A cybersecurity researcher has declared that Macs using Intel processors and T2 chips are vulnerable to an unpatchable security flaw that may provide attackers with root access.
Niels Hofmans, an independent cybersecurity researcher, said in a blog post that since the T2 chip is based on the Apple A10 processor, it is vulnerable to the checkm8 exploit. This could allow attackers to circumvent Activation Lock and carry out other malicious attacks.
Hackers could use the exploit to hijack the startup process of T2’s SepOS operating system to gain access to the hardware. They can also take advantage of the vulnerability to cooperate with another exploit developed by Pangu to circumvent the DFU Export Security mechanism.
Once an attacker gains access to the T2 chip, they will have the full root access and kernel execution privileges. Although they cannot decrypt files protected by FileVault encryption, the T2 chip manages keyboard access, so they can inject keyloggers and steal passwords.
The exploit may also bypass the remote device locking function that’s used by services like MDM and FindMy, which means that one can bypass the functionality of locking an Apple device remotely. A firmware password does not alleviate the issue because it requires keyboard access.
For security reasons, SepOS is stored in the read-only memory of the T2 chip, but this also prevents Apple from patching the flaw through software updates. On the bright side, it also means that the exploit is not persistent, so it requires hardware plug-in or other connected components, such as a malicious USB-C cable to work.
Hofmans stated that he has contacted Apple about this vulnerability, but is still waiting for a response. Meanwhile, everyday users can protect themselves by avoiding the insertion of untrusted USB-C cables and devices.