Researchers Demonstrate Apple T2 Security Chip Root Access Vulnerability Via USB-C Port
Apple’s devices all ship with an in-house debug tool used to diagnose issues with the OS. Such tools can sometimes be leaked or reverse engineered, allowing users to jailbreak devices. In the exploit reported last week, attackers would use the checkm8/checkra1n exploit together with the blackbird vulnerability while the device is in device firmware update (DFU) mode to get into a system.
Now, the T2 Development Blog team has done some digging into the USB-C port on Mac devices. They found that one USB-C port is shared by the main CPU and the T2 chip, and that the T2 chip’s DFU mode is reachable over it; this sort of overlap can be dangerous. It was discovered that messages could be sent over USB-C to put the T2 chip into DFU mode and so start the attack process. With this knowledge, the group subsequently built a special device the size of a power charger to “place a T2 into DFU mode, run checkra1n, replace the EFI and upload a key logger to capture all keys.” They show how quick and easy this auto-jailbreak is in the video below.