Researchers Demonstrate Apple T2 Security Chip Root Access Vulnerability Via USB-C Port

Last week, a security researcher claimed that the T2 security chip found in many Macs is vulnerable to an exploit that cannot be patched: it targets the chip's boot ROM, which is read-only and so cannot be fixed by a software update. The exploit gives an attacker full root access and kernel code execution on the T2. Now, another group has demonstrated a practical way to deliver the attack over the Mac's USB-C port.

Apple builds in-house debug tools for its devices, used to diagnose problems with the OS. Such tools sometimes leak or are reverse engineered, and the knowledge ends up in jailbreaks. In the exploit reported last week, an attacker first puts the T2 into Device Firmware Update (DFU) mode and then uses the checkm8 exploit, as packaged in checkra1n, together with the blackbird vulnerability to take control of the chip.

Now, the T2 Development Blog team has done some digging into the USB-C ports on Mac devices. They found that one USB-C port is shared between the main CPU and the T2, and that the T2's DFU interface can be exposed on that same port; an overlap like this is dangerous. Specific messages sent over USB-C can switch the T2 into DFU mode, which is the starting point of the attack. With that knowledge, the group built a device the size of a power adapter that can, in their words, “place a T2 into DFU mode, run checkra1n, replace the EFI and upload a key logger to capture all keys.” Both of those payloads follow from controlling the T2: the chip supplies and verifies the EFI firmware that the Intel CPU boots, and the built-in keyboard is wired through it, so a compromised T2 can alter the boot firmware and see every keystroke. They show how quick and easy this auto-jailbreak is in an accompanying video.

In another video, they demonstrate firmware modification by changing the device's boot logo. All of this was done with a device the team plans to sell for $49.99 starting in November, “for experimenting.”

The issue is less of a concern for the average user than it may sound, because it requires physical access: someone has to plug hardware into the Mac. The practical defense is not to leave a device unattended where untrusted people can reach it, and to be wary of chargers and cables of unknown origin, given that the attack hardware fits inside a charger-sized enclosure. It will be interesting to see whether Apple responds to these revelations. In any case, keep an eye on HotHardware for updates on the situation as they develop.