
Security researchers have confirmed that by combining two exploits that were initially developed to jailbreak iPhones, hackers can also jailbreak Macs and MacBooks that come with Apple’s latest T2 security chips.
T2 chips were announced in 2017 and began shipping with all Apple devices sold since 2018.
The hacking process is admittedly complex, but the technique of combining the two exploits has been discussed on Twitter and Reddit over the past few weeks, according to a tech report, and it has been tested and confirmed by several of Apple's top security and jailbreaking experts.
If exploited correctly, this jailbreaking technique lets users or attackers gain full control over a device: it can be used to modify core OS behaviour, retrieve sensitive or encrypted data, and even plant malware.
The T2 chips function as a separate CPU, also known as a co-processor. By default, they handle audio processing and various low-level I/O functions in order to take some load off the main CPU.
However, they also serve as a "security chip" - a Secure Enclave Processor (SEP) - that handles sensitive operations such as cryptography, Keychain passwords and Touch ID authentication, as well as the device's encrypted storage and secure boot capabilities.
In other words, they have a significant role in every recent Apple desktop device, where the chips underpin most security features.
Over the summer, security researchers found a way to break the T2 by running code inside the security chip during its boot-up routine and altering its normal behaviour.
The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices, namely Checkm8 and Blackbird. This works because T2 chips and iPhones share some of their underlying hardware and software.
According to a post from Belgian security firm ironPeak, jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac's boot-up process.
Per ironPeak, this works because "Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication."
"Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot," ironPeak said.
This allows an attacker to get root access on the T2 chip and modify and take control of anything running on the targeted device, even recovering encrypted data.
The danger regarding this new jailbreaking technique is pretty obvious. Any Mac or MacBook left unattended can be hacked by someone who can connect a USB-C cable, reboot the device, and then run Checkra1n 0.11.0.
However, the new jailbreaking method also opens the door for new law enforcement investigation tools that could allow investigators to access suspects' Macs and MacBooks to retrieve information that would have been previously encrypted.
Unfortunately, because this is a hardware-level issue, all T2 chips are to be considered unpatchable.
The only way users can deal with the aftermath of an attack is to reinstall BridgeOS, the operating system that runs on T2 chips.