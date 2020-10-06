According to a security researcher, Apple's T2 chip has a critical vulnerability that could allow a hacker to bypass a Mac's disk encryption, firmware passwords, and more.

According to Niels Hofmans at ironPeak:

The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone X since it contains a processor based on the iOS A10 processor. Exploitation of this type of processor is very actively discussed in the /r/jailbreak subreddit. So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market. Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.

Hofmans says the vulnerability is unpatchable, however is not a "persistent vulnerability". This means that for a hacker to take advantage of this, they would need a hardware insert or "other attached component" like a malicious USB-C cable to take advantage.

The impact of the vulnerability seems pretty damning. From the report:

Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately. They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment.

The report says that FindMy's remote device locking feature can be bypassed if you were to misplace your Mac or have it stolen.

According to the blog, this vulnerability has been disclosed to Apple "on numerous occasions" without a response. The report postulates that Apple doesn't plan on going public with a statement and is quietly developing a new patched T2 chip for its upcoming Macs.

The report says that the long and short of the exploit is that "macOS devices are no longer safe to use if left alone, even if you have them powered down." The exploit can be used to brute-force a FileVault2 volume password, alter your macOS installation, and load arbitrary kernel extensions. The report again stresses, however, that this is only possible through physical access.

You can read the full report here.