Wednesday, October 7, 2020

checkra1n T2 Exploit

Niels Hofmans (Hacker News, MacRumors):

The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone 7 since it contains a processor based on the iOS A10. Exploitation of this type of processor for the sake of installing homebrew software is very actively discussed in the /r/jailbreak subreddit.

So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.

Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.

Since sepOS/BootROM is Read-Only Memory for security reasons, interestingly, Apple cannot patch this core vulnerability without a new hardware revision. This thankfully also means that this is not a persistent vulnerability, so it will require a hardware insert or other attached component such as a malicious USB-C cable.


I’ve reached out to Apple concerning this issue on numerous occasions[…]. Since I did not receive a response for weeks […] I am hereby disclosing almost all of the details. You could argue I’m not following responsible disclosure, but since this issue has been known since 2019, I think it’s quite clear Apple is not planning on making a public statement and quietly developing a (hopefully) patched T2 in the newer Macs & Silicon.

Dan Moren:

Strafach says that the T2 is indeed vulnerable to checkm8, and has been for some time, meaning that those with physical access to your computer can essentially reboot it into the device firmware upgrade (DFU) mode, and then execute arbitrary code.

However, Strafach also points out that what’s less clear is whether the arbitrary code will will last through a reboot:


People should really chill down regarding T2 publicly exploited. The vulnerability has been public for more than a year now and always been there on T2. Moreover, there are plenty of other vulnerabilities, including remote ones that undoubtedly have more impact on security.

If anything, our exploit enables researches to explore the internals more closely, possibly uncovering other issues that may lead to greater security on the mac; as well as allowing better repairability for otherwise pricy repairs or worse, issues Apple bluntly refuses to handle.


The biggest issue with this is that Apple cannot patch it via an update like most of other security issues

Update (2020-10-09): See also: Patrick Wardle.

Update (2020-10-14): Ben Lovejoy (tweet, also: MacRumors):

The T2 exploit team who found a way to take over the security chip in modern Macs has demonstrated a way to do so without user intervention — using nothing more than a modified USB-C cable.

The ad-hoc team, who call themselves Team t8012 after Apple’s internal name for the chip, believe that nation-states may already be using this approach.

10 Comments RSS · Twitter

So on more or less the same day we have Netflix saying that a T2 chip is required to play 4K videos as an anti-piracy measure that is more than a little annoying for all the other Mac users paying for Netflix, and that the T2 chip can readily be compromised, presumably defeating whatever anti-piracy measure Netflix is relying on, leaving just the annoyance…

The emperor's clothes are looking rather thin... Apple likes to pretend that it's good at security. But it gets so much wrong, both with its own hardware, and online:

Old Unix Guy: Are you claiming they're *not* good at security? By what metrics? On the face of it, I'd say it looks pretty good to have a bounty program, and security exploits that got fixed in only a few hours.

We'd all prefer to have fewer security holes, of course, but it's obviously not at issue that they have any at all. I'm sure every big company does. I've never once read a write-up from a professional tiger team that said "We attacked this company's computer networks for 3 months and found zero exploits."

This isn't The Emperor's New Clothes, unless I'm misremembering that story and it was about an emperor wearing a robe with a few holes in it, and when a kid pointed them out, the emperor patched them right away, and then paid the kid $50,000 for the help, and gave permission for the kid to write a newsletter about each of the holes and distribute it around the kingdom.

Yes, Sam, sorry to burst your bubble, but I believe that not only does Apple like to claim they are better at security than their competitors, but also that they aren't. Some of these bugs are incredibly trivial. These bugs are not wizardry, they're intern-made-a-mistake type errors.

Five security professionals were paid $50k for 15 months of work. (Finding bugs no one knows about takes time.). These were very nice guys who clearly weren't out to make a buck. They each got $10k for their efforts ($40k per year). The fact they got access to the iOS source code so easily makes me judge it extremely unlikely that others who are motivated by money haven't exploited this or other similar holes previously to download said source-code. There is a very good incentive for less scrupulous people to do so: each iOS exploit can sell for millions of dollars, and having the source-code makes finding exploits easier.

In my book, if you claim to have good security, you'd better have great evidence that you do. If you charge higher prices for the appearance of security which is not real, you're cheating your customers and those companies which actually do create secure software. Developing secure software is difficult, and costs a lot more. It can be done ( ) and Apple has enough money to do it, but they don't.

Old Unix Guy-
Windows, by comparison. A vast wasteland of exploits and vuln's.
Mac is absolutely worth the extra $$.
No Auto-updates (unless YOU choose)

Have you used windows?

Old Unix Geek

@max merch

You're comparing MacOS to Windows. However what I was mostly referring to are all the online-services (iCloud) etc, which got hacked in the article I linked to. That's relevant because Apple pushes people to use them.

Yes I've used Windows many times in my career. Most recently, I had no choice because Apple dropped CUDA support. Windows 10 professional wasn't as bad as I expected. Defrag is automatic on Win10 when needed (it's not needed for SSD drives). And I prefer some of the 3rd party software on it.

As to vulnerabilities, OpenBSD or Linux are even better than MacOS. Unix has historically been more secure than Windows, however it is not bullet proof. A lot of the difference in terms of the number of exploits is simply that fewer people use the Mac, particularly fewer businesses, which makes it less attractive to hack. Apple's new "solution" is app-signatures, which does not provide actual security, and is only of some value when mitigating a problem once it has been detected. True security actually is hard and takes work (see my SeL4 link). Apple has never provided that, only something better than Windows. For a while, Mac was the sweet point, but it is catching down to Windows... and I I'm grumpy because I expect software to get better like hardware does.

Developing secure software is difficult, and costs a lot more. It can be done ( ) and Apple has enough money to do it, but they don’t.

The big question is always how much more scrutiny other systems would get if they had as many sales.

I’m also not sure what you’re trying to say with your link. Mathematical proof in the context of non-trivial software is often prohibitively expensive, and your assertion that Apple could afford to isn’t, ironically, proven.

For a while, Mac was the sweet point, but it is catching down to Windows… and I I’m grumpy because I expect software to get better like hardware does.

This I agree with. Apple software quality needs to do better.

Mathematical proof in the context of non-trivial software is often prohibitively expensive, and your assertion that Apple could afford to isn’t, ironically, proven.

I would say SeL4 is non-trivial software (an operating system kernel) developed by NICTA, which relied on Australian government grants (i.e. not much money). Apple is a 2-trillion dollar company (and has a lot of cash). Therefore, it seems reasonable to state that Apple can afford to do this work, if they so choose. I assume they didn't do this work for the operating system that they run on their "secure chips", since it was hacked.

Trust is a finite resource, and when people make grandiose but false claims about their technology, it hurts everyone else in the rest of the field, particularly anyone trying to actually solve real problems. It's basically a form of theft: stealing the credibility of an entire field for the sake of one's own short term financial gain. If customers shunned such behavior, companies would be forced to deliver what they promised and things would improve. Therefore it is to society's benefit not to stay silent on the grandiose but false claims of companies, or individuals for that matter. If companies don't want to invest in software security, so be it, but then everyone else should not tolerate any claims they make about how wonderful their security is.

Also, formal verification for SeL4 wasn't as expensive as one might think:

The researchers state that the cost of formal software verification is lower than the cost of engineering traditional "high-assurance" software despite providing much more reliable results. Specifically, the cost of one line of code during the development of seL4 was estimated at around US$400, compared to US$1,000 for traditional high-assurance systems.

(from )

So Apple re-invented Palladium for their Hollywood friends and mainly triages user bugs. How is this quality? How many of you get “help Apple test” spam from a multi-trillion dollar company? This “new Apple” does “Not Invented Here” better than MSFT ever did.

Do you honestly think the “new hardware” is worth it or that Apple is “good at security?”

Old Apple actually was. They didn’t deprecate UNIX core functionality like... uh, *host files* for no reason whatsoever.

But my favorite part of running macOS in the last year is that it only has max 3 days of uptime before I have to reboot or hard shutdown. It doesn’t matter how “good” the new hardware is if the OS is a joke. And Catalina is (still) a joke.

Leave a Comment