The ad-hoc team, who call themselves Team t8012 after Apple’s internal name for the chip, believe that nation-states may already be using this approach.
We recently reported that it could be done.
Speculation that the T2 security chip on modern Macs can be hacked has been confirmed by the team behind the research. A combination of two different exploits would give a hacker the ability to modify the behavior of the chip, and even plant malware like a keylogger inside it.
All Macs sold since 2018 contain the T2 chip, and because the attack uses code in the read-only memory section of the chip, there is no way for Apple to patch it.
The attack involves using two exploits used to jailbreak iPhones. The reason they can also be used on Macs is because the T2 security chip is based on the A10 chip used in older iPhones.
The team has now provided a practical demonstration. A video shows them plugging a USB-C cable into a Mac, and checkra1n being run. The target machine goes to a black screen while the connected computer confirms that it was successfully executed. Note that the connected computer is only verifying the success of the operation — the attack is performed using nothing more than a chip in the cable.
A second video proves that it succeeded by modifying the Apple logo seen during startup.
The T2 exploit team is also working on demonstrating the installation of a keylogger.
Team t8012’s Rick Mark told me that his motivation to participate in the T2 research was because he was convinced it was possible and might already be in use. While the need for physical access to the Mac means it can only be used for very targeted attacks, he suspects that nation-states are using it, and potentially organized crime too.
Mark says there’s nothing Apple can do to prevent the exploit in existing T2 Macs, but the company could provide a tool to verify the integrity of the machine against checkm8 and flag a failure.
I suggested that Apple could fix the issue in future chips with some kind of encrypted comms that only enables DFU for devices with the right codes, and he confirmed that this would work “but I think that’s again putting a lot of trust in them to do it right … without having any data that it would do so.”
For example, Mark said, Apple has released six new Mac models since the checkm8 exploit became public, by which point Apple should have known the T2 chip was vulnerable.
One of the interesting things to emerge from their research is the way the Mac assigns functionality to its USB-C ports.
One of the interesting questions is how does the Macs share a USB port with both the Intel CPU (macOS) and the T2 (bridgeOS) for DFU. These are essentially separate computers inside of the case sharing the same pins. Schematics of the MacBook leaked from Apple’s vendors (a quick search with a part number and “schematic”), and analysis of the USB-C firmware update payload show that there is a component on each port which is tasked with both multiplexing (allowing the port to be shared) as well as terminating USB power delivery (USB-PD) for the charging of the MacBook or connected devices. Further analysis shows that this port is shared between the following:
- The Thunderbolt controller which allows the port to be used by macOS as Thunderbolt, USB3 or DisplayPort
- The T2 USB host for DFU recovery
- Various UART serial lines
- The debug pins of the T2
- The debug pins of the Intel CPU for debugging EFI and the kernel of macOS
Like the above documentation related to the iPhone, the debug lanes of a Mac are only available if enabled via the T2. Prior to the checkm8 bug this required a specially signed payload from Apple, meaning that Apple has a skeleton key to debug any device including production machines. Thanks to checkm8, any T2 can be demoted, and the debug functionality can be enabled.
You can read the blog post here. We’ve reached out to Apple for comment and will update with any response.
FTC: We use income earning auto affiliate links. More.