Mac with T2 chip no longer secure with physical access

checkra1n Apple Jailbreak

You should be aware of the fact that your Mac’s T2 security chip is not so secure.

We reported a few days ago that the T2 chip that is responsible for security in Macs was hacked.

The security expert Niels Hofmanns has now analyzed the exact consequences for the end user on his blog in case someone gets physical access to the device.

A10 chip with security issue, firmware access open

The first core problem is that Apple’s T2 chip is based on the old A10 chip from the iPhone 7. This chip has a security hole that was already used for jailbreaks of the mentioned iPhones. The second problem with the T2 chip is that Apple has left a debugging access open, which can be used to simply install a firmware update – without further security mechanisms.

This means that manipulated software can now simply be applied to the T2 chip, which then exploits the existing security hole. Because you can intervene very early in the boot process you have root rights, i.e. you can do almost everything you want to do. For example, the activation lock for stolen devices can be easily removed.

Passwords can be recorded, SSDs can be hacked better

But much worse is that you can now include software parts that are manipulated and should actually be prevented. Any malicious kernel extension that can then find its way into macOS can be installed this way. A possible attack is also the installation of a keylogger, a software that records all keystrokes. Since the T2 chip also connects the keyboard, all passwords are visible.

Since the SSD is also connected via the T2 chip including encryption, we also get problems here: although the SSD is not immediately visible if it is encrypted with Vile Vault, you can now simply try around with brute force (simple trying of passwords) until you find the right one. So hacking the data will be much easier. Or you get the password directly via keylogging.

Tips from the Pro

The part of the software that needs to be fixed is on a ROM area of the T2 chip, so it is read-only. An update is therefore not possible. Only an exchange of the whole board would solve the problem.

The security expert Niels now gives us the following advice

  • Inform others of the problem. Users need to take better care of their devices and prevent physical access.
  • If you have left the device alone and want to be sure, you can reinstall bridgeOS or do a SMC-Reset first.
  • It is still open whether the fingerprints can be read from the chip. The professional advises not to use this function for the time being.

So it is currently possible to interfere with the boot process of your Mac and manipulate the software. It is also easier to hack the SSD encryption. All this requires physical access to your device, so you cannot be hacked remotely. The problem in everyday life will probably be connected devices: You need to be sure that every cable, stick, monitor or SSD is trustworthy – otherwise you might already have a keylogger installed. These are not good prospects.

Apple has no comment on this. If you are on the road with very valuable data on your devices you should still contact Apple and ask for help. Let us know what they say.

Leave a Reply

Your email address will not be published. Required fields are marked *