Intel Macs that include one of Apple’s T2 Security Chips can be hacked, allowing an exploit that could allow a hacker to plant malware, circumvent disk encryption and firmware passwords, and more, says a cybersecurity researcher.
Apple’s custom-silicon T2 co-processor is included in newer Macs, handling secure boot capabilities as well as handling encrypted storage, among other controller features.
Hofmans says the vulnerability can hijack the boot process of the T2’s SepOS operating system, allowing bad guys to gain access to the hardware. While the T2 chip would normally exit with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call. However, by using another vulnerability exploited by Team Pangu, Hofmans says it is possible for a hacker to circumvent this check and gain access to the T2 chip.
Once a bad actor has access to the T2 chip, they have full root access and kernel execution privileges. However, they can’t directly decrypt files stored using FileVault 2 encryption. But, since the T2 manages keyboard access, the bad guy could inject a keylogger, allowing them to steal the decryption password.
Hofmans says the exploit can also bypass the remote device locking function (Activation Lock) used by services like FindMy.
Since SepOS is stored in the T2 chip’s read-only memory (ROM), Apple is unable to patch the exploit with a software update. The good news is that it also means the vulnerability isn’t persistent and requires a “hardware insert or other attached component such as a malicious USB-C cable” to work.
Hofmans says he has contacted Apple about the exploit but has not received a response.
Users can keep themselves safe by physically securing their machines and not plugging in untrusted USB-C cables and devices.
Once Apple’s new Apple Silicon Macs are released to the public, those systems may not be affected, as Apple Silicon Macs use a different boot system. However, that has not yet been confirmed.