Most Mac models released from 2018 onward contain a T2 security chip.
Apple makes a number of security claims about this chip, stating that “the T2 chip enables a new level of security by including a secure enclave coprocessor that secures Touch ID data and provides the foundation for new encrypted storage and secure boot capabilities.”
Little did Apple know that the T2 chip also contains flaws that inadvertently make Macs less secure and more susceptible to serious local attacks. Apple cannot fix these flaws via a firmware update, so affected Macs are unpatchable and will remain vulnerable.
Belgian cybersecurity consulting firm ironPeak, which wrote a detailed overview of the problem, summarizes several of the ways an attacker could leverage the T2’s design flaws:
TL;DR: recent Macs (2018-2020, T2 chip) are no longer safe to use if left alone and physical access was possible, even if you had them powered down.
• The root of trust on macOS is inherently broken
• [An attacker] can brute-force your FileVault2 volume password
• [An attacker] can alter your macOS installation [i.e. install malware]
• [An attacker] can load arbitrary kernel extensions
A team of security researchers discovered that it’s possible to borrow exploits used for iPhone jailbreaking to attack the T2 chip. This is possible in part because the T2 is based on the A10 chip in the iPhone 7 and 7 Plus, two iPad models (6th and 7th generation), and the current iPod touch (7th gen).
By leveraging the checkm8 exploit and blackbird vulnerability, a local attacker can gain full root access and kernel execution privileges on any Mac with a T2 chip.
Since the flaw resides in read-only memory (ROM), Apple cannot simply release a firmware patch to protect affected Macs. According to researchers, Apple would need to physically replace hardware to fix the issue.
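Because the flaw cannot be patched, the practical defender's first step is to know which machines in a fleet carry a T2 chip at all. The following shell snippet is an added example, not code from the article or from ironPeak: it decides from the text that `system_profiler SPiBridgeDataType` prints whether a T2 chip is present. The two sample outputs are constructed; the exact layout of `system_profiler` output varies between macOS versions, so the function keys only on the chip name, which is the stable token.

```shell
#!/bin/sh
# Added example (not from the article): inventory check for the T2 chip.
# The function takes the system_profiler text as an argument rather than
# running the command itself, so it can be exercised with constructed
# samples on any platform.

# Return 0 if the supplied text names a T2 chip, 1 otherwise.
has_t2_chip() {
    printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'
}

# Constructed sample resembling output from a T2-equipped Mac
# (assumption: field names and values are placeholders, not real data).
SAMPLE_T2='Controller:

    Apple T2 Security Chip:

      Firmware Version: 0000.00.0 (placeholder)
      Boot UUID: 00000000-0000-0000-0000-000000000000'

# Constructed sample standing in for a Mac without a bridge chip
# (assumption: the wording is illustrative, not verbatim macOS output).
SAMPLE_NO_T2='Controller:

      This computer does not contain a bridge chip'

# Live check: 0 = T2 present (in the affected population), 1 = no T2,
# 2 = not running on macOS. Prints a one-line verdict either way.
check_this_mac() {
    if command -v system_profiler >/dev/null 2>&1; then
        if has_t2_chip "$(system_profiler SPiBridgeDataType 2>/dev/null)"; then
            echo "T2 present: this Mac is in the affected population"
            return 0
        else
            echo "No T2 reported: not affected by the T2 BootROM flaw"
            return 1
        fi
    else
        echo "system_profiler not found: not running on macOS"
        return 2
    fi
}

# Run the live check when the script is executed directly; the '|| :'
# keeps a non-zero verdict from aborting a caller that uses 'set -e'.
check_this_mac || :
```

Run it on each Mac (for example from an MDM script) and collect the exit status of `check_this_mac`; a 0 means the machine is one that no firmware update will fix, so the physical-access controls discussed below matter most there.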
Thankfully, FileVault 2 full disk encryption isn’t completely broken; an attacker still needs your password to access a FileVault-encrypted disk. However, an attacker could obtain that password by injecting a keystroke logger into the T2 firmware.
It’s also noteworthy that exploiting the flaw requires an attacker to have physical access to the Mac.
As scary as they may seem, most Mac users probably don’t need to worry too much about the T2 flaws.
If you’re a politician, activist, journalist, government employee, someone with access to highly sensitive information or trade secrets, or if you travel internationally to certain countries, you’re more likely to be targeted by a sophisticated threat actor. Most other Mac users probably shouldn’t lose sleep over T2 exploits.
However, if you’re concerned about such attacks, there are a few things you can do to help protect your Mac from exploitation.
Introducing the OMG Keylogger Cable!
Follow along for early access. It took us over a year to create, and we are happy to announce it during @defcon once again.
More info: https://t.co/jASPCwJPGE pic.twitter.com/AD5m6XwLOj
— _MG_ (@_MG_) August 7, 2020
For many more technical details about the T2 flaws, you can refer to ironPeak’s write-up: Crouching T2, Hidden Danger.