Oct 14, 2020 16:15:00

Utilizing the vulnerability of security chip 'T2' that Apple's Mac series is hacked only by USB

Apple's proprietary security chip, the

T2 , is central to the security of Mac products, as it turns out to be needed to play Netflix 4K quality movies on the Mac. The hacking team, t8012 Development Team , reports that they have successfully jailbroken the T2 chip using a modified USB device and the jailbreak tool ' checkra1n ' for Apple products.

Plug'nPwn --Connect to Jailbreak
https://blog.t8012.dev/plug-n-pwn/

A custom USB-C cable can jailbreak the T2 chip in a MacBook Pro | AppleInsider
https://appleinsider.com/articles/20/10/13/a-custom-usb-c-cable-can-jailbreak-the-t2-chip-in-a-macbook-pro

T2 exploit team demos a cable that hacks Mac w / o user action --9to5Mac
https://9to5mac.com/2020/10/13/t2-exploit-team/

The jailbreak tool 'checkra1n' for Apple products is compatible with the OS 'Bridge OS' for T series chips, so it is now possible to access the T2 chip and operate the Touch Bar via the T2 chip. However, jailbreaking with checkra1n required a step for the user to switch the Mac device to ' device firmware update (DFU) mode', which could not be hacked without user interaction.

Jailbreak tool supports Apple's Mac security chip 'T2', enabling intrusion into Touch Bar-GIGAZINE

This time, the team 't8012 Development Team' that hacks the T2 chip reports that it succeeded in jailbreaking the T2 chip just by connecting a modified connector to the USB-C port of the Mac device. A demo movie of jailbreaking the MacBook Pro's T2 chip via USB has been released.

T2 Plug'NPwn --YouTube


When you connect the connector to the USB-C port of your MacBook Pro ...

The screen of the MacBook Pro disappeared, and the monitor on the left showed the analysis.

The word 'DFU device connected' is displayed on the monitor, indicating that the MacBook Pro has been successfully entered into DFU mode without any special user action.

Jailbreak by checkra1n was done as it was, and hacking was successful. In the movie, I log in to bridgeOS with SSH and display the kernel information.

We have also succeeded in changing the boot logo via the T2 chip.

The image below shows the pinout of the MacBook series USB-C port. 'CC1' and 'CC2' are pins used to control the power supply standard '

USB Power Delivery (USB PD) ', but the t8012 Development Team can reboot the T2 chip or switch to DFU mode via this pin. He said he discovered a possible, Apple-specific instruction. It seems that the instructions via USB PD did not have an authentication function and were not documented.

Among Mac products, laptop-type devices have a T2 chip and keyboard directly connected, so by exploiting the vulnerability discovered this time, an attack such as loading a keylogger into a Mac product from a hacking device disguised as a charger Will be possible. “Apple needs to document the vendor-specific messages used in Mac products so that consumers can understand the security risks,” points out the t8012 Development Team.