A recently released tool allows anyone to exploit an unusual Mac vulnerability to bypass Apple’s trusted T2 security chip and gain deep access to the system. The flaw is one that researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a whole new set of potential threats. Worst of all, while Apple may be able to slow potential hackers, the flaw is ultimately unfixable on every Mac that has a T2 inside it.
In general, the jailbreak community hasn’t paid as much attention to macOS and OS X as to iOS, because they don’t have the same restrictions and walled gardens that are built into Apple’s mobile ecosystem. But the T2 chip, released in 2017, created some limitations and mysteries. Apple added the chip as a reliable mechanism to secure high-value features such as encrypted data storage, Touch ID and Activation Lock, which works with Apple’s “Find My” services. But T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple’s mobile chipsets from A5 to A11 (2011 to 2017). Now Checkra1n, the same group that developed the tool for iOS, has released support for the T2 bypass.
On the Mac, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2, or to play Doom on a MacBook Pro’s Touch Bar. However, the jailbreak could also be used by malicious hackers to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese jailbreak and security research group Pangu Team, the jailbreak could also be used to obtain FileVault encryption keys and decrypt user data. The vulnerability cannot be patched, because the flaw is in the unalterable, low-level hardware code.
“The T2 is meant to be this safe little black box on the Mac – a computer inside your computer, handling things like applying lost mode, integrity checking, and other privileged tasks,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “So the important thing is that this chip was supposed to be harder to compromise, but now it’s done.”
Apple did not respond to WIRED’s requests for comment.
However, there are some major limitations of the jailbreak that prevent this from being a full-blown security crisis. The first is that an attacker would need physical access to the target device in order to exploit it: the tool can only be run from another device over USB. This means that hackers cannot remotely mass-infect every Mac that has a T2 chip. An attacker could jailbreak a target device and then disappear, but the compromise is not “persistent”; it ends when the T2 chip is reset. However, the Checkra1n researchers caution that the T2 chip itself does not necessarily reboot every time the Mac does. To be sure that a Mac has not been compromised by the jailbreak, the T2 chip must be fully restored to Apple’s defaults. Finally, the jailbreak does not give the attacker instant access to a target’s encrypted data. It could allow hackers to install keyloggers or other malware that could then capture the decryption keys, or it could facilitate brute-forcing, but Checkra1n is not a silver bullet.
“There are many other vulnerabilities, including remote ones that certainly have a greater security impact,” a member of the Checkra1n team tweeted on Tuesday.
In a discussion with WIRED, the Checkra1n researchers added that they see the jailbreak as a necessary tool for transparency about T2. “It is a unique chip and has differences from iPhones, so having open access is helpful to understand it at a deeper level,” said a member of the group. “It used to be a complete black box and now we can analyze it and find out how it works for security research.”