The majority of Mac models released since 2018 to date have contained a T2 security chip.
Apple makes a number of security claims about this chip, stating that “the T2 chip enables a new level of security by including a secure enclave coprocessor that secures Touch ID data and provides the foundation for new encrypted storage and secure boot capabilities.”
Little did Apple know that the T2 chip also contains flaws that inadvertently make Macs less secure and more susceptible to serious local attacks. Apple cannot fix these flaws via a firmware update, so affected Macs are unpatchable and will remain vulnerable.
How T2 makes Macs insecure
Belgian cybersecurity consulting firm ironPeak, which wrote a detailed overview of the problem, summarizes several of the ways an attacker could leverage the T2’s design flaws:
TL;DR: recent Macs (2018-2020, T2 chip) are no longer safe to use if left alone and physical access was possible, even if you had them powered down.
• The root of trust on macOS is inherently broken
• [An attacker] can bruteforce your FileVault2 volume password
• [An attacker] can alter your macOS installation [i.e. install malware]
• [An attacker] can load arbitrary kernel extensions
The technical stuff
A team of security researchers discovered that it’s possible to borrow exploits used for iPhone jailbreaking to attack the T2 chip. This is possible in part because the T2 is based on the A10 chip in the iPhone 7 and 7 Plus, two iPad models (6th and 7th generation), and the current iPod touch (7th gen).
By leveraging the checkm8 exploit and blackbird vulnerability, a local attacker can gain full root access and kernel execution privileges on any Mac with a T2 chip.
Since the flaw resides in read-only memory (ROM), Apple cannot simply release a firmware patch to protect affected Macs. According to researchers, Apple would need to physically replace hardware to fix the issue.
Thankfully, FileVault 2 full disk encryption isn’t completely broken; an attacker still needs your password to access a FileVault-encrypted disk. However, an attacker could obtain that password by injecting a keystroke logger into the T2 firmware.
It’s also noteworthy that the flaw does require an attacker to have physical access to a Mac.
How to protect your Mac from T2’s vulnerabilities
As scary as they may seem, most Mac users probably don’t need to worry too much about the T2 flaws.
If you’re a politician, activist, journalist, government employee, someone with access to highly sensitive information or trade secrets, or if you travel internationally to certain countries, you’re more likely to be targeted by a sophisticated threat actor. Most other Mac users probably shouldn’t lose sleep over T2 exploits.
However, if you’re concerned about such attacks, there are a few things you can do to help protect your Mac from exploitation.
- Don’t let your Mac out of your sight. This includes at security checkpoints such as airport security or border crossings, especially when visiting a foreign country. If you need to travel internationally, consider bringing along a burner phone with a VPN, and leave your usual iPhone, iPad, or MacBook at home with someone you trust.
- Don’t let your Thunderbolt, USB-C, or laptop power cables out of your sight. An attacker could swap out your cables for maliciously modified versions that are indistinguishable from Apple’s genuine cables. Researchers have demonstrated that T2 attacks and other attacks are achievable with a modified cable; a similar attack is demonstrated in the video below.
- Buy a new Mac once Apple fixes these flaws.
Introducing the OMG Keylogger Cable!
Follow along for early access. It took us over a year to create, and we are happy to announce it during @defcon once again.
— _MG_ (@_MG_) August 7, 2020
How can I learn more?
For many more technical details about the T2 flaws, you can refer to ironPeak’s write-up: Crouching T2, Hidden Danger.
We discussed the T2 flaws on episode 158 of the Intego Mac Podcast. Be sure to subscribe to make sure you don’t miss any episodes. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.