Apple's T2 Mac Security Chip Infiltrated By Unpatchable Root Access Exploit

Apple T2 Chip
Cupertino, we may have a problem. A researcher claims Apple's T2 security chip is vulnerable to an exploit that, if leveraged, would give an attacker full root access and kernel execution privileges. Normally this sort of thing would necessitate fast tracking a security patch, except for one very big problem—it is an "unpatchable" security flaw, the researcher says. Ruh-roh, Shaggy.

Apple describes the T2 co-processor as "your own private security detail," further noting that it "provides the foundation for secure boot and encrypted storage capabilities" on systems where it is deployed. It is found in several systems, including the following models...
  • iMac introduced in 2020
  • iMac Pro
  • Mac Pro introduced in 2019
  • Mac mini introduced in 2018
  • MacBook Air introduced in 2018 or later
  • MacBook Pro introduced in 2018 or later
If in doubt on your own Mac system, you can use System Information to find out (press and hold the Option key while choosing Apple menu > System Information, then in the sidebar, select either Controller or iBridge, depending on the version of macOS in use, and see if "Apple T2 chip" is listed on the right).

Apple iMac

An unpatchable flaw in a security chip is cause for concern, though for the average user, there is no need to mash the panic button. Why not? For the simple fact that exploiting the vulnerability requires physical access to the target system. This is not something that an attacker can exploit remotely, so someone would need to be hyper-motivated to go this route.

That said, it is still an interesting flaw. Security researcher Niels Hofmans detailed the vulnerability in a blog post, noting that the mini operating system on the T2 chip (SepOS) suffers from the same flaw as found in the iPhone 7, since it contains a processor based on the iOS A10.

This particular attack combines a pair of other exploits used to jailbreak iOS devices, those being Checkm8 and Blackbird. Using this method, an attacker could create a USB-C cable that is capable of automatically exploiting a vulnerable macOS device during the boot routine.

"Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately. They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment," Hofmans explains.

Note that a firmware password does not protect against this because that requires keyboard access, and therefore needs the T2 chip to run first. Do'h! The researcher also claims there is reason to be very concerned about this whole situation, even though this is not a remote attack situation.

"If the attacker is able to alter your hardware (or sneak in a malicious USB-C cable), it would be possible to achieve a semi-tethered exploit. While this may not sound as frightening, be aware that this is a perfectly possible attack scenario for state actors. I have sources that say more news is on the way in the upcoming weeks. I quote: be afraid, be very afraid," Hofsmans says.

Anyone worried about this should be careful not to leave their Mac system in a place or situation where someone might have easy access to it. Everyone else can take a deep breath and carry on.