By Dan Moren
October 6, 2020 9:18 AM PT
The Mac’s T2 chip is vulnerable…but how vulnerable?
A report this morning from security firm ironPeak alleges that the Apple-made T2 chip found in most recent Macs may have an unpatchable flaw, leaving it vulnerable to arbitrary code execution. The exploit used to take advantage of the flaw is checkm8, a piece of code originally used to jailbreak iPhones, with which the T2 chip shares some underlying commonalities:
The mini operating system on the T2 (SepOS) suffers from a security vulnerability also found in the iPhone 7 since it contains a processor based on the iOS A10. Exploitation of this type of processor for the sake of installing homebrew software is very actively discussed in the /r/jailbreak subreddit.
So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.
Okay, this certainly sounds bad. However, some in the infosec community have pushed back on the actual implications here, notably researcher Will Strafach (aka chronic).
Strafach says that the T2 is indeed vulnerable to checkm8, and has been for some time, meaning that those with physical access to your computer can essentially reboot it into the device firmware upgrade (DFU) mode, and then execute arbitrary code.
However, Strafach also points out that what’s less clear is whether the arbitrary code will last through a reboot:
what is not proven: any sort of useful persistence. property lists on the Data partition could be modified, which is not great, but there is no evidence yet that one can persist unauthorized code through a full and proper reboot.
— Will Strafach (@chronic) October 6, 2020
Which is not to say that there aren’t serious issues here, but more that the risk to the average user remains low. Even ironPeak itself points out that the full-disk encryption afforded by FileVault 2 would prevent giving an intruder immediate access to your data.
As is often the case, the biggest risk presented by this vulnerability is to high-level hacks—i.e. those used by intelligence agencies to target specific personnel within governments or other organizations; the average user is unlikely to encounter such a scenario. But the flaw does remain, and the read-only nature of the T2 chip means that this isn’t something Apple can fix with a software update. (However, a new chip—say, a T3—might very well contain changes to correct for this flaw.)
Apple has, so far, remained quiet about the flaw. The researchers at ironPeak claim they reached out to Apple for clarification and received no response and thus decided to go public with the information they did have.
I’ve reached out to Apple for comment, but have not yet heard back.
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Twitter at @dmoren or reach him by email at firstname.lastname@example.org. His latest novel, The Aleph Extraction, is out now and available in fine book stores everywhere, so be sure to pick up a copy.]