A security researcher states that Apple T2 chips contain an unpatchable vulnerability making it possible for hackers to bypass Mac’s disc encryption, firmware, passwords and so on.
“The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone X since it contains a processor based on the iOS A10 processor. Exploitation of this type of processor is very actively discussed in the /r/jailbreak subreddit.
So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.
Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.
According to Hofmans, this vulnerability can’t be patched. At the same time, he says it’s not a “persistent vulnerability”. This Hofmans claim means that a hacker would need a hardware insert, or a kind of “other attached component” like a malevolent USB-C cable, to take advantage of this vulnerability.
Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately. They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment.
This report also contains information saying that Find My Mac feature for remote Apple Devices locking can be bypassed if you lost your Mac or it was stolen.
The blog also says that this vulnerability was reported to Apple more than once, but they did not respond. It looks like Apple isn’t going to release a public statement. Instead, the chances are, they will just develop a new patched T2 chip for the next Macs. According to the report, the bottom line is that "macOS devices are no longer safe to use if left alone, even if you have them powered down." Checkra1n jailbreak and checkm8 exploit are the tools used to brute-force a FileVault2 volume password, adjust your macOS installation, and load arbitrary kernel extensions. Once again, the report emphasizes that the physical access is the only way to accomplish that.
Other security expert Will Strafach has responded to this post via Twitter to calm things down about this issue:
Strafach agreed with ironPeak’s statement that Apple was supposed to respond to this issue somehow. This is what he said:
“Apple should have really said something by now. I think it is causing more confusion by not directly addressing the matter.”
The CheckM8 Dev Team has developed a software for bypassing Activation, EFI firmware, System PIM and MDM Lock on Mac device with Apple T2 Security Chip.
We value our customers and offer beneficial partnerships to wholesale and small businesses. We are happy to work with repair shops, workshops, GSM repair, etc. We offer flexible pricing on our services and software to our partners. At the moment, we are supporting some of the most popular GSM-services, including GMS Fusion and DHRU. We develop client's systems and connect reseller websites to our services through API connections or online.