Feedback & Followups
- Social Media Updates
- Facebook bans QAnon across its platforms — www.nbcnews.com/…
- Instagram has improved its anti-bullying protections a little — about.instagram.com/…
Deep Dive — T2 Jailbreak Update – The Other Shoe Drops
Last week we talked about the fact that the T2 chip could be jailbroken, and that it had been added to the checkra1n jailbreak, but that there did not seem to be any security implications. It seemed all you could do was customise the Touch Bar.
A lot can change in a week!
Armed with the jailbreak we learned about last week, security researchers went to work to see what they could do — the answer is, a lot 🙁
Attackers can use the un-patchable flaws in the T2 chip to:
- Bypass activation lock, allowing a stolen Mac to be re-used after all
- Bypass firmware passwords
- Indirectly bypass full disk encryption by adding a keylogger to the EFI firmware and waiting for the owner to log in at least once (perfect for an evil maid attack, but no use for trying to break into a stolen or seized computer)
- Bypass secure boot, allowing Macs to boot unsigned OSes, including booby-trapped versions of macOS
- Execute malicious code during the boot process, potentially injecting malware into an otherwise clean OS as the OS boots
I should also note that there is some speculation that perhaps the vulnerability could be used to speed up brute-force attacks on FileVault full disk encryption. That has yet to be proven, and a strong password would seem to provide a good defence against that potential attack.
As bad as all that sounds, the sky is not falling, and the risk to regular folks is quite low. Why? Because to exploit this flaw, attackers need physical access to your computer, and the Secure Enclave has not been compromised.
Another important subtlety to note is that the jailbreak is not permanent. Just as checkra1n on iOS devices does not survive a reboot, checkra1n on T2 chips doesn’t survive a reboot either. The problem is that the T2 chip rarely reboots itself. It actually remains powered on even when the Mac it’s installed in is powered off. According to security researchers, the only way to be absolutely certain any exploit of a T2 chip has been completely removed is to follow these instructions from Apple to completely re-install all of the Mac’s firmware.
Oh, and in case you’re wondering, the older T1 is not affected by this bug.
This means that when it comes to activation lock, secure boot, keyloggers, booby-trapped OSes, etc., a T2 Mac is now as ‘insecure’ as every Mac before the invention of the T2 chip was, and as every Mac without a T2 chip is. The T2 chip brought added security to Macs, above and beyond what we had already, and above and beyond what non-T2 Macs have today. Some of that additional protection has now fallen away, but not all of it. The addition of a secure enclave to Macs with T2 chips still adds some additional security over non-T2 Macs — most notably, Touch ID, and the secure storage of private keys for things like encryption.
The flaws being exploited here are literally burned into the current T2 chip. A key part of its security is that it cannot be altered, but the price we pay for that protection against tampering is that there is no way to fix bugs!
Apple can manufacture new T2 chips with fixed firmware burned into them, but they can’t fix any of the millions of existing T2 chips out there. There has been no word from Apple about what they’ll do, but I expect they’ll soon release updated T2s, or perhaps even new T3 chips with additional features.
The bottom line — unless you’re a high-value target, this is only really likely to impact you should your Mac get stolen. In that situation attackers can’t steal your data, but they can disable activation lock and profit from selling your computer. If you are a high-value target, don’t ever let your Mac out of your physical control, and replace your Mac as soon as Apple release updated models with patched T2s or replacement T3s.
Links
- Apple’s T2 Security Chip Has an Unfixable Flaw — www.wired.com/…
- Apple’s T2 chip has unpatchable security flaw, says researcher — www.imore.com/…
- T2 vulnerability report had ‘inaccurate’ technical details, says team behind research — www.imore.com/…
- checkra1n and the T2 — blog.rickmark.me/…
- 🎧 Mac security researcher extraordinaire Patrick Wardle interviewed about this jailbreak by Ken Ray: Checklist 202 – The T2 Vulnerability with Patrick Wardle — overcast.fm/…
Notable News
- DuckDuckGo has released privacy-friendly driving and walking directions based on Apple maps — www.macobserver.com/…
- 🇺🇸 The IRS Is Being Investigated for Using Location Data Without a Warrant — www.vice.com/…
Top Tips
Excellent Explainers
Interesting Insights
- Ad Tech Could Be the Next Internet Bubble — www.wired.com/…
- Six Reasons You Should Delete WhatsApp — www.vice.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |