Hackers Jailbreak T2 Security Chip Used In Macs Using Unpatchable Flaw
Security researchers claim that they have successfully jailbroken the T2 security chip used in MacBooks, iMacs, Mac Pro, and Mac mini. The jailbreak was achieved by combining two exploits originally developed for iPhones.
The T2 security chip is a co-processor included in Macs that contains a Secure Enclave Processor, which protects sensitive data and parts of the operating system, including passwords, Touch ID authentication data, secure boot, and even storage encryption. The chip also handles hardware video acceleration, especially for encrypted video streams such as 4K Netflix playback. The iPhone exploits, checkm8 and blackbird, can be used to gain full control of a Mac, modify encrypted data, or access critical functions of the operating system without any restrictions. The flaw has been tested and verified to be working by many security researchers.
The jailbreak works by connecting to a Mac via a USB-C cable and running checkra1n version 0.11.0 during the Mac's boot process. This allows the user to enter Device Firmware Update (DFU) mode without authentication, via the debugging interface in the T2 security chip. According to Belgian security firm ironPeak, it is possible to build a USB-C cable that automates this process and exploits any Mac during boot.
Once hackers gain root access to the T2 chip, they can theoretically read encrypted data and even recover passwords.
Of course, hackers need physical access to the Mac in order to exploit it. In most scenarios users would be safe, but the flaw does open the door for Macs to be stolen and resold on the used market. The hack would also allow law enforcement agencies to gain access to Macs that would previously have been locked out by the T2 security chip.
At the time of writing, Apple has not acknowledged this issue publicly. The flaw is also believed to be unpatchable via a software update, but we will let Apple make the final call on that. Those who suspect their Mac has been tampered with can reinstall bridgeOS on the T2 chip using the Apple Configurator app.