Safe chip t2 in mac: keylogger breaks local shutters
The security researcher niels hofmans has demonstrated how vulnerabilities in apple’s t2 secure chip can be exploited in practice. First, he uses a well-known luck to attack the boot process. Then he bypasses an apple-integrated security routine, which actually acknowledges precooling attempts in the device firmware update mode (dfu) with a crash of the operating system (sepos) of the chip. He managed to get full root access including kernel execution rights.
That apple’s safe chip t2, which is in all current macs and, among other things, ensures ssd hardware shutters, with security, is already known. These are therefore problematic, therefore, because they do not simply migrate from the manufacturer by updating – the included os is poured into hardware. The processor is based on apple’s a10, which is already on duration jailbreaks.
Safe chip improves the user
Although hofmans could not directly crack this type apple filevault 2 cap. However, he succeeded in placing a keylogger directly in the t2 chip, as it is stated for the control of the keyboard for safety limits for the control of the keyboard. So it was possible to simply steal the password – even that of the firmware of the mac.
In addition, hofmans succeeded, according to their own statements, to remove various apple security functions with their exploit. This is what mobile device management (mdm), which use many companies, as well as the anti-theft function "find my mac". After all, the shady code is not persistent because it runs only in memory; sepos itself is read-only. Hofmans estimates that attackers were able to use a manipulated usb device to get access to the mac – the necessary hardware fits with a plug in a plug.
Not out of the distance
However, as is relevant to the attack in practice, however, remains controversial. As far as foreseeable, there is no possibility to exploit the leach from afar. An attacker requires physical access to the machine to be crunched, simply exploits to be used does not exist so far. In addition, several security swags are combined with each other, which complicates the imitation of the process. Data forums were allowed to pursue the methodology but certainly with gross attention.
Hofmans has already contacted apple, but so far nothing has been heard. Normal users remains to be recommended not to leave their mac unattended – and usb-c accessories are not easy to blind.