A team of hackers has recently brought jailbreak-style techniques to the Mac by exploiting an unorthodox flaw in the T2 Security Chip.
Macs equipped with the T2 co-processor are susceptible to hacks that piggyback on a newsmaking vulnerability dubbed Checkm8. This security loophole has been around for quite some time, enabling gray hats to get around the protections in a series of iPhone models. However, the recent discovery of a method to exploit the Apple T2 Security Chip significantly inflates the adverse security implications of this flaw.
The tool was masterminded by a hacker crew called Checkra1n. Its relatively benign uses boil down to testing the security architecture of the chip for weaknesses, which can pave the way for important improvements. On the other hand, it allows a potential adversary to turn off crucial macOS security mechanisms, including Secure Boot and System Integrity Protection. This is a shortcut to depositing malware onto vulnerable Macs.
This exploitation chain could be enhanced with another exploit pinpointed by the Chinese hacker group Pangu Team in July 2020. This method allows for retrieving FileVault private keys that can be used to decrypt a user’s sensitive data stored by the Mac’s Secure Enclave component. Neither the checkm8 vulnerability in T2 chips nor the above-mentioned loophole can be fixed at the software level, which means that numerous Mac machines are permanently exposed to this form of abuse.
The risks appear yet more unsettling once you take a deeper dive into the essence of the T2 co-processor. It is tasked with safeguarding valuable functionalities such as Touch ID, Activation Lock, and the whole range of Find My features provided by Apple. By tampering with the boot process of the Secure Enclave Processor Operating System (SepOS) used by the T2 chip, an attacker can gain root access to the hardware. This series of manipulations also gives the malefactor kernel execution permissions.
Limitations of the hack
Despite the hysteria around the situation seen on some Internet resources, it’s not all doom and gloom. The silver lining in this hacking saga is that the Checkm8 vulnerability cannot be weaponized unless a perpetrator has physical access to the Mac. Furthermore, the jailbreak tool can only be run from another computer via a USB connection. These restrictions mean that no one can remotely compromise numerous machines with T2 chips onboard.
Also, the jailbreak doesn’t survive a chip reboot. The caveat is that the T2 isn’t rebooted each time the Mac is, and therefore the most effective way to ascertain that the computer is in the clear is to restore the co-processor to its original settings. One more good news is that the compromise itself doesn’t expose the victim’s valuable information. However, it does enable an attacker to bypass defenses and quietly install a piece of malware, such as a keylogger, that will amass sensitive data and try to obtain the private keys.
Older Macs that shipped with T1 chips aren’t exploitable this way. In light of the attack vector, the owners of newer, vulnerable models should exert caution by preventing unauthorized physical access to their devices. Plus, they should refrain from plugging in questionably secure devices via USB-C cables.