Apple’s T2 chip has an unfixable vulnerability that could allow root access

Apple macOS devices with Intel processors and a T2 chip are vulnerable to an unfixable exploit that could give attackers root access, a cybersecurity researcher claims.

The T2 chip, present in most modern macOS devices, is an Apple Silicon co-processor that handles boot and security operations, along with disparate features such as audio processing. Niels H., an independent security researcher, indicates that the T2 chip has a serious flaw that can’t be patched.

According to Niels H., since the T2 chip is based on an Apple A10 processor, it’s vulnerable to the same checkm8 exploit that affects iOS-based devices. That could allow attackers to circumvent activation lock and carry out other malicious attacks.

Normally, the T2 chip will exit with a fatal error if it detects a decryption call when in DFU mode. However, the exploit can be paired with another vulnerability developed by Pangu that can circumvent the DFU exit security mechanism.

Once an attacker gains access to the T2 chip, they will have full root access and kernel execution privileges. Although they can’t decrypt files protected by FileVault encryption, they can inject a keylogger and steal passwords since the T2 chip manages keyboard access.

The vulnerability could also allow for manual bypassing of security locks through MDM or Find My, as well as the built-in Activation Lock security mechanism. A firmware password also doesn’t mitigate the issue, since it requires keyboard access.

Apple also can’t patch the vulnerability without a hardware revision, since the T2’s underlying operating system (SepOS) uses read-only memory for security reasons. On the other hand, that also means the vulnerability isn’t persistent — it’ll require a hardware component, such as a malicious and specially-crafted USB-C cable.

Niels H. said he reached out to Apple to disclose the exploits, but has heard no response. To raise awareness about the issue, he disclosed the vulnerability on his blog.

Who is at risk, and how to protect yourself

According to Niels H., the vulnerability affects all Mac products with a T2 chip and an Intel processor. Since Apple Silicon-based devices use a different boot system, it isn’t clear whether they are also impacted.

Because of the nature of the vulnerability and related exploits, physical access is required for attacks to be carried out.

As a result, average users can avoid the exploits by maintaining physical security, and not plugging in USB-C devices with unverified provenance.

Source link