Apple's T2 chip has an unfixable vulnerability that could allow root access

Posted:
in General Discussion edited October 2020
Apple macOS devices with Intel processors and a T2 chip are vulnerable to an unfixable exploit that could give attackers root access, a cybersecurity researcher claims.

Credit: Malcolm Owen, AppleInsider
Credit: Malcolm Owen, AppleInsider


The T2 chip, present in most modern macOS devices, is an Apple silicon co-processor that handles boot and security operations, along with disparate features such as audio processing. Niels H., an independent security consultant, indicates that the T2 chip has a serious flaw that can't be patched.

According to Niels H., since the T2 chip is based on an Apple A10 processor, it's vulnerable to the same checkm8 exploit that affects iOS-based devices. That could allow attackers to circumvent activation lock and carry out other malicious attacks.

Information about the vulnerability was provided to Niels H. by security researcher Rick Mark and the checkra1n team, which first discovered the flaw. According to Mark, the checkm8 flaw exists in USB handling in DFU mode.

Normally, the T2 chip's Secure Enclave Processor (SEP) will exit with a fatal error if it detects a decryption call when in DFU mode. That's a security mechanism baked into both Mac and iOS devices through the SEP. However, the exploit can be paired with the Blackbird SEP vulnerability, developed by Pangu, to that security mechanism.

Once an attacker gains access to the T2 chip, they will have full root access and kernel execution privileges. Although they can't decrypt files protected by FileVault 2 encryption, they can inject a keylogger and steal passwords since the T2 chip manages keyboard access.

The vulnerability could also allow for manual bypassing of security locks through MDM or Find My, as well as the built-in Activation Lock security mechanism. A firmware password also doesn't mitigate the issue, since it requires keyboard access.

Apple also can't patch the vulnerability without a hardware revision, since the T2's underlying operating system (bridgeOS) uses read-only memory for security reasons. On the other hand, that also means the vulnerability isn't persistent -- it'll require a hardware component, such as a malicious and specially-crafted USB-C cable.

Mark points out that rebooting a device cleans the boot chain, but certain T2 filesystem modifications could be persistent.

Niels H. said he reached out to Apple to disclose the exploits, but has heard no response. To raise awareness about the issue, he disclosed the vulnerability on his IronPeak.be blog.

Who is at risk, and how to protect yourself

According to Niels H., the vulnerability affects all Mac products with a T2 chip and an Intel processor. Since Apple silicon-based devices use a different boot system, it isn't clear whether they are also impacted.

Because of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.
«13

Comments

  • Reply 1 of 58
    Ummmm....ok. So we all have devices that are insecure if left unattended or lost? Is this going to get swept under the rug, or will there be some sort of action by Apple to remedy?????
    pulseimagesDontmentionthewarwilliamlondon
  • Reply 2 of 58
    digitoldigitol Posts: 227member
    That’s right. “Apple security” All the inconvenience, trouble and pain, and still this happens. Definitely not worth it. T2chip has been nothing but a troublesome, miserable disaster. Huge failure. Sad. 
    williamlondonprismaticshammeroftruth
  • Reply 3 of 58
    jccjcc Posts: 287member
    Ummmm....ok. So we all have devices that are insecure if left unattended or lost? Is this going to get swept under the rug, or will there be some sort of action by Apple to remedy?????
    Niels H. said that the vulnerability is hardware related. If you expect Apple to recall all the devices with T2 chip in it you'll be waiting a very long time as it's not going to happen. There's no way they will spend billions to fix this.
    razorpit
  • Reply 4 of 58
    longpathlongpath Posts: 338member
    I’m more interested in whether Apple will take this wake up call, and take steps to prevent such a blunder with the forthcoming Apple Silicon systems.
    PetrolDave80s_Apple_Guywilliamlondonlkrupp
  • Reply 5 of 58
    normangnormang Posts: 114member
    Once again the severity of a security issue is overplayed...  To assume that it cannot be resolved in some other way is short sighted..   Also its always assumed that this "researcher" is right, maybe he's wrong....   Plus how many of you are wandering around with a Mac filled with data that if accessed is worth a flip? Without physical access, its useless.
    ronnrandominternetpersonyojimbo007spock1234pulseimagesmwhitewilliamlondondocno42lolliverwatto_cobra
  • Reply 6 of 58
    JFC_PAJFC_PA Posts: 543member
    “ ecause of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

    As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.”

    So once the bad people HAVE the device they can mess with it.   Yawn. 
    ronnbonobobDAalsethspock1234docno42watto_cobra
  • Reply 7 of 58
    ronnronn Posts: 413member
    Oh-Em-Gee!!! The sky is falling. Keep your eye on your stuff at all times and never trust "USB-C devices with unverified provenance." That should always be the case already.
    bonobobGG1cornchipDAalsethspock1234pulseimageswatto_cobrakillroy
  • Reply 8 of 58
    rob53rob53 Posts: 2,491member
    This happened with Intel and probably others. Nothing is perfect. Apple doesn’t have T2 chips +Intel in every Mac they make. This is something Apple will confirm then figure out what to do. It’s not the end of the world. 
    williamlondonwatto_cobrakillroy
  • Reply 9 of 58
    JFC_PA said:
    “ ecause of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

    As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.”

    So once the bad people HAVE the device they can mess with it.   Yawn. 
    Which means that the devices that used to be undesirable by thieves and robbers now are perfectly legit reasons for pulling weapons on, physically attacking, and in at least some cases also worth killing, people out and about. There's no yawning about that.
    cy_starkmanelijahg
  • Reply 10 of 58
    There is NO perfect hardware/software technology security wise. And what's not clear is how this would be exploited casually. I'd guess not having your device in your possession is problem in many ways. 
    rangerdStrangeDaysPetrolDavekillroy
  • Reply 11 of 58
    svanstrom said:
    JFC_PA said:
    “ ecause of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

    As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.”

    So once the bad people HAVE the device they can mess with it.   Yawn. 
    Which means that the devices that used to be undesirable by thieves and robbers now are perfectly legit reasons for pulling weapons on, physically attacking, and in at least some cases also worth killing, people out and about. There's no yawning about that.
    Your logic is broken. I'm not aware of Apple devices never being stolen because of security? Has there been a headline - Crooks never steal iPhones - that I missed? And how much effort are we talking about? The CIA can probably get into anything given some time.  Again, yes, people steal things. They steal Android phones and iPhones and Macs and Windows Phones (wait...) but this doesn't change that equation one bit. 
    Rayz2016pscooter63StrangeDaysroundaboutnowronnspock1234PetrolDavedocno42watto_cobrakillroy
  • Reply 12 of 58
    digitol said:
    That’s right. “Apple security” All the inconvenience, trouble and pain, and still this happens. Definitely not worth it. T2chip has been nothing but a troublesome, miserable disaster. Huge failure. Sad. 
    Thanks, Mr. President. But seriously.. Can you provide some context / details on why the T2 chip has been all of these terrible things?
    randominternetpersontrustnoone00cy_starkmanxander0985roundaboutnowDogpersonronnpulseimageswilliamlondoncornchip
  • Reply 13 of 58
    svanstrom said:
    JFC_PA said:
    “ ecause of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

    As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.”

    So once the bad people HAVE the device they can mess with it.   Yawn. 
    Which means that the devices that used to be undesirable by thieves and robbers now are perfectly legit reasons for pulling weapons on, physically attacking, and in at least some cases also worth killing, people out and about. There's no yawning about that.
    Somehow I don't think thieves, muggers, and bloody murderers are real savvy on hacking in-chip hardware vulnerabilities. If this were the case, 2020 would be better known for "The Slaughter of the Smartphone Users" than for COVID, since all phones have various security flaws of one kind or another, especially if you have them in-hand. I think your statement is downright preposterous, to be frank. Sounds like you are having a terrible, anxious day, and maybe went a little far on this one. I get it, times are pretty tough right now. Deep breaths, and hang in there. Things will get better. No snark, I mean it.
    randominternetpersonroundaboutnowronnspock1234williamlondoncornchipwatto_cobrakillroy
  • Reply 14 of 58
    digitol said:
    That’s right. “Apple security” All the inconvenience, trouble and pain, and still this happens. Definitely not worth it. T2chip has been nothing but a troublesome, miserable disaster. Huge failure. Sad. 
    You forgot the /s

    But you nailed the "irrational rant by the Apple hater" vibe perfectly.  Extra points for the "Sad," but you should have used all caps in a few random places.
    dewmebonobobStrangeDaysroundaboutnowDogpersonronnspock1234PetrolDaveGG1williamlondon
  • Reply 15 of 58
    crowleycrowley Posts: 7,630member
    I guess this is T2's judgement day.
    pscooter63cy_starkmanxander0985roundaboutnowrazorpitbrianusbikerdudeplanetary paulrcfaspock1234
  • Reply 16 of 58
    flydogflydog Posts: 924member
    Ummmm....ok. So we all have devices that are insecure if left unattended or lost? Is this going to get swept under the rug, or will there be some sort of action by Apple to remedy?????
    How would anyone on this forum know the answer to this question?
    StrangeDaysronncornchipwatto_cobrakillroy
  • Reply 17 of 58
    flydogflydog Posts: 924member

    digitol said:
    T2chip has been nothing but a troublesome, miserable disaster. Huge failure. Sad. 
    Based on what?  
    StrangeDaysdavgregrazorpitronnpulseimageswilliamlondonwatto_cobrakillroy
  • Reply 18 of 58
    svanstrom said:
    JFC_PA said:
    “ ecause of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

    As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.”

    So once the bad people HAVE the device they can mess with it.   Yawn. 
    Which means that the devices that used to be undesirable by thieves and robbers now are perfectly legit reasons for pulling weapons on, physically attacking, and in at least some cases also worth killing, people out and about. There's no yawning about that.
    Everything Apple branded is desirable my friend. I don't know where your “undesirable” comes from. They even steal the display models at Apple Retail Stores and those not even work...

    I will be concern if this method can decrypt my data (which is the priority) while using FileVault but it can’t. 

    Haha robbers doesn’t need “perfectly legit reasons” to keep doing illegal things. As soon as they see an  Apple product you are a target. They don't go like oh thats is a macbook pro with a T2 chip inside, I am interested. 
    razorpitronnspock1234watto_cobrakillroy
  • Reply 19 of 58
    I have a 16” MacBook Pro, intel+T2. Somehow, this “vulnerability” and “threat” is not something I would spend time to worry about. 

    Anyone with enough skills and desire to get in on any system can and will do it regardless of vulnerabilities. 

    As an “average user,” this threat is as if it doesn’t exist. 
    Dogpersonronnkurai_kagespock1234watto_cobraentropyskillroy
  • Reply 20 of 58
    bonobobbonobob Posts: 295member
    longpath said:
    I’m more interested in whether Apple will take this wake up call, and take steps to prevent such a blunder with the forthcoming Apple Silicon systems.
    The problem is already fixed in the A12 chip and beyond, so it's unlikely Apple will reintroduce the bug in their ARM Macs.  Their developers' edition has an A12Z, so even it should be immune.
    DogpersonronnRayz2016avon b7jdb8167spock1234mknelsoncgWerkswatto_cobrakillroy
Sign In or Register to comment.