Scary to think that a device could be made allowing someone to walk around and plug it into random macs and instantly gain what amounts to root access in a few seconds.

Does the T2 chip also have access to the internet?
 
How do you pull mass product recall out of an exploit that needs direct access to the hardware? There will always be exploits in hardware and software. Next up you'll be calling for a class action nonsense.

Absolutely. Apple failed yet once again at chip design. Fail, fail, fail. And we know the real reason why the T2 was put in the first place: to prevent third-party repairs of a flawed Mac design.

but but but AS won’t need the T2! Oh yeah? I say BS, pure and simple. Macs will continue to require T2. A MacRumors member said so.
 
Might be built in with the same vulnerability though.
The T2 is based on the A10 processor - the vulnerability in play here is not exposed in the latest few versions of A-series CPUs.
 
As long as software is written by humans...
So if I understand correctly, this attack is only possible on boot, not waking up from sleep, and the hacker must be present while the bad cable is also attached, but to what? I’m not trying to downplay, but it seems only possible with physical access, which would be easier to manage/protect against...
 
We all know the first priority was thwarting third party repair attempts. Working at the Genius Bar, the T2 chip was the biggest pain in my ass.

Exactly! Moving the SMC inside the T2 together with the custom USB-C controller chips used in 2019+ models are a well-studied blow to 3rd party board repairs. Customers wouldn’t care since they will learn that they need to pay for AppleCare from now on, but a lot of business will be hurt.
 
Once access is gained, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption.

After a "hacker" gains physical access to your computer (at your home or workplace) when you're not around, and installs a keylogger in order to later on snag a password to subsequently decrypt FileVault encrypted files...then what? The hacker leaves the premises and comes back a week later to read out the key-logged password and then can decrypt your FileVault encrypted files?
 
As long as software is written by humans...
So if I understand correctly, this attack is only possible on boot, not waking up from sleep, and the hacker must be present while the bad cable is also attached, but to what? I’m not trying to downplay, but it seems only possible with physical access, which would be easier to manage/protect against...
This shows them plugging in a cable to a powered on, but locked mac and it injecting the payload.

Physical access is required, but how easy would it be for someone to walk around some place that has macs and plug in a device for a few seconds while no one is looking?
 
I barred the 'evil maid' from entering my home unattended some years ago.

Business cases though are another story. The 'evil janitorial' spies are everywhere.
 
Planned obsolescence. It just so happens to be that the ARM Macs won't have this problem. Peculiar, isn't it?
 
The T2 chip causes too many problems already. Our shop sees too many with FileVault corruption, or needing to reflash the chip, which takes 3-5x even though it states it is successful.
I already turn all the T2 functions off. Still occasionally see bridgeOS crashes.
 
This shows them plugging in a cable to a powered on, but locked mac and it injecting the payload.

Physical access is required, but how easy would it be for someone to walk around some place that has macs and plug in a device for a few seconds while no one is looking?
Back in the early days of the apple store, people would connect their iPods to apple store computers in order to make copies of the software on the demo machines.
 
Could Apple patch it by sending Mac Users a USB thumb drive with the patch on it using this exploit to gain access? It doesn’t seem like it would be that expensive for them to do so if it’s technically possible.
 
Could be a master stroke from Apple to push faster upgrades to the upcoming Apple Silicon.
 
It's possible but what is probable? If someone did have physical access to my Mac and could install this would they need physical access a second time to retrieve keystrokes and then more time with my computer to download or decrypt data? Sounds like a potentially serious vulnerability but limited real world use.
 
At least now I'll know how they got in and ruined my life. Good to know. It's the uncertainty that is hard.

Closure.

I wonder if I can get these cables on Amazon with my Prime Day discount?
 
This shows them plugging in a cable to a powered on, but locked mac and it injecting the payload.

Physical access is required, but how easy would it be for someone to walk around some place that has macs and plug in a device for a few seconds while no one is looking?
Thanks, watched the video and read the linked article ... so you need a power brick sized special device to initiate this. And I understand that this action actually reboots the T2 chip which seems odd that it can be rebooted while the Mac is running, but so be it.
Will be interesting to see Apple's response ...
 
This raises another question for me:

As iOS devices can be jailbroken, how secure will ARM-based Macs be moving forward?

I realize this is dependent upon the operating system and macOS is not iOS. Yet years of jailbreaking arm-based devices has shown the architecture may not be as secure as Intel CPUs.

I realize this is hypothetical and there are many more factors involved than jailbreaking an iPhone thus I am merely asking anyone with more knowledge if this is a legitimate issue.
 
We all know the first priority was thwarting third party repair attempts. Working at the Genius Bar, the T2 chip was the biggest pain in my ass.

Hopefully this is exactly what this hack accomplishes: creating tools for independent repair shops that will now be able to repair T2 Macs.

But I imagine Apple will find a way to detect that the repairs were done in an "unauthorized way", and blacklist those Macs from running the OS, or getting updates, or brick them altogether - like they have with iPhones.
 