Oh boy

Apple's T2 chip has unpatchable security flaw, says researcher

On the plus side, the vulnerability requires physical access to your Mac.
Stephen Warwick
6 Oct 2020


What you need to know

  • Apple's T2 chip has a major security flaw.
  • That's according to the findings of one security researcher.
  • Apparently, the chip can be compromised using the same checkm8 exploit used to jailbreak devices running iOS.

According to a security researcher, Apple's T2 chip has a critical vulnerability that could allow an attacker with physical access to bypass a Mac's disk encryption, firmware passwords, and more.

According to Niels Hofmans at ironPeak:

The mini operating system on the T2 (SepOS) suffers from a security vulnerability also found in the iPhone X since it contains a processor based on the iOS A10 processor. Exploitation of this type of processor is very actively discussed in the /r/jailbreak subreddit.

So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.

Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.

Hofmans says the vulnerability is unpatchable but is not a "persistent vulnerability": the exploit does not survive a reboot on its own. This, Hofmans states, means that an attacker wanting lasting access would need a hardware insert or "other attached component", such as a malicious USB-C cable, to take advantage of it.

The report continues:

Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately. They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment.

The report also says that the remote device locking feature of Find My can be bypassed if your Mac is misplaced or stolen.

According to the blog, the vulnerability has been disclosed to Apple "on numerous occasions" without a response. The report speculates that Apple doesn't plan on going public with a statement and is instead quietly developing a new, patched T2 chip for its upcoming Macs.

A T2 vulnerability has previously been alluded to by various iOS hackers, as noted by ZDNet:

With @checkra1n 0.11.0, you can now jailbreak the T2 chip in your Mac. An incredible amount of work went into this and it required changes at multiple levels.

There’s too many people to tag, but shoutout to everyone who worked on getting this incredible feature shipped.

— Jamie Bishop (@jamiebishop123) September 22, 2020

checkm8 + blackbird and the T2 SEP is all yours...

— Siguza (@s1guza) September 5, 2020

The report says that the long and short of the exploit is that "macOS devices are no longer safe to use if left alone, even if you have them powered down." The exploit can be used to brute-force a FileVault2 volume password, alter your macOS installation, and load arbitrary kernel extensions. The report again stresses, however, that this is only possible through physical access.

In response to the post, security researcher Will Strafach offered a more measured take on the issue, stating on Twitter:

T2 is and has been vulnerable to checkm8, released in late 2019.

what is proven: with physical access to such a computer and time to reboot into DFU to apply checkm8, one can boot arbitrary code on the T2.

what is not proven: any sort of useful persistence. property lists on the Data partition could be modified, which is not great, but there is no evidence yet that one can persist unauthorized code through a full and proper reboot.

there is a pretty big issue with the T2, but it seems important to gather precise facts about what is or is not a risk prior to putting info out there.

Strafach echoed ironPeak's sentiment regarding Apple's failure to respond to the issue, stating:

Apple should have really said something by now. I think it is causing more confusion by not directly addressing the matter.

You can read the full report here.
