Apple’s T2 security chip is vulnerable to attacks via USB-C

After reports last week that Apple’s T2 security chip could be vulnerable to jailbreaking, the team behind the exploit released a detailed report and demonstration.


Apple’s custom silicon T2 co-processor resides in newer Macs and manages encrypted storage and secure startup functions, as well as various other controller functions. Since the chip is based on an Apple A10 processor, it appears to be vulnerable to the same “checkm8” exploit that was used to jailbreak iOS devices.

The vulnerability allows the T2 boot process to be hijacked to gain access to the hardware. Usually the T2 chip will exit with a fatal error when it is in DFU (Device Firmware Update) mode and detects a decryption call. By using another vulnerability developed by Team Pangu, a hacker can bypass this verification and gain access to the T2 chip.

Once accessed, the hacker has full root access and kernel execution privileges, although they cannot directly decrypt files saved with FileVault 2 encryption. However, since the T2 chip manages keyboard access, the hacker could inject a keylogger and steal the password used to decrypt them. The hacker can also bypass the remote activation lock used by services like MDM and Find My. A firmware password does not prevent this, because entering it also requires keyboard access, for which the T2 chip must already be running.

The exploit can be carried out without user interaction and only requires plugging in a modified USB-C cable. By creating a special device “the size of a charger”, an attacker can put a T2 chip into DFU mode, run the “checkra1n” exploit, upload a keylogger and collect all keystrokes. macOS can remain unchanged through the jailbreak, but all keystrokes can still be logged on Mac laptops. This is because MacBook keyboards connect directly to the T2, which passes the input through to macOS.

A hands-on demonstration shows how checkra1n is run from a host device over USB-C. The target Mac simply displays a black screen while the connected computer confirms that the exploit was successful.

These cables allow access to special debug pins within a USB-C port for the CPU and other chips normally only used by Apple.

Apple has not fixed the vulnerability, and a fix does not appear to be available. For security reasons, the T2’s custom SepOS operating system is stored directly in the chip’s SEPROM. However, this also prevents Apple from patching the exploit via a software update.

In the meantime, users can protect themselves from the exploit by physically protecting their Macs and avoiding plugging in untrusted USB-C cables and devices.


The original news was published and is available at de24.news. The editorial team at AlKhaleej Today has confirmed it; it has been modified, and it may have been completely transferred or quoted from that source, where you can read and follow this news.