Apple’s T2 Security Processor Has an Unpatchable Security Flaw
Apple loves to market itself on security and does so more often than most firms. This is always a risky proposition because nothing yells “Please attack me!” more loudly than advertising the strength of one’s security implementation. In this case, security researchers have found a problem in Apple’s T2 security chip that the company will not be able to patch. As far as anyone is aware, it exists on every T2-equipped system.
Now, one thing to know up-front about this attack is that it’s going to be more of interest to state actors than common hackers. The exploit isn’t persistent, which means booting the machine in this mode requires a malicious USB-C cable or other device loaded with malicious software. Individuals using FileVault2 should be aware this security breach doesn’t grant access to your data — but one of the things an attacker could do with the machine is load a keylogger into the T2 security processor and store your passwords for later retrieval.
The security researcher who published the exploit, axi0mX, writes that the flaw allows an attacker to whitelist any kernel extension, load a keylogger directly into firmware, and potentially achieve a semi-tethered exploit, though this seems of limited value in-context unless the malicious USB-C cable could also function as the Mac’s primary power cable and somehow do its dirty work that way. This scenario is not addressed in the blog post but we can assume any laptop is being plugged in on a regular basis.
axi0mX writes: “I have sources that say more news is on the way in the upcoming weeks. I quote: be afraid, be very afraid.”
Whether that’s actually true, I guess we’ll see. According to the researcher, he approached Apple about this problem, reached out to Tim Cook personally, and attempted to raise the issue with various websites. He’s now published “almost all” of the exploit details after failing to get a response from anyone. He summarizes his own claims as follows:
- The root of trust on macOS is inherently broken
- They can bruteforce your FileVault2 volume password
- They can alter your macOS installation
- They can load arbitrary kernel extensions
- Only possible on physical access
The last point makes the previous points mostly a non-issue, but not entirely. Corporate espionage is definitely a thing, as is the targeting of specific individuals for knowledge extraction. We’ve written about a highly-specific malware attack hidden in Asus’ LiveUpdate software that was designed to target the computers of very specific people.
It is no longer the stuff of science fiction to imagine that a state actor might infiltrate the computers of specific people, who may have no idea they are targets of interest or under attack. While these attacks are still spectacularly unlikely in absolute terms, there is a group of people for whom this type of threat is very real.
axi0mX believes the reason Apple hasn’t responded to his entreaties is that they hope to release a new version of T2 that lacks this problem as part of the 5K iMac refresh. This exploit also is only relevant to x86 Macs — the new ARM-powered Macs will presumably lack this issue. For now, only Macs purchased between 2018 – 2020 have this problem. While there’s no patching it, it shouldn’t be an issue for the vast majority of Apple owners. If you’re using a 2018 – 2020 Mac and you regularly have access to materials that your company or the government would consider trade secrets or other genuinely sensitive material, it may be worth keeping an eye on this.
As for Apple’s security flaw, I’d expect events like this to renew calls for silicon companies to open up their security work so more researchers can see how the pieces fit together — and I wouldn’t expect Intel, AMD, or Apple to suddenly start opening any of their respective black boxes on this issue. Security remains a topic the wider silicon industry is more interested in keeping quiet about than transparently discussing — at least, where specific hardware implementations are concerned.