Apple’s T2 security chip has an unfixable flaw

[Image: 2014 Mac mini and 2012 Mac mini]

The 2014 Mac mini is pictured here alongside the 2012 Mac mini. They looked the same, but the insides were different in some key—and disappointing—ways. (credit: Andrew Cunningham)

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside.

In general, the jailbreak community hasn't paid as much attention to macOS and OS X as it has iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware.


chscag

Some scary stuff here. The T2 chip was supposed to make your Mac more secure. Instead it has turned out to be a big headache in more ways than one.

Above is another. :rolleyes: (n)
 
Some scary stuff here. The T2 chip was supposed to make your Mac more secure.

Yup... and you include two very important and critical words, Charlie: "supposed to". It seems as though they tried to take a few too many shortcuts and didn't think through, very carefully, some of the things it is supposed to help with.

- Patrick
 
The T2 chip cannot be exploited remotely by Checkra1n. In all fairness, is there any device for which physical access does not create a vulnerability?

Yes, the purpose of the T2 chip is to protect against physical-access-based vulnerabilities, and it fails to do that to a certain point. But even the Wired article admits, quote:
Finally, the jailbreak doesn't give an attacker instant access to a target's encrypted data. It could allow hackers to install keyloggers or other malware that could later grab the decryption keys, or it could make it easier to brute-force them, but Checkra1n isn't a silver bullet.

In other words, this vulnerability alone does not allow access to the encrypted data. It could allow installation of malware for capturing passwords and/or encryption keys for accessing the data. Good luck with brute-forcing 256-bit AES encryption keys.

There are easier methods, especially for state actors, to access encrypted data, from xkcd.com:

[Image: easy.png]