Cybersecurity researchers have claimed that there is an unpatchable flaw in Apple's T2 security chip that can be exploited by hackers to plant malware and decrypt data. The security flaw potentially affects all iMacs, MacBooks and Mac Pro that were released in 2018 or later.

As for the exploit, it's complex but can be done using just a USB-C cable. Cybersecurity researchers combined two exploits that were originally developed for jailbreaking iPhones to break into a T2 chip that if done correctly can allow a hacker full control over the Apple device.

16-inch MacBook Pro
MacBooks, MacBook Pros and iMacs with T2 chips are vulnerable to the hacking attempts using a USB-C cable Apple

T2 Chips

Apple introduced its famed T2 chip, a custom silicon, for an added layer of security and as a co-processor that could assist the main Intel CPU carrying out image and audio signal processing and hosting several controllers. However, its main purpose was to process various security features such as TouchID authentication, storage encryption, secure boot and other cryptographic operations.

That way, the T2 chip can free up CPU usage so that it can take on heavier tasks. This was also at a time when Intel processors were plagued by chip-level vulnerabilities such as Meltdown, ZombieLoad and Spectre. As T2 chips boot up before the main Intel processor, users' encrypted data remained safe.

How Does T2 Chip Hack Work?

However, if you think that Macs are safe from such hacks, you are mistaken. The recent revelation points toward an unfixable flaw in T2 design. Cybersecurity researchers combined Blackbird and Checkm8 exploits — both initially developed for iOS jailbreaking — to hack the T2 chip. The iOS jailbreaking methods work because of similar hardware and software features with iPhones.

T2 Chip
Apple added ARM-based T2 chips for added security layer in MacBooks Apple

All you need is a USB-C cable and Checkra1n jailbreaking software's 0.11.0 version during Mac's boot-up process. Checkra1n's Checkm8 exploit was developed to bypass activation lock on iOS or macOS. The other method helps in avoiding the T2 chip's detection of decryption calls.

As the T2 chip serves as a security chip or Secure Enclave Processor (SEP), when the Checkm8 exploit is run, it would exit with a fatal error if it is in Device Firmware Update (DFU) mode without authentication. But the run of second exploit or Blackbird helps bypass that problem and allows an attacker to take over the system, as per Belgian cybersecurity company ironPeak.

T2 Chip Vulnerability

The combined method works because Apple left the "debugging interface open in the T2 security chip shipping to customers," meaning that it would allow anyone to enter the DFU mode without any authentication as per ironPeak researchers. They added that it would be possible to create a debugging USB-C cable that could automatically exploit the vulnerability.

"An example of cable that can be used to perform low-level CPU & T2 debugging is the JTAG/SWD debug cable found on the internet. Using the debug cable requires demotion however to switch it from a production state, which is possible via the checkm8 exploit," the researchers added.

Malicious cable
JTAG/SWD debug cable can hack the MacBooks and iMacs that were released with T2 chips Twitter

However, the vulnerability is something Apple cannot fix with a patch as the T2 chips read-only memory (ROM) stores the SepOS that protects devices from tampering. But being a ROM, it also prevents any revision. It would require a hardware revision, meaning it can be fixed only with a new Mac device.

Should You Worry?

The short answer is yes. Since the exploits are all over the internet and have been discussed in great detail by the security researchers, actors with malicious intent can take advantage of the vulnerabilities. Any MacBooks from 2018 can be hacked using the method and would also allow law and enforcement to retrieve data that Apple has been refusing so far.

The only way to deal with the vulnerability is to reinstall BridgeOS that runs on T2 chips, once a device is hacked, reported ZDNet. "If you are a potential target of state actors, verify your SMC payload integrity using rickmark/ smcutil and don't leave your device unsupervised," said ironPeak.