
Apple's T2 Security Chip Vulnerable to Attack Via USB-C

macdos

macrumors 6502
Oct 15, 2017
417
659
If anyone has physical access to your mac, they will be able to install any kind of key logger. T2 isn't needed.

And if you haven't enabled FileVault, you are not really that concerned about anyone accessing your files.
 

ikramerica

macrumors 6502
Apr 10, 2009
485
466
I don't understand how this works. Where is the keylogger installed? Wouldn't a power-off / reboot flush it out?
Yes. A reboot fixes it unless the device is still connected. And it’s a device, not just a cable. The cable allows the device to do what it wants to do.
Big question: does it bypass password login? If not, it requires this thing to be discreetly connected directly to the USB-C on the computer and the owner not noticing. Or am I missing something?
 

The Cappy

macrumors 6502
Nov 9, 2015
347
616
Dunwich Fish Market
The vulnerability might be unpatchable, but for that same reason, the exploit cannot be permanent either. Restarting the computer removes it. Presumably it would be possible for it to install a keylogger which might persist, but you could presumably then detect and remove that keylogger.
 

poorcody

macrumors 6502a
Jul 23, 2013
896
764
So if my MacBook is lost or stolen, the thief still won't be able to access my files because they are encrypted with FileVault?
 

adrianlondon

macrumors 68030
Nov 28, 2013
2,730
2,709
Switzerland
Yes. A reboot fixes it unless the device is still connected. And it’s a device, not just a cable. The cable allows the device to do what it wants to do.
Big question: does it bypass password login? If not, it requires this thing to be discreetly connected directly to the USB-C on the computer and the owner not noticing. Or am I missing something?
It doesn't so much bypass login as run before the login prompt is shown.
 

magbarn

macrumors 68020
Oct 25, 2008
2,435
1,586
Hopefully this is exactly what this hack accomplishes, is create tools for independent repair shops that will now be able to repair T2 Macs.

But I imagine Apple will find a way to detect that the repairs were done in an "unauthorized way", and blacklist those Macs from running the OS, or getting updates, or brick them altogether - like they have with iPhones.
What repairs other than keyboard/screen? Everything else is soldered into the logic board. Most shops do not have the capability of replacing soldered SSD flash chip.

Another thing is that previously a stolen password-protected MacBook would be useless and couldn't be used by another party without replacing the logic board if there was a boot password. Now that's easily bypassable.
 

ikramerica

macrumors 6502
Apr 10, 2009
485
466
Thanks, watched the video and read the linked article ... so you need a power brick sized special device to initiate this. And I understand that this action actually reboots the T2 chip which seems odd that it can be rebooted while the Mac is running, but so be it.
Will be interesting to see Apple's response ...
Seems like the response could be “if T2 reboots, OS locks up?” So basically have the device kernel panic on T2 reboot?
 

otternonsense

macrumors 68000
Jul 25, 2016
1,849
5,409
Berlin
Unless you work for the government, probably not.

I do work for a company that takes security very seriously and also manages government accounts.
Tell that same thing to Intel before you start throwing stones only at Apple.

then we should place all of our trust in intel. right? RIGHT? :rolleyes:

Why do you have to shoehorn another manufacturer? To deflect? I don't care about intel, I care about my MBP 16" workstation.
 

MallardDuck

macrumors 6502a
Jul 21, 2014
510
892
If they have physical access, it's game over. If they have physical access to a running machine, it's definitely game over. Simple solution to this in the real world: power off the machine before you leave it unattended.
 

MallardDuck

macrumors 6502a
Jul 21, 2014
510
892
Sure, but when it's the chip specifically meant for security, it's kind of a "you had one job!" failure.

Silicon vulnerabilities were a blindspot until Spectre and Meltdown...now everyone's looking for them.

Apple definitely has software quality problems, but no more so than anyone else.
 

Substance90

macrumors 6502
Oct 13, 2011
424
573
The T2 chip causes too many problems already. Our shop sees too many with FileVault corruption, or needing to reflash the chip which takes 3-5x even though it states it is successful. I would avoid all the USB-C models as of right now.
As if there weren't enough reasons to avoid those models already.
 

MallardDuck

macrumors 6502a
Jul 21, 2014
510
892
The T2 chip causes too many problems already. Our shop sees too many with FileVault corruption, or needing to reflash the chip which takes 3-5x even though it states it is successful. I would avoid all the USB-C models as of right now.

So you're not buying macs anymore?
 

ikramerica

macrumors 6502
Apr 10, 2009
485
466
If they have physical access, it's game over. If they have physical access to a running machine, it's definitely game over. Simple solution to this in the real world: power off the machine before you leave it unattended.
Kinda makes the remote work concept difficult to achieve for many people.
Had Apple protected the T2 with a T3, we would not be here today.
But only if that chip was protected by a T4 chip.
 

RumorConsumer

macrumors 65816
Jun 16, 2016
1,180
642


After it was reported last week that Apple's T2 Security Chip could be vulnerable to jailbreaking, the team behind the exploit have released an extensive report and demonstration.



Apple's custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. It appears that since the chip is based on an Apple A10 processor, it is vulnerable to the same "checkm8" exploit that has been used to jailbreak iOS devices.

The vulnerability allows for the hijacking of the T2's boot process to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, it is possible for a hacker to circumvent this check and gain access to the T2 chip.

Once access is gained, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files stored using FileVault 2 encryption. However, because the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used for decryption. It can also bypass the remote Activation Lock used by services such as MDM and Find My. A firmware password does not prevent this since it too requires keyboard access, which requires the T2 chip to run first.

The exploit can be achieved without user interaction and simply requires a modified USB-C cable to be inserted. By creating a specialized device "about the size of a power charger," an attacker can place a T2 chip into DFU mode, run the "checkra1n" exploit, upload a key logger, and capture all keys. macOS can be left unaltered by the jailbreak, but all keys can still be logged on Mac laptops. This is because MacBook keyboards are directly connected to the T2 and passed through to macOS.



A practical demonstration shows checkra1n being run over USB-C from a host device. The targeted Mac simply displays a black screen while the connected computer confirms that the exploit was successful.

These cables function by allowing access to special debug pins within a USB-C port for the CPU and other chips that are usually only used by Apple.

Apple has not fixed the security flaw and it appears to be unpatchable. For security purposes, the T2's SepOS custom operating system is stored directly in the chip's SEPROM, but this also prevents the exploit from being patched by Apple via a software update.

In the meantime, users can protect themselves from the exploit by keeping their Macs physically secure and avoiding the insertion of untrusted USB-C cables and devices.

Article Link: Apple's T2 Security Chip Vulnerable to Attack Via USB-C
Oh for F sake.

"In the meantime, users can protect themselves from the exploit by keeping their Macs physically secure and avoiding the insertion of untrusted USB-C cables and devices."

Really helpful. Thanks. I hope Apple patches.
So you're not buying macs anymore?
Right. Avoid USB-C models... so Mid 2015 MacBook Pro...
 

jaytv111

macrumors 6502
Oct 25, 2007
370
159
Yes. A reboot fixes it unless the device is still connected. And it’s a device, not just a cable. The cable allows the device to do what it wants to do.
Big question: does it bypass password login? If not, it requires this thing to be discreetly connected directly to the USB-C on the computer and the owner not noticing. Or am I missing something?

It doesn't bypass encryption, the theory is a keylogger will be used and you will simply type your password in and they could decrypt it later or perhaps get at your online accounts if you reuse your password, etc. Doesn't look like a keylogger has actually been successfully demonstrated though, or if it needs the cable plugged in at all times. Maybe if you leave your laptop around a coffee shop and they replace your cable (and probably charger) and you don't notice it they could get the keylogger put in and steal your laptop from your office or home if you're a high-value target, otherwise probably not a concern for everyone else.
 

bradl

macrumors 601
Jun 16, 2008
4,042
12,357
Apple should release devices without USB. That appears to be the real issue.

Hmm... Got it. Star Trek: The Next Generation, season 2, episode 2: Where Silence has Lease.

Dr. Katherine Pulaski said:
That's like destroying the disease by killing the patient!

You're essentially taking out the attack vector without fixing the source of the vulnerability, which is the T2 chip. Fix that going forward so you don't have that problem with future Macs.

However, this could lead to a recall of those affected Macs so they can be fixed. But taking out the method of which to attack doesn't fix the source of the problem.

BL.
 

AndiG

macrumors regular
Nov 14, 2008
245
291
Germany
So Apple can throw away the T2 chip and we can finally use standard M2 NVMe SSDs again ...
 

I7guy

macrumors Penryn
Nov 30, 2013
24,289
12,416
Gotta be in it to win it
Hmm... Got it. Star Trek: The Next Generation, season 2, episode 2: Where Silence has Lease.



You're essentially taking out the attack vector without fixing the source of the vulnerability, which is the T2 chip. Fix that going forward so you don't have that problem with future Macs.

However, this could lead to a recall of those affected Macs so they can be fixed. But taking out the method of which to attack doesn't fix the source of the problem.

BL.
It's not as if USB has never been implicated in any type of security vulnerability prior to this.
 