A security researcher states that Apple T2 chips contain an unpatchable vulnerability making it possible for hackers to bypass Mac’s disc encryption, firmware, passwords and so on.
“The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone X since it contains a processor based on the iOS A10 processor. Exploitation of this type of processor is very actively discussed in the /r/jailbreak subreddit.
So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.
Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.
According to Hofmans, this vulnerability can’t be patched. At the same time, he says it’s not a “persistent vulnerability”. This Hofmans claim means that a hacker would need a hardware insert, or a kind of “other attached component” like a malevolent USB-C cable, to take advantage of this vulnerability.
Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately. They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment.
This report also contains information saying that Find My Mac feature for remote Apple Devices locking can be bypassed if you lost your Mac or it was stolen.
The blog also says that this vulnerability was reported to Apple more than once, but they did not respond. It looks like Apple isn’t going to release a public statement. Instead, the chances are, they will just develop a new patched T2 chip for the next Macs. According to the report, the bottom line is that "macOS devices are no longer safe to use if left alone, even if you have them powered down." Checkra1n jailbreak and checkm8 exploit are the tools used to brute-force a FileVault2 volume password, adjust your macOS installation, and load arbitrary kernel extensions. Once again, the report emphasizes that the physical access is the only way to accomplish that.
Other security expert Will Strafach has responded to this post via Twitter to calm things down about this issue:
Strafach agreed with ironPeak’s statement that Apple was supposed to respond to this issue somehow. This is what he said:
“Apple should have really said something by now. I think it is causing more confusion by not directly addressing the matter.”
The CheckM8 Dev Team has developed a software for bypassing Activation, EFI firmware, System PIM and MDM Lock on Mac device with Apple T2 Security Chip.
Checkm8 is a reliable tool for remote iCloud Activation Lock Screen removal on iPhone & iPad running on iOS 12.4 up to iOS 14.3
Checkm8 is ready to remove a passcode and unlock Disabled iPhone & iPad running on iOS 13 up to iOS 13.7
Easily Bypass Mac Activation Lock Screen on your computer even if you forgot the correct Apple ID and password.
The CheckM8 tool provides a quick solution to remove Mac EFI security firmware (BIOS) password protection
Use CheckM8 Software to remove iCloud System Pin passcode Lock on Mac T2 device just in 1 click!
Unlock MacBook without MDM key distantly using CheckM8 Mac MDM bypass software.
FixM8 Utility designed for reset iPhone or iPad without Apple ID (iCloud) password, updating iOS and iTunes to factory settings.
Software was designed to Bypass MDM (Mobile Device Management) Configuration Profile on any iPhone & iPad running up to iOS 14.3