Axi0mx

[Shanta Plansinis]

Thefollowing post is an industry analysis of the code and research performed by twitter.com/axi0mx, twitter.com/h0m3us3r, twitter.com/aunali1, twitter.com/mcmrarm and twitter.com/su_rickmark who poured endless hours of work into this, allowing companies and users to understand their risks concerning this issue.

In case you are using a recent macOS device, you are probably using the embedded T2 security chip which runs bridgeOS and is actually based on watchOS. This is a custom ARM processor designed by Apple based on the A10 CPU found in the iPhone 7.The T2 chip contains a Secure Enclave Processor (SEP), much like the A-series processor in your iPhone will contain a SEP.

boot.efi is ran which loads the Darwin kernel (throwback to BSD) (or Boot Camp if booting Microsoft Windows) & IODevice drivers. If a kernel cache is found in /System/Library/PrelinkedKernels/prelinkedkernel, it will use that.

As you probably all already know, Apple pushes forward privacy & security as important weapons in todays world of technology.They tout their devices as highly secure and vouch to handle your personal data using a privacy-centric approach.While there have been mistakes made in the past (who can blame them?), Apple has been generally quick to fix any security issues that were disclosed to their responsible disclosure program or in public.

Jailbreaking has been a big thing in the iOS for a long time. The process of exploiting vulnerability flaws in your iPhone or iOS installation is a popular way of completely customizing your otherwise pretty trimmed down iPhone.There even are jailbreak app stores to download modified apps or a very active salesmarket for tweaks, to tweak your system or apps in some way.

The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone 7 since it contains a processor based on the iOS A10. Exploitation of this type of processor for the sake of installing homebrew software is very actively discussed in the /r/jailbreak subreddit.

So using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.

Normally the T2 chip will exit with a fatal error if it is in DFU mode and it detects a decryption call, but thanks to the blackbird vulnerability by team Pangu, we can completely circumvent that check in the SEP and do whatever we please.

Since sepOS/BootROM is Read-Only Memory for security reasons, interestingly, Apple cannot patch this core vulnerability without a new hardware revision.This thankfully also means that this is not a persistent vulnerability, so it will require a hardware insert or other attached component such as a malicious USB-C cable.

Every Apple iDevice (which includes the T2 and the Watch, via a port under the band) ships with a firmware recovery USB interface called Device Firmware Update (DFU), which is triggered when the device is not be able to boot or by pressing a particular set of buttons when turned on. It is always available because it is code run from SecureROM. This is the mode in which checkm8 runs.

Apple also leaves the ability to access various debug functionality which is disabled on production devices unless a special boot payload is used which runs in DFU. Since Apple is the only one who can sign code for DFU, they can demote any device they like, including the most recent A14 processors.But since the checkm8 vulnerability runs so early in the boot process, we too can demote the T2 into DFU mode.Without checkm8, we would not be able to run unsigned code in DFU and thus not be able enable debug interfaces. Once the debug interface is enabled Apple uses specialized cables with simian names (see Chimp, Kanzi, Gorilla).

Once you have access on the T2, you have full root access and kernel execution privileges since the kernel is rewritten before execution.Good news is that if you are using FileVault2 as disk encryption, they do not have access to your data on disk immediately.They can however inject a keylogger in the T2 firmware since it manages keyboard access, storing your password for retrieval or transmitting it in the case of a malicious hardware attachment.

While this may not sound as frightening, be aware that this is a perfectly possible attack scenario for state actors.I have sources that say more news is on the way in the upcoming weeks. I quote: be afraid, be very afraid.

Wait for a fix, keep an eye on the checkra1n team and be prepared to replace your Mac.Be angry at news websites & Apple for not covering this issue, despite attempts from me and others to get them to report this matter.

3a8082e126