault 2 encryption cannot be directly decrypted using this method. However, one of the things that is also manged by the T2 chip, is keyboard access. The attacker is able to inject a keylogger into the system, steal the password that’s used for decryption and decrypt files using this stolen password. To go even further, the hacker is then also able to circumvent the remote Activation Lock that services such as Find My (Apple’s device locator platform) and MDM (Mobile Device Management) use.
This exploit can be deployed quickly and without any user interaction via a modified USB Type-C cable being inserted to the machine. The modified cables enable access to particular debug pins within the USB Type-C ports on the computers that are normally reserved for use only by apple.
The security flaw seems to be unpatchable due to the T2’s custom operating system being stored directly on the chip (for security reasons), meaning that Apple is unable to patch the exploit via a software update.
It’s always best practice to keep your devices physically secure as well as digitally, this recent flaw should be a reminder of the importance of this, as well as the potential consequences of plugging any unknown cables or devices into your computer.