Hackers claim they can jailbreak Macs, MacBooks with Apple's T2 security chip
This jailbreaking involves combining two exploits - the Checkm8 exploit from last year and the Blackbird vulnerability unveiled this August. And it's both dangerous and unpatchable.
Security researchers have claimed that by combining two exploits that were initially developed to jailbreak iPhones, they can also jailbreak Macs and MacBooks that come with Apple's latest T2 security chips.
The process is admittedly complex, but the technique of combining the two exploits has been mentioned on Twitter and Reddit over the past few weeks, reports ZDNet. And it has also been tested and confirmed by several of Apple's top security and jailbreaking experts.
"checkm8 + blackbird and the T2 SEP is all yours..." — Siguza (@s1guza), September 5, 2020
If the exploits are used correctly, the jailbreaking technique in question allows users and attackers to gain full control over a device: they can modify core OS behaviour, retrieve sensitive or encrypted data, and even plant malware.
What are Apple's T2 chips?
Apple's T2 chip is a special co-processor that is installed along with the main Intel CPU on the Apple iMac, Mac Pro, Mac Mini and MacBooks - basically, all of Apple's modern computers.
The T2 chips were introduced in 2017 and have been a part of all Apple devices sold since 2018. The T2 functions as a separate CPU and, by default, handles audio processing and various low-level I/O functions to take some load off the main CPU.
These chips also serve as security chips (Secure Enclave Processor or SEP) that process sensitive data like cryptographic operations, KeyChain passwords, TouchID authentication along with the device's encrypted storage and secure boot capabilities. They essentially play a significant role in every Apple desktop device.
How does this jailbreak work?
According to ZDNet, security researchers have figured out a way to break T2s and have found a way to run code inside the security chip during its boot-up routine and alter its normal behaviour.
Breaking in involves combining two other exploits that were initially designed to jailbreak iOS devices: Checkm8 and Blackbird. The hack works because T2 chips and iPhones share some of the same underlying hardware and software features.
According to a post from Belgian security firm ironPeak, jailbreaking a T2 chip involves connecting to a Mac or MacBook over a USB-C cable and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac's boot-up process.
"With @checkra1n 0.11.0, you can now jailbreak the T2 chip in your Mac. An incredible amount of work went into this and it required changes at multiple levels. There's too many people to tag, but shoutout to everyone who worked on getting this incredible feature shipped." — Jamie Bishop (@jamiebishop123), September 22, 2020
According to ironPeak, this works because "Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication".
"Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot," ironPeak explained in its post.
Once the software has run, an attacker (or the device's owner) has root access on the T2 chip and can modify or take control of any process running on the device. They can even recover encrypted data.
The dangers of this process are rather obvious. Any Mac or MacBook left unattended can be compromised by pretty much anyone who can connect a USB-C cable, reboot the device and run Checkra1n 0.11.0 on it. And that can happen pretty much anywhere.
Alternatively, this new jailbreaking method also opens new avenues for law enforcement investigation tools, which could allow investigators to access suspects' Apple laptops and desktops and retrieve information, even encrypted data.
Sorry, this jailbreak is unpatchable
Since the whole jailbreak is rooted in hardware, all T2 chips are considered unpatchable. The only way to deal with the aftermath is to reinstall bridgeOS, the operating system that runs on T2 chips.
"If you suspect your system to be tampered with, use Apple Configurator to reinstall bridgeOS on your T2 chip described here. If you are a potential target of state actors, verify your SMC payload integrity using e.g. rickmark/smcutil and don't leave your device unsupervised," ironPeak said in its post.