Apple's T2 Chip Has Unpatchable Security Flaw, Claims Researcher [Updated]

[Chris.J]

Imagine you were a dodgy Chinese manufacturer of innocent hardware (perhaps a mouse / keyboard) that plugged in via USB-C but contained hidden firmware to jailbreak the T2 chip, inject code into the OS and create a botnet of pwned T2 macbooks.

Still think it would be impossible without having access to the machine? 🤔

 

[canned_tuna_og]

As if the kernel panics it's causing weren't bad enough. The whole existence of the T2 Chip is one big unfixable flaw that belongs in the Mac graveyard together with the butterfly keyboard and Touch Bar. And while spending time in there, let's bring back MagSafe from the dead, shall we?

The Mac has been on a slow death spiral since Tim took over and I doubt it will ever get better

I'm alone in liking the butterfly keyboard and touchbar, but I agree that MagSafe was safe (especially around children!) and the current configuration is Cook guaranteeing Genius Bar revenue.
Sometimes I don't recognize Apple post-Jobs. Software is buggy. Hardware is questionable. If Jobs were alive in 2020 we would be on to the next great thing and the MacBook and iPhone would be history. Cook is a software/subscription guy who belongs in the marketing dept.

 

[Plutonius]

Who the heck shuts off their laptop when not using it instead of just closing the lid?

I do.

Because of flexgate on my MacBook Pro, I shut my screen as little as possible.

 

[fishmoose]

Who the heck shuts off their laptop when not using it instead of just closing the lid?

I'd turn that question around - why not turn it off when booting is so fast nowadays?

 

[amartinez1660]

Let's revisit that statement in a year or two, once Apple Silicon becomes a reality on Macs. Most likely it's going to be more like “Apple devices are trivial to crack, unlike a PC or Android phone”.

I have heard this for the last 15 years. “Sure Macs are harder to crack, let’s wait a year and talk again”.
Years passed, CPU and other major architectures have changed, the platform expanded to phone iOS, tvOS, iPadOS which are all based on Mac’s OS, ANOTHER big hardware transition is about to happen and here we are: “sure, but that’s today, let’s wait another year and talk again”.

For what is worth, one day it will be the right sentence to say, maybe in 1 or 100 years of saying the same thing it will be right for once. Make sure to bet really hard on that one instance.

 

[fishkorp]

Again, no numbers.
If you're not going to come back with at least a goods guess of the number of serious exploits against number of chips releaased by Apple vs Apple, don't bother.

He/she doesn’t have to give you numbers, they told you without an actual number. Nearly every CPU made in 2018 or earlier that uses branch prediction (across all brands) was vulnerable. So at time of discovery, that was near 100% of Intel chips. Not 0.33% like your example. And it impacts a lot more than just PCs. Literally any piece of hardware in the last 3+ decades that has an intel chip (or AMD, or some ARM, etc)

 

[dewalt]

Some people jumping to conclusions here. It seems more theoretical.

Now, the blog says it's using a vulnerability that was found in the A10 on iPhone 7. Presumably Apple knows about this. If so, did anyone connect the dots and say .... this could affect Macbooks?

I think we need to wait for Apple's response here. Something doesn't add up.

 

[mguzzi]

Requires physical access to the machine and the user to enter the decryption password. Yes it's a vulnerability but it would take a lot of insider effort to exploit it.

 

[H2SO4]

He/she doesn’t have to give you numbers, they told you without an actual number. Nearly every CPU made in 2018 or earlier that uses branch prediction (across all brands) was vulnerable. So at time of discovery, that was near 100% of Intel chips. Not 0.33% like your example. And it impacts a lot more than just PCs. Literally any piece of hardware in the last 3+ decades that has an intel chip (or AMD, or some ARM, etc)

No they didn't. That's what I asked for - If they couldn't answer it then say so.
Also who cares what else it afects. If the chip is in a toaster and I don't have a toaster it doesn't affect me.

Numbers give some context. If every CPU made is affected then say so. If only one CPU was made then there is no context, (I'm talking CPU types not individual units but both metrics are helpful).
You've completely gone off and focused on 0.33% and only one year.
Here is the OPs quote;

"How many exploits and hacks have we seen on Intel/AMD chips? How many on non-Apple ARM? How many on support chips (SSD-controllers, WIFI/4G-modems)?
How many in Win/Android vs macOS/iOS?
In the end nothing is ever gonna be 100% safe for ever, but so far Apple's track record is quite good."

No numbers and no dates. So I asked for more info.

 

[jicon]

For the benefit for me- the consumer; and Mac shops that can do board repair... get rid of the T2 chip. Or any other chip in a cable, battery... Give me back the ability to get my machine repaired through alternate means.

 

[DStaal]

Imagine you were a dodgy Chinese manufacturer of innocent hardware (perhaps a mouse / keyboard) that plugged in via USB-C but contained hidden firmware to jailbreak the T2 chip, inject code into the OS and create a botnet of pwned T2 macbooks.

Still think it would be impossible without having access to the machine? 🤔

That still actually counts as physical access.

But really - if you're going that far, why use this? A keyboard plugged into the machine with malicious hardware could already contain a keylogger and a executable program that would get you access to the machine without it. (And would likely work on more than just Apple devices.)

Yes this is a vulnerability, and yes it should be addressed - but I'm having a hard time seeing when it's a useful vulnerability to anyone. The conditions appear to be that you have to insert hardware while the machine is on, then have someone log in without turning it off - and it only works until they turn it back off if the hardware is removed. A keylogger or some more standard trojan is a far more useful attack. About the only useful scenario would be a spy trying to get temporary access to unencrypted files - and even then, a timed trojan is likely more useful.

 

[mono1980]

Let's revisit that statement in a year or two, once Apple Silicon becomes a reality on Macs. Most likely it's going to be more like “Apple devices are trivial to crack, unlike a PC or Android phone”.

Riiiight.... that's laughable.

 

[skinned66]

Two wrongs don't make a right. You can point to flaws of others until your fingers are blue, but that does not take away the flaw in the T2 chip.

One of the flaws is in a computer's brain - a necessary component and the other is in a chip that didn't have a reason to exist until Apple came up with one (i.e. to lock out third-parties, among other things.)

So while I completely agree I think Apple's is a bit more egregious, severity notwithstanding.

 

[otternonsense]

I'm alone in liking the butterfly keyboard and touchbar, but I agree that MagSafe was safe (especially around children!) and the current configuration is Cook guaranteeing Genius Bar revenue.
Sometimes I don't recognize Apple post-Jobs. Software is buggy. Hardware is questionable. If Jobs were alive in 2020 we would be on to the next great thing and the MacBook and iPhone would be history. Cook is a software/subscription guy who belongs in the marketing dept.

Yes. Thank you! Apple of 2020 just coasts by with “good enough”, and we’ve all seen Apple to be better than that.

 

[Unregistered 4U]

Is my MacBook still secure if someone steals it from my room whilst I'm away and it's switched off - the answer appears to be yes. I'm not really clear that it's actually a big deal as you need to run the compromise with device on, which would imply you've compromised the user account and have access to the data anyway.

So, I’m NOT a security researcher, but once someone has PHYSICAL access to your computer, all bets are off. This report is for THIS exploit, but there are both tangentially related unknown exploits AND completely unrelated KNOWN exploits that this security researcher doesn’t refer to and this article doesn’t mention.

Seeing as how truly remote exploits (that don’t require user intervention) are found/reported less and less, it appears that most exploits now either require physical access OR requires the user to provide elevated privileges. That should be something listed in the very top of any story ABOUT exploits.

 

[otternonsense]

the Mac is slowly dying because Steve Jobs said it would. He predicted consumers and industry would be moving to mobile devices.
So the person you should be mad at is Steve Jobs.... not Tim

Not really. The demand is there. The Mac is slowly dying because Cupertino is delivering wonkier Macs with absent macOS QA, while Apple's marketing is busy asking "what is a computer" without giving a resolute answer themselves.

 

[skinned66]

LOL ok, Tim. That's exactly what I'm working for, to waste on a new workstation iteration annually.

Reduce, Reuse, Recycle

We're a green company, baby!

 

[Unregistered 4U]

And what happens until then? Are we just supposed to just keep buying new Macs with each generation until the next one gets it right, like the whole spiel with the Butterfly keyboard? Wouldn't that be a dream for Tim.

No, NEVER buy a product you don’t want. Ever. It’s a mistake on SO many levels.

 

[BGPL]

"Hofmans says he has reached out to Apple about the exploit but is still awaiting a response."

They're figuring out who's wrists are going to be lopped off for this before they respond.

 

[BGPL]

Who the heck shuts off their laptop when not using it instead of just closing the lid?

Ultra security minded people or someone with something big to hide. The private key resides in memory until the device is shut off. If you have any hope of defeating a powered-on device, you must first capture the RAM to external memory. Can't do that if it's powered off. That being said, not a single computer of mine has been powered off, ever.

 

[Ethosik]

Another reason why Apple Silicon is a horrible idea. Apple isn't ready, willing, or able to do the groundwork necessary to keep their chips secure. Get used to the Mac going from one of the most secure platforms out there to being ridden with horrible, unpatchable bugs and security exploits.

It's one thing when you can make the OS a walled garden, like with iOS. When you can control the software, you don't need to worry about the hardware being buggy. But unless we're going to have the Mac App Store be the only source for Mac apps, get used to having your computer pwned on a daily basis once Apple Silicon is a reality.

Macs are not the most secure platform just by architecture. The reason people go for Windows for malware is due to marketshare. That is all. If macs had 90% marketshare they would have the same level of threats and malware as Windows does. Unix might be a slight advantage, but anyone that thinkgs if Macs have 90% marketshare and are still more secure than windows don't understand a few things.

 

[magbarn]

Wonderful, so we put up with soldered SSDs "with enchanted security" for this crap?

 

[cmaier]

 

[CJ Dorschel]

Gatekeeper, SIP, dual locked volumes in Catalina, SSV in Big Sur - all easily bypassed by either terminal commands by the user or exploits. Now the sec in T2 chips can be bypassed with a cable and jailbreak exploit.

Seems the more security Apple adds to their OS and hardware the more complicated it becomes for developers to adapt as root volume for third party apps such as TotalSpaces is further locked down, Mac’s with T2 chips require more work to fix should they crash, boot SSD’s are non-user replaceable, and now T2 chips have a security flaw that can’t be patched.

Sometimes, it’s best to keep things simple that can be fixed on the software end rather than throwing out more ”security“ updates with each annual release that don‘t seem to be as effective as Apple claims. I’m sensing a lot of marketing smoke and mirrors in security claims for the average user when they really aren’t the great achievements Apple claims. OS X has always been a much more secure system over Windows due to its XNU mach kernel base system. No OS is ever 100% secure, that’s impossible, yet sometimes adding more “features” for the sake of it instead of focusing on strengthening already existing systems simply complicates matters.

The T2 chip always seemed more of a gimmick and a push by Apple to lock OS X/macOS to Apple hardware as Hackintosh systems were growing in popularity due to Apple’s move away from affordable tower systems such as the [now] $6000 base model Mac Pro.

 

[cmaier]

Imagine you were a dodgy Chinese manufacturer of innocent hardware (perhaps a mouse / keyboard) that plugged in via USB-C but contained hidden firmware to jailbreak the T2 chip, inject code into the OS and create a botnet of pwned T2 macbooks.

Still think it would be impossible without having access to the machine? 🤔

I think you’d notice if you plugged something in and it caused a reboot into dfu mode. And whatever code was injected wouldn’t survive reboot.