Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Apple's T2 Chip Has Unpatchable Security Flaw, Claims Researcher [Updated]

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,432
11,816


Intel Macs that use Apple's T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to team of software jailbreakers.


Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. In a blog post, however, security researcher Niels Hofmans notes that because the chip is based on an A10 processor it's vulnerable to the same checkm8 exploit that is used to jailbreak iOS devices.

This vulnerability is reportedly able to hijack the boot process of the T2's SepOS operating system to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, Hofmans claims it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they can't directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption.

According to Hofmans, the exploit can also bypass the remote device locking function (Activation Lock) that's used by services like MDM and FindMy. A firmware password won't help prevent this either because it requires keyboard access, which requires the T2 chip to run first.

For security reasons, SepOS is stored in the T2 chip’s read-only memory (ROM), but this also prevents the exploit from being patched by Apple with a software update. On the plus side, however, it also means the vulnerability isn't persistent, so it requires a "hardware insert or other attached component such as a malicious USB-C cable" to work.

Hofmans says he has reached out to Apple about the exploit but is still awaiting a response. In the meantime, average users can protect themselves by keeping their machines physically secure and by avoiding plugging in untrusted USB-C cables and devices.

Lastly, the researcher notes that upcoming Apple Silicon Macs use a different boot system, so it's possible that they won't be impacted by the vulnerability, although this is still being actively investigated.

Update: The original report incorrectly referred to Niels Hofmans as the cybersecurity expert who carried out the research. Hofmans is in fact an industry consultant who provided impact analysis of the T2 and checkm8. This has now been corrected.

Article Link: Apple's T2 Chip Has Unpatchable Security Flaw, Claims Researcher [Updated]
 
Last edited:
  • Like
Reactions: Regbial and adib

ytk

macrumors regular
Jul 8, 2010
244
-40
Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
 
Comment

Bug-Creator

macrumors 6502a
May 30, 2011
704
3,167
Germany
Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure.

How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.
 
Comment

Kung gu

macrumors 6502
Oct 20, 2018
375
542
Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
umm, have you seen or heard about intel exploits...
 
Comment

twistedpixel8

macrumors 6502
Jun 9, 2017
394
1,179
How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.

Well yes but on a chip whose sole purpose is security...? That’s not great is it.
 
Comment

ytk

macrumors regular
Jul 8, 2010
244
-40
How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?

How many in Win/Android vs macOS/iOS?

In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good.

If it's a problem with an industry-standard chip, it affects the entire industry—thus there is a major incentive to get it fixed right away. Major time and money would be poured into getting that problem fixed ASAP. If it only affects Macs, and Apple can't or won't fix it, guess what? You're screwed. There's literally nobody else to blame or take responsibility.

Apple's track record has been good on iOS, where they have essentially 100% control over the software. Let's see what happens when they don't get to say what does and doesn't run on their hardware anymore.
 
Comment

jclardy

macrumors 68040
Oct 6, 2008
3,508
2,426
Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.
I guess you already forgot about Meltdown and Spectre? Intel has been shipping vulnerable chips for years.
 
Comment

otternonsense

macrumors 68000
Jul 25, 2016
1,836
5,380
Berlin
As if the kernel panics it's causing weren't bad enough. The whole existence of the T2 Chip is one big unfixable flaw that belongs in the Mac graveyard together with the butterfly keyboard and Touch Bar. And while spending time in there, let's bring back MagSafe from the dead, shall we?

The Mac has been on a slow death spiral since Tim took over and I doubt it will ever get better
 
Comment

Kung gu

macrumors 6502
Oct 20, 2018
375
542
As if the kernel panics weren't bad enough. The whole existence of the T2 Chip is one big unfixable flaw that belongs in the Mac graveyard together with the butterfly keyboard and Touch Bar. And while spending time in there, let's bring back MagSafe from the dead, shall we?

The Mac has been on a slow death spiral since Tim took over and I doubt it will ever get better

Having an Intel CPU and an ARM chip (T2) is not good, causes bugs and whatnot

ARM Macs will incorporate the T2 chip functionality into the SoC, making the Mac more stable.
 
Comment

Bug-Creator

macrumors 6502a
May 30, 2011
704
3,167
Germany
If it's a problem with an industry-standard chip, it affects the entire industry—thus there is a major incentive to get it fixed right away. Major time and money would be poured into getting that problem fixed ASAP. If it only affects Macs, and Apple can't or won't fix it, guess what? You're screwed. There's literally nobody else to blame or take responsibility.

If a problem exist at such a low level "industry standard chip" noone will be able to fix it, so you'd be just as screwed.
 
Comment

ytk

macrumors regular
Jul 8, 2010
244
-40
did u miss the part where I said this is fixed in the A12 and intel chips have even worse security issues..

If Intel's chips have security issues, they affect literally the entire industry. They damn well better get them fixed ASAP, or they have much bigger problems than squashing a bug—like major lawsuits that could put them out of business.

Apple can, will, and has said to its customers that they are SOL and just need to upgrade if they want to get an issue fixed. That's just the reality of living with Apple Silicon. They control literally everything from top to bottom, and if they decide an issue isn't worth fixing because they would make more money by forcing everyone to upgrade, well, that's what happens.
 
Comment

Kung gu

macrumors 6502
Oct 20, 2018
375
542
Comment

ytk

macrumors regular
Jul 8, 2010
244
-40
I guess you already forgot about Meltdown and Spectre? Intel has been shipping vulnerable chips for years.

And yet those exploits get fixed or patched, because if they didn't bother with it there is always a competitor nipping at their heels, not to mention a bunch of lawsuits waiting for them.

Apple's response: You decided to jailbreak your Mac? That's on you then if you want to run software we didn't tell you that you were allowed to run on OUR hardware.

That's already their response for iOS, why not for MacOS as well?
 
Comment

JonaM

macrumors newbie
Sep 26, 2017
24
41
So it's a non-persistent vulnerability that needs malicious hardware plugged in to keep working. TBH if you have malicious hardware plugged in then you've already got a major problem.

Is my MacBook still secure if someone steals it from my room whilst I'm away and it's switched off - the answer appears to be yes. I'm not really clear that it's actually a big deal as you need to run the compromise with device on, which would imply you've compromised the user account and have access to the data anyway.
 
Comment

ytk

macrumors regular
Jul 8, 2010
244
-40
So it's a non-persistent vulnerability that needs malicious hardware plugged in to keep working. TBH if you have malicious hardware plugged in then you've already got a major problem.

Is my MacBook still secure if someone steals it from my room whilst I'm away and it's switched off - the answer appears to be yes. I'm not really clear that it's actually a big deal as you need to run the compromise with device on, which would imply you've compromised the user account and have access to the data anyway.

Who the heck shuts off their laptop when not using it instead of just closing the lid?
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.