Apple’s T2 Security Processor Has an Unpatchable Security Flaw

This site may earn affiliate commissions from the links on this page. Terms of use.

Apple loves to market itself on security and does so more often than most firms. This is always a risky proposition because nothing yells “Please attack me!” more loudly than advertising the strength of one’s security implementation. In this case, security researchers have found a problem in Apple’s T2 security chip that the company will not be able to patch. As far as anyone is aware, it exists on every T2-equipped system.

Now, one thing to know up-front about this attack is that it’s going to be more of interest to state actors than common hackers. The exploit isn’t persistent, which means booting the machine in this mode requires a malicious USB-C cable or other device loaded with malicious software. Individuals using FileVault2 should be aware this security breach doesn’t grant access to your data — but one of the things an attacker could do with the machine is load a keylogger into the T2 security processor and store your passwords for later retrieval.

The security researcher who published the exploit, axi0mX, writes that the flaw allows an attacker to whitelist any kernel extension, load a keylogger directly into firmware, and potentially achieve a semi-tethered exploit, though this seems of limited value in-context unless the malicious USB-C cable could also function as the Mac’s primary power cable and somehow do its dirty work that way. This scenario is not addressed in the blog post but we can assume any laptop is being plugged in on a regular basis.

The standard Mac boot process. Nonstandard rooted implementation not shown

axi0mX writes: “I have sources that say more news is on the way in the upcoming weeks. I quote: be afraid, be very afraid.”

Whether that’s actually true, I guess we’ll see. According to the researcher, he approached Apple about this problem, reached out to Tim Cook personally, and attempted to raise the issue with…