Published in PC Hardware

Apple’s T2 security chip has an unfixable bug

by on13 October 2020

Shedloads of threats

While Apple’s T2 security chip appears mostly to help Jobs’ Mob control its Walled Garden of delights, it apparently is not very good at security.

A recently released tool is letting anyone use a bug in the chip to bypass it and gain system access.The flaw is one that researchers have been using for more than a year to jailbreak older models of iPhones, but the fact the T2 chip is vulnerable in the same way creates a new host of potential threats.

And what is bad for Apple is that the flaw is ultimately unfixable in every Mac that has a T2 under the bonnet. The flaw is in low-level, unchangeable code for hardware.

Apple added the T2  as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services.

The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties.

Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS said that the significance is that this chip was supposed to be harder to compromise -- but now it's been done.

The vulnerability, known as Checkm8, has been exploited in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to commit Apple heresy such as putting Linux on the T2 or play Doom on a MacBook Pro's Touch Bar.

The jailbreak can disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data.

Last modified on 13 October 2020
Rate this item
(2 votes)

Read more about: