Two iPhone jailbreaks can be used to hack the T2 security chip on newer Macs
Security researchers say the exploit is 'unpatchable'
By Cal Jeffrey
Not good: Security researchers have figured out a way to compromise Apple's T2 security chip. The hack involves combining two iPhone exploits and allows attackers to gain "full root access" to the Mac, modify core macOS processes, access data (even if it's encrypted), and inject malware. The flaw cannot be patched without a hardware redesign.
The T2 is the successor to Apple's T1 security chip, which served as a gatekeeper to certain functions. The T2 chip, introduced in 2018, added more functionality and was supposed to be an even more robust security solution.
The two exploits used to perform the attack, known as Checkm8 and Blackbird, are hacks used to jailbreak iPhones. Checkm8 was discovered last year and is believed to be a permanent exploit that cannot be patched. The hacks work on 2018 and later Macs because the T2 chip is based on the iPhone's A10 SoC, and the two share some of the same hardware and software features.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). https://t.co/dQJtXb78sG
--- axi0mX (@axi0mX) September 27, 2019
Security firm ironPeak notes the problem stems from Apple leaving a debugging interface open on the T2 security chip.
"Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication," ironPeak explained. "Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability, we can completely circumvent that check in the SEP [Secure Enclave Processor] and do whatever we please."
The debugging interface does have a switch that keeps it from being used. Still, this protection can be overridden using an easily accessible debugging cable purchased from the internet combined with the Checkm8 exploit.
checkm8 + blackbird and the T2 SEP is all yours...
--- Siguza (@s1guza) September 5, 2020
With @checkra1n 0.11.0, you can now jailbreak the T2 chip in your Mac. An incredible amount of work went into this and it required changes at multiple levels.
There's too many people to tag, but shoutout to everyone who worked on getting this incredible feature shipped.
--- Jamie Bishop (@jamiebishop123) September 22, 2020
Once an attacker has compromised the T2, they gain root access and full kernel execution privileges. At this point, they still cannot directly read files protected by FileVault2 encryption, but they can install a keylogger in the T2 firmware that stores the user's credentials for later retrieval or transmission. ironPeak says that Apple cannot patch the T2 exploit because it is rooted at the hardware level; a redesign of the T2 chip is necessary to fix it.
While the exploit is a fairly serious one, it is not easy to pull off, and the attacker must have physical access to the machine. For the average user, the exploit poses a minimal threat. However, ironPeak warns that it is a grave threat for those who may have to surrender their Mac for inspection at security checkpoints when traveling and that enterprise employees could prove to be prime targets.
"While this may not sound as frightening, be aware that this is a perfectly possible attack scenario for state actors. I have sources that say more news is on the way in the upcoming weeks. I quote: be afraid, be very afraid."
ironPeak publicly disclosed the exploit after several attempts to notify Apple of the vulnerability went unanswered. The firm believes that Apple just wants to quietly update the T2 chip in future Macs and not raise a fuss about a weakness [Checkm8] in the chip that has been known since 2019. It felt that public awareness was prudent in this case.