A Custom USB-C Cable Can Jailbreak The T2 Chip In A MacBook Pro

Last updated 4 years ago

The security researchers who found a vulnerability in Apple's T2 chip have developed an exploit using a clone of an internal debugging cable that can hack a Mac without user action.

Earlier in October, the checkra1n team developed the unfixable vulnerability that essentially allows an attacker to jailbreak the T2 security chip in a Mac. Once they do, all types of malicious attacks can be carried out on an affected macOS device.

Now, the team has demoed a real-world attack that takes advantage of a technique similar to one leveraged by specialized USB-C cables used internally by Apple for debugging.

As depicted in a YouTube video, and accompanying blog post, the exploit causes a machine to shut down once the cable is plugged in. From there, it's placed into DFU mode and checkra1n is run to achieve a root SSH session. A second video posted to the team's YouTube account showed that the attack was successfully carried out by modifying the Apple logo at boot.

The attack is carried out by software reverse engineered from specialized debug probes, which are used by Apple and known under internal code names such as "Kong," "Kanzi," or "Chimp." These cables work by allowing access to special debug pins within a USB port for the CPU and other chips.

These "Chimp" or "Kanzi" cables have leaked from Cupertino and Apple retail in the past. Security researcher Ramtin Amin created an effective clone of the cable, dubbed a "Bonobo" and used in the video. Combined with the checkra1n team's exploits, it allows for this type of attack to be carried out.

Although the video demonstration shows them modifying the Apple logo, the team notes that the same exploit can be used to replace a device's EFI and upload a keylogger. That's possible because a mobile Mac's keyboard is connected directly to the T2 chip.

The proof-of-concept exploit was disclosed by checkra1n security researchers Rick Mark, Mrarm, Aun-Ali Zaidi, and h0m3us3r. The team also announced that a version of the cable will soon be available for sale.

Who's at risk, and how to protect yourself

As noted earlier, these specialized debug cables can sometimes be found in the wild. With a commercial clone soon to be available, there's a good chance that most Mac models on the market with a T2 chip could be vulnerable.

Of course, the attack requires direct physical access to a Mac, which rules out most types of scenarios for the average user.

However, users who may find themselves targeted by nation-states or cybercriminals should ensure that they keep their Mac safe by maintaining physical security of the device.

21 Comments

Solely physical security means no security for any mobile devices, period.

I try and stay off nation states' radar as a matter of principle so I expect my kitchenware browsing history is safe.

Link to the source in case anyone doesn't know where to find it: https://blog.t8012.dev/plug-n-pwn/

JFC_PA said: I try and stay off nation states' radar as a matter of principle so I expect my kitchenware browsing history is safe.

Terrible way to live "I don't have much to worry about, because I have nothing to hide!" We must fight for our freedoms as every government tries to impede on those in the name of National Security or more recently the Trump admin's DOJ - child exploitation.

I'm pretty sure that when people "jailbreak" their iPhones, the changes persist after a reboot. As the original article pointed out, the T2 cannot be updated--everything on the chip is read only. So it's not accurate to say that the T2 can be jailbroken.
