Checklist 202: The T2 Vulnerability with Patrick Wardle
This week’s big news: an “unpatchable” hardware vulnerability affecting Apple’s T2 security chip! But how serious is it, really? We spoke with Mac security expert Patrick Wardle to separate the facts from the clickbait headlines. We’ll cover:
Parsing the T2 story
The Apple security community was abuzz this week with news of an unpatchable vulnerability in the T2 security chip found in newer Macs.
To begin with, a quick refresher: The T2 chip is essentially a co-processor that handles much of the Mac’s security functionality, including things like Touch ID and integrity checking (i.e. making sure that other components in the boot process haven’t been tampered with).
So what is this vulnerability that affects such a crucial part of the Mac’s security? According to the researchers who discovered it, it’s the same flaw that led to the checkm8 jailbreak on iOS, which affects all older iOS devices running on A5 to A11 processors.
Like checkm8, the newly discovered T2 vulnerability can’t be exploited remotely: a would-be bad actor would have to have physical access to a target Mac, and would need to connect a USB-C cable attached to some sort of secondary attack machine.
Checklist listeners are accustomed to hearing about vulnerabilities, of course, but the idea of an “unpatchable” vulnerability may seem odd — after all, why doesn’t Apple just issue an update?
We asked noted Mac security expert Patrick Wardle to weigh in. Wardle is a Principal Security Researcher at Jamf, a company that does Apple device management for businesses and organizations. He is also an author, blogging regularly at his website, Objective-See, and currently working on a book about Mac malware called The Art of Mac Malware: Analysis.
Wardle explains why a patch is simply not an option in this case:
“The reason that this isn’t patchable is because the code that is flawed — that allows the checkm8 exploit to exploit the T2 chip — is actually burned onto that chip at the factory. It’s stored in something called “read-only memory” (ROM), which basically means that code cannot be modified. It’s immutable. This means that even after Apple has understood the flaw, they can’t actually update the code on these chips.”
It may sound strange to have a component that contains immutable code, but when you consider the role that T2 plays in verifying that other parts of the boot process are legitimate — including the operating system — then it makes sense that the chip itself is designed to be unalterable. As Wardle puts it:
“It would be problematic, from a security standpoint, if the operating system could update or modify the T2 chip, because that would become a potential attack vector.”
The “good news” is that flaw should be reasonably easy to fix, at least from a chip design and architecture perspective — though of course that doesn’t help users who already have vulnerable T2 chips in their devices. In terms of what lies ahead, it’s not possible for anyone outside of Apple to say anything with complete certainty, but it’s reasonable to assume that newer Macs, and especially the forthcoming Apple Silicon Macs, will not contain the vulnerability, since Apple will probably just begin using upgraded T2 chips (i.e. chips that don’t contain the vulnerable code) at their manufacturing facilities.
T2 and you
If you have a newer Mac with a T2 chip, then this vulnerability affects you — at least in theory.
But the security researchers who uncovered the issue with T2 were careful to point out that there are likely other vulnerabilities that will have a far greater real-world impact on everyday Mac users than this one.
As mentioned above, in order for an attacker to exploit this T2 vulnerability, they would have to have physical access to a Mac. As Wardle points out, this is already a pretty big advantage for a bad guy to have — so much so that the basic attitude in the world of infosec has long been:
“If someone has physical access to your device, it’s kind of ‘game over’”.
In other words, while someone with physical access to a vulnerable Mac would likely be able to subvert the device’s protections, the fact that they had the Mac in their possession in the first place would mean that they’d already compromised the user in a pretty fundamental way.
This also means that the best advice on how to keep yourself safe from this vulnerability is both simple and practical: protect your device! Be mindful of scenarios where strangers might have physical access to your Mac for prolonged periods, and take extra care to avoid situations where your computer might be lost or stolen.
In addition, you may want to consider enabling FileVault on your Mac. While researchers still aren’t 100% sure about the extent to which this could safeguard valuable data from the T2 bug, there are early indications that it might provide some extra protection that would mitigate the potential impact of the vulnerability.
The Checklist would like to thank Patrick Wardle for taking the time to talk with us. To learn more about Patrick’s work, follow him on Twitter. To read Patrick’s technical writing, check out his award-winning blog at Objective-See, or visit taomm.org to read excerpts from his forthcoming book.
That brings us to the end of another Checklist. Take a moment to browse our archives if you’d like to listen to past podcasts or read through the show notes — and as always,drop us a line if you’d like to suggest a topic for a future show or ask a security question for us to answer on an upcoming episode.