Apple T2 Chip Flaw Allows Root Access
MacOS operating systems with T2 security chips could give hackers root access. The flaw exists in the T2 chip, which is the second-generation version that provides increased security. T2 secures its Touch ID as well as providing the foundation for encrypted storage and secure boot capabilities. Macs sold between 2018 and 2020 have the embedded T2 chip and are vulnerable.
Hackers would need physical access to the device to launch an attack. If they are able to steal a victim's device, hackers could then exploit the issue in order to gain root access. That includes brute-forcing FireVault2 volume passwords, altering the macOS installation and loading arbitrary kernel extensions.
The issue affecting the T2 chip stems a combination of two existing problems. First of all, the T2 chip is based on the A10 processor, meaning it is open to a previously disclosed, un-patchable bug affecting millions of iPhones that gives attackers system-level access. This flaw can be exploited via a jailbreak hack called the checkm8 exploit.
Checkm8 leverages what is called a bootROM vulnerability. BootROM refers to read-only memory (ROM) that holds startup instructions for iPhones. Because the memory is read-only, the exploited vulnerability can't be patched via a security update. In September, the checkra1n, based on Checkm8, was officially released and promoted as an easy way to jailbreak iOS devices. A second issue, called the blackbird vulnerability and disclosed by team Pangu in August, allows hackers to bypass the secure boot of the secure enclave processor to circumvent this check. Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution. Hackers can inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval.
Apple hasn't publicly acknowledged the flaw so we don't know if a fix is in the works. To protect your devices, don't plug in USB-C devices from non-name brands since the flaw requires physical access to your device. Be careful not to leave your Mac system where someone might have easy access to it.