Apple's T2 chip has an unfixable vulnerability that could allow root access
Apple macOS devices with Intel processors and a T2 chip are vulnerable to an unfixable exploit that could give attackers root access, a cybersecurity researcher claims.
The T2 chip, present in most modern macOS devices, is an Apple silicon co-processor that handles boot and security operations, along with disparate features such as audio processing. Niels H., an independent security consultant, indicates that the T2 chip has a serious flaw that can't be patched.
According to Niels H., since the T2 chip is based on an Apple A10 processor, it's vulnerable to the same checkm8 exploit that affects iOS-based devices. That could allow attackers to circumvent activation lock and carry out other malicious attacks.
Information about the vulnerability was provided to Niels H. by security researcher Rick Mark and the checkra1n team, which first discovered the flaw. According to Mark, the checkm8 flaw exists in USB handling in DFU mode.
Normally, the T2 chip's Secure Enclave Processor (SEP) will exit with a fatal error if it detects a decryption call when in DFU mode. That's a security mechanism baked into both Mac and iOS devices through the SEP. However, the exploit can be paired with the Blackbird SEP vulnerability, developed by Pangu, to that security mechanism.
Once an attacker gains access to the T2 chip, they will have full root access and kernel execution privileges. Although they can't decrypt files protected by FileVault 2 encryption, they can inject a keylogger and steal passwords since the T2 chip manages keyboard access.
The vulnerability could also allow for manual bypassing of security locks through MDM or Find My, as well as the built-in Activation Lock security mechanism. A firmware password also doesn't mitigate the issue, since it requires keyboard access.
Apple also can't patch the vulnerability without a hardware revision, since the T2's underlying operating system (bridgeOS) uses read-only memory for security reasons. On the other hand, that also means the vulnerability isn't persistent — it'll require a hardware component, such as a malicious and specially-crafted USB-C cable.
Mark points out that rebooting a device cleans the boot chain, but certain T2 filesystem modifications could be persistent.
Niels H. said he reached out to Apple to disclose the exploits, but has heard no response. To raise awareness about the issue, he disclosed the vulnerability on his IronPeak.be blog.
Who is at risk, and how to protect yourself
According to Niels H., the vulnerability affects all Mac products with a T2 chip and an Intel processor. Since Apple silicon-based devices use a different boot system, it isn't clear whether they are also impacted.
Because of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.
As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.