Jailbreakers claim they have learned how to hack Apple T2 chips

The researchers say that by combining two exploits originally designed for hacking iPhones (Checkm8 and Blackbird), they can also hack macOS devices that are equipped with Apple’s T2 security chips.

Although exploiting these vulnerabilities is still difficult, the technique of chaining the two exploits has been mentioned repeatedly on Twitter and Reddit in recent weeks, and as a result has attracted the attention of information security experts, who have since verified and confirmed the claims.

“This method allows users/hackers to gain full control over devices, change OS behavior, organize the extraction of confidential or encrypted data, and even install malware,” the researchers say.

Let me remind you that Apple T2 chips were officially introduced in 2017, and since 2018 almost all Apple devices (iMac, Mac Pro, Mac mini and MacBook) have shipped with one. In fact, T2 is a co-processor that by default handles audio processing and various low-level tasks, thereby taking load off the main processor.

The Apple T2 also acts as a security chip: it contains the Secure Enclave Processor (SEP), which is responsible for processing sensitive data, including cryptographic operations, Keychain passwords and Touch ID authentication, and which supports encrypted storage and secure device boot.

Researchers came up with a method to crack the T2 and found a way to run arbitrary code on the security chip at boot time, altering its normal behavior. As mentioned above, the attack requires combining two other exploits that were originally developed to jailbreak iOS devices, namely Checkm8 and Blackbird.

This approach works because the Apple T2 and the iPhone share common hardware and software components.

According to the Belgian information security company IronPeak, hacking the T2 requires connecting to a Mac or MacBook via USB-C and then launching the Checkra1n team’s jailbreak tool, version 0.11.0, during device boot. As a result, the attacker gains root access to the T2 chip and can take control of literally everything running on the target device, as well as recover encrypted data.

Researchers explain why this method works:

“Apple has kept the debug interface open in T2, which allows anyone to enter Device Firmware Update (DFU) mode without authentication. Using this approach, you can create a USB-C cable that will automatically exploit macOS devices at boot time.”

The dangers associated with the new hacking technique are clear. Basically, now any Mac or MacBook left unattended can be hacked by a person who simply plugs in a USB-C cable, reboots the device, and launches Checkra1n 0.11.0. This method also opens up new possibilities for law enforcement agencies, which will be able to access the Mac and MacBook of suspects and extract information that was previously encrypted.

Unfortunately, this is a hardware issue and cannot be easily fixed. In fact, the only way to mitigate such an attack is to reinstall BridgeOS, the operating system that runs on T2 chips, IronPeak experts say.

Apple has not yet commented on the experts’ findings. But let me remind you that earlier the company had to pay a researcher $100,000 for a “Sign in with Apple” vulnerability.

Let me also remind you that ProtonMail developers say Apple is holding us all hostage.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
