Security researchers are reporting a significant flaw in Apple’s T2 security chip that has a wide-ranging impact on the MacOS platform, especially the latest MacBook Air and MacBook Pro machines. With the issue located in the read-only memory portion of the T2, the flaw is effectively unpatchable, leaving user data exposed.
As first described by Belgian security firm IronPeak, it is possible to gain control over the core Operating System. This could facilitate data extraction, the installation of keylogging software or other malware, and any number of other potential uses. The exploit relies on code previously used to jailbreak iPhone X handsets. Mahit Huilgol has more details at iPhoneHacks:
“The exploit is called checkm8 and was developed initially for iPhone X. Interestingly, the iPhone X is powered by A10 processor, and the T2 chip is also modeled after the A10 processor. Typically, the T2 chip throws a fatal error whenever it gets a decryption call. However, the attackers can circumvent the check with the help of a blackbird vulnerability. The worst part is that sepOS/BootROM is Read-Only memory, which means Apple will not be able to patch this without changing the hardware.”
Because of the physical nature of the flaw in the T2 chip – the exploit is in the read-only memory of the chip – this is not a security issue that can be patched by a firmware update. Apple will no doubt be re-engineering the chip so that Macs rolling out of the factory in the near future will have patched hardware.
The physical nature of the exploit also means that any attacker is going to need physical access to your machine to take control of the T2 chip (although remote programs could be installed so that access may be a one-time requirement). That puts Apple’s mobile Macs at a higher risk, especially the MacBook Pro given its target market is more likely to be carrying sensitive information on a personal, enterprise, or governmental basis while travelling.
The impact on the individual is huge. MacOS, as it stands today, has issues. IronPeak sums up the state of the platform as they see it:
“TL;DR: all recent macOS devices are no longer safe to use if left alone, even if you have them powered down.
“The root of trust on macOS is inherently broken; They can bruteforce your FileVault2 volume password; They can alter your macOS installation; They can load arbitrary kernel extensions; Only possible on physical access.”
As with all flaws, the route to exploit and maintain the attack will define just how serious a threat user data is exposed to. Will Strafach, CEO of the security-focused GuardianApp system, notes on Twitter some of the limitations that will need to be explored:
“What is proven: with physical access to such a computer and time to reboot into DFU to apply checkm8, one can boot arbitrary code on the T2. What is not proven: any sort of useful persistence. property lists on the Data partition could be modified, which is not great, but there is no evidence yet that one can persist unauthorized code through a full and proper reboot.”
Not discounting the severity of the actual exploit, the perception of the exploit may have a larger impact. Apple places great value in its message of security, and providing a safe working environment for consumers using its devices. This is laid out in detail through the ‘Apple Platform Security’ section of its website. The existence of a potentially significant security exploit in Mac hardware that users need to be aware of does not sit easily next to this message.
Apple has been approached for comment.