Security Bits Logo no alpha channel

Security Bits — 10 October 2020

Feedback & Followups

Deep Dive — T2 Jailbreak Update – The Other Shoe Drops

Last week we talked about the fact that the T2 chip could be jailbroken, and that it had been added to the checkra1n jailbreak, but that there did not seem to be any security implications. It seemed all you could do was customise the Touchbar.

A lot can change in a week!

Armed with the jailbreak we learned about last week security researchers went to work to see what they could do — the answer is, a lot 🙁

Attackers can use the un-patchable flaws in the T2 chip to:

  1. Bypass activation lock, allowing a stolen Mac to be re-used after all
  2. Bypass firmware passwords
  3. Indirectly bypass full disk encryption by adding a keylogger to the EFI firmware and waiting for the owner to log in at least once (perfect for an evil maid attack, but no use for trying to break into a stolen or ceased computer)
  4. Bypass secure boot, allowing Macs to boot un-signed OSes, including booby-trapped versions of macOS
  5. Execute malicious code during the boot process, potentially injecting malware into an otherwise clean OS as the OS boots

I should also note that there is some speculation that perhaps the vulnerability could be used to speed up brute-force attacks on FileVault full disk encryption. That has yet to be proven, and a strong password would seem to provide a good defence against that potential attack.

As bad as all that sounds, the sky is not falling, and the risk to regular folks is quite low. Why? Because to exploit this flaw, attackers need physical access to your computer, and the Secure Enclave has not been compromised.

Another important subtlety to note is that the jailbreak is not permanent. Like Checkra1in on iOS devices does not survive a reboot, Checkra1n on T2 chips also doesn’t survive a reboot. The problem is that the T2 chip rarely reboots itself. It actually remains powered on even when the Mac it’s installed in is powered off. According to security researchers, the only way to be absolutely certain any exploit of a T2 chip has been completely removed is to follow these instructions from Apple to completely re-install all the Mac’s firmwares.

Oh, and in case you’re wondering, the older T1 is not affected by this bug.

This means that when it comes to activation lock, secure boot, keyloggers, boobytrapped OSes, etc., a T2 Mac is now as ‘insecure’ as every Mac before the invention of the T2 chip was, and as every Mac without a T2 chip is. The T2 chip brought added security to Macs, above and beyond what we had already, and above and beyond what non-T2-Macs have today. Some of that additional protection has now fallen away, but not all of it. The addition of a secure enclave to Macs with T2 chips still adds some additional security over non-T2-Macs — most notably, TouchID, and the secure storage of private keys for things like encryption.

The flaws being exploited here are literally burned into the current T2 chip. A key part of its security is that it cannot be altered, but, the price we pay for that protection against tampering is that there is no way to fix bugs!

Apple can manufacture new T2 chips with fixed firmware burned into them, but they can’t fix any of the millions of existing T2 chips out there. There has been no word from Apple about what they’ll do, but I expect they’ll soon release updated T2s, or perhaps even new T3 chips with additional features.

The bottom line — unless you’re a high-value target this is only really likely to impact you should your Mac get stolen, in that situation attackers can’t steal your data, but they can disable activation lock and profit from selling your computer. If you are a high-value target, don’t ever let your Mac out of your physical control, and replace your Mac as soon as Apple release updated models with patched T2s or replacement T3s.

Links

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published.

Scroll to top