Two iPhone jailbreaks can be used to hack the T2 security chip on newer Macs

Cal Jeffrey

Posts: 2,910   +762
Staff member
Not good: Security researchers have figured out a way to compromise Apple's T2 security chip. The hack involves combining two iPhone exploits and allows attackers to gain "full root access" to the Mac, modify core macOS processes, access data (even if it's encrypted), and inject malware. The flaw cannot be patched without a hardware redesign.

The T2 is the successor to Apple's T1 security chip, which served as a gatekeeper to certain functions. The T2 chip, introduced in 2018, added more functionality and was supposed to be an even more robust security solution.

The two exploits used to perform the attack, known as Checkm8 and Blackbird, are hacks used to jailbreak iPhones. Checkm8 was discovered last year and is believed to be a permanent exploit that cannot be patched.The hacks work on 2018 and later Macs because the T2 chip is based on the iPhone's A10 SoC, and the two share some of the same hardware and software features.

Security firm ironPeak notes the problem stems from Apple leaving a debugging interface open on the T2 security chip.

"Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication," ironPeak explained. "Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability, we can completely circumvent that check in the SEP [Secure Enclave Processor] and do whatever we please."

The debugging interface does have a switch that keeps it from being used. Still, this protection can be overridden using an easily accessible debugging cable purchased from the internet combined with the Checkm8 exploit.

Once an attacker has compromised the T2, they gain root access and full kernel execution privileges. At this point, they will not be allowed access to files using FileVault2 encryption, but they can install a keylogger in the T2 firmware, which can store the user's credentials for retrieval or transmission later. IronPeak says that Apple cannot patch the T2 exploit because it is rooted at the hardware level. A redesign of the T2 chip is necessary to fix it.

While the exploit is a fairly serious one, it is not easy to pull off, and the attacker must have physical access to the machine. For the average user, the exploit poses a minimal threat. However, ironPeak warns that it is a grave threat for those who may have to surrender their Mac for inspection at security checkpoints when traveling and that enterprise employees could prove to be prime targets.

"While this may not sound as frightening, be aware that this is a perfectly possible attack scenario for state actors. I have sources that say more news is on the way in the upcoming weeks. I quote: be afraid, be very afraid."

IronPeak publicly disclosed the exploit after being ignored by Apple after several attempts to notify it of the vulnerability. The firm believes that Apple just wants to quietly update the T2 chip in future Macs and not raise a fuss about a weakness [Checkm8] in the chip that has been known since 2019. It felt that public awareness was prudent in this case.

Permalink to story.



Posts: 153   +185
They totally lost me at "be afraid, be very afraid". Come on now...this is not a cheap B action flick. After highlighting "it is not easy to pull off, and the attacker must have physical access to the machine", this just doesn't sound professional (to put it mildly).

Don't get me wrong: I think it IS a serious vulnerability, and potential user absolutely must be aware of it (so they can decide if in their case, it is a realistic threat or not). I just hate the cheap narrative around it.

Squid Surprise

Posts: 3,914   +2,986
The hardware exploit is old news... we've known about it for over a year now - and Apple knew about it before then - as it only worked on A11 and under (it went public after the A12). The only "news" is that it has been leveraged to hack the T2.

As for the T2 chip - that has nothing to do with ARM or x86.... that's a discrete add-on chip... but I'm sure a T3 will arrive to replace it soon enough - which someone will eventually hack as well.

This is irrelevant to the "normal" user - unless you fear someone will come and sieze your Mac.

The "fear" is for those who are in danger of these seizures. As many have heard, the scene suffered from some major raids - the warning was for members - if they had any "sensitive" data on their Macs, they are now vulnerable.


Posts: 1,462   +732
"Security researchers say the exploit is 'unpatchable"
Cant express how much I appreciate this inability of patching it <3