Hackers Uncover Unpatchable Vulnerability in Apple’s T2 Chip

essidsolutions

White hat hackers claim Apple’s homegrown T2 chip that powers Mac hardware has a critical vulnerability that can’t be patched. Reports claim post-2017 Apple devices are at risk of exploitation after hackers claimed a successful jailbreak of the Apple T2 chip.

Security and privacy are the hallmarks of Apple products, but that doesn’t mean they are secure against iOS jailbreaking techniques. One such technique was recently used to find a vulnerability in Apple’s much-touted T2 chip. Apple’s homegrown T2 chip that powers its MacBook Pros and MacBook Airs was supposedly unhackable until it was jailbroken by white hat hackers, who detailed their findings in a blog post.

Apple touted that the T2 chip packs hardware-based security that prevents data theft and data leakage even if the endpoint device is stolen. As reported by ZDNet, white hat Apple hackers found a vulnerability that grants root access to unauthorized users and allows them to enter Device Firmware Update (DFU) mode.

With root access, the attacker has complete control over device accessibility and the operating system (OS), with the exception of user data. It also makes the device susceptible to the installation of external, unauthorized programs such as malware and keylogging applications. All Apple computers built from 2018 onwards, such as Mac minis and MacBook Air models, have this newly found vulnerability.

The vulnerability lies in the read-only memory (boot ROM) of the T2 chip, which means it cannot be patched with a software or firmware upgrade, leaving existing devices with the chip vulnerable to active exploitation. At the same time, because the flaw is hardware-based, attackers need physical access to a device in order to exploit it.

To exploit this vulnerability, hackers chained two existing jailbreaking techniques known as checkm8 and blackbird. ironPeak’s independent cybersecurity consultant Niels Hofmans explains: “Using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.”

“Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.”

Meanwhile, a Twitter user was quick to point out errors in ironPeak’s statement:

1. This isn’t “normally”, but starting with iOS 14.
2. AFAIK the T2 did not get that mitigation.
3. It disables an encryption key if it was booted from DFU mode.

But yes, we can hack the T2 SEP with blackbird.

[8/13]

— Siguza (@s1guza) October 7, 2020

The T2 chip was primarily designed as a co-processor, or Secure Enclave Processor (SEP), to handle the computer’s boot process; system functions like the camera and audio control; on-the-fly encryption and decryption for the solid-state drive; Touch ID authentication, passwords, Keychain and 2FA; hardware-accelerated media playback; and whitelisting of kernel extensions. The silicon is based on the Apple A10, an ARM-based system on a chip (SoC).


Exploiting the vulnerability requires a connection to the target through a USB-C cable; the device can also be reached through remote access programs.

So if a user’s MacBook, bought between 2018 and 2020, has a T2 chip, they probably need to be wary of the following:

  • Broken root trust/access
  • Brute-force attacks on the FileVault 2 volume password
  • Alteration of macOS setup
  • Loading of arbitrary kernel extensions

The hardware nature of the vulnerability means the threat can only be mitigated by a hardware overhaul, which is impossible for devices already shipped. Going forward, the only way to prevent future devices from inheriting the flaw is to stop using the T2 chip. As such, Apple will need to design a replacement quickly.

ironPeak attributed the findings to @axi0mX, @h0m3us3r, @Aunali1, @MCMrARM and @su_rickmark, and provided a timeline of the milestones that led to the discovery of this vulnerability in its blog post.

However, Apple hasn’t confirmed the vulnerability in its homegrown chip.
