Apple has long made much of their Secure Enclave Processor in their iPhones and more recently Macbooks’ but today hackers announced an “unpatchable” exploit for the processor which theoretically could give them full control over devices protected by the chips, including decrypting sensitive data.
The exploit combines two earlier vulnerabilities (heckm8 and Blackbird) used to jailbreak iPhones, with the hack allowing them to run code inside the T2 security chip at boot time.
According to hacker ironPeak, Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication.
Currently jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac’s boot-up process.
However “using this method, it is possible to create an USB-C cable that can automatically exploit your macOS device on boot,” ironPeak said.
Due to the hack being hardware-based it is “unpatchable” and iPhone and Mac users are vulnerable if they leave their device out of their sight, such as passing through customs. It presents it still does require your device to be rebooted.
“If you suspect your system to be tampered with, use Apple Configurator to reinstall bridgeOS on your T2 chip described here. If you are a potential target of state actors, verify your SMC payload integrity using .e.g. rickmark/smcutil and don’t leave your device unsupervised,” ironPeak said.
Read more at Ironpeak’s site here.