Apple T2 security chip might have an unpatchable security flaw

By Ewdison Then/Oct. 5, 2020 11:27 pm EST

The use of a dedicated security chip in computers is hardly new and has become the standard practice to lessen the risk of software-based hacking. Unfortunately, the same finality that gives these chips their security often makes it almost impossible to fix hardware-based vulnerabilities. Just like with the first-gen Nintendo Switch, Apple's own touted T2 security silicon might be vulnerable to an exploit that can't be fixed through a software update. Fortunately, the situation might be less dire than it sounds, depending on your situation.

The Apple T2 chip performs many tasks designed to take the burden and the security risk away from the main Intel CPUs. Those include not just encryption or firmware integrity checks but even audio processing and I/O handling, the latter for monitoring the keyboard. This T2 chip will also be the requirement for Netflix 4K streaming on macOS Big Sur due to its ability to meet Netflix's DRM requirements.

Unfortunately, the T2 chip is based on Apple's A10 processor used for the likes of the iPhone X and is apparently susceptible to the same jailbreaking exploit checkm8. This vulnerability can hijack the boot process of the T2's SepOS mini operating system to try to gain access to the hardware. Thanks to another vulnerability, the chip's defenses against trying to perform decryption processes during a Device Firmware Update (DFU) can be bypassed, leaving it open for hackers to do what they want.

Once they do get access, they can do almost everything except directly decrypt files stored using FileVault 2 encryption. They can, however, inject a keylogger to get your password to decrypt those files, among other things.

According to cybersecurity consultant Niels H., what makes the vulnerability worse is that SepOS is stored in the T2 chip's read-only memory (ROM) which protects it from tampering but also prevents it from being patched with a security fix. The slightly good news is that it requires a special cable and physical access to Macs to make this work. Apple has not yet responded to the researcher's disclosure. Until a fix becomes available, it will be best for owners of affected Macs and MacBooks to physically secure their computers at all times.