Security researchers demonstrate ‘PlugNPwn’ attack on T2-equipped Mac

It wasn’t long after the checkm8 bootrom exploit gave rise to the checkra1n jailbreak tool that clever hackers learned how they could use the same exploit (along with other hacks) to tamper with the proprietary T2 chip embedded in a bevy of modern Macs. In fact, the checkra1n jailbreak tool’s most recent update even added support for the T2 chip in Macs for interested tinkerers.

Despite how incredible the aforementioned circumstances sounded to jailbreak enthusiasts at first glance, those on the other side of the fence quickly began wondering about the implications this might have for the security of Apple’s most popular computers. Now, we may finally have some idea thanks to information published by the t8012 Development Team.

In a blog post, the team discusses a possible real-world scenario in which the exploit could be deployed on an unsuspecting Mac for malicious intent.

From what we can gather, it would be possible for a hacker to create a specialized device (no larger than a Mac’s factory power adapter) to kick a connected computer’s T2 chip into DFU mode when plugged in and prepare it for hackery.

In a couple of demonstration videos, the team not only boots the T2 chip into DFU mode with a method dubbed ‘PlugNPwn,’ but also replaces the T2 chip’s onboard EFI software with third-party software, as demonstrated by the custom boot logo following the attack.

Subscribe to iDB on YouTube

The latter tidbit is especially alarming in terms of security as the T2 chip is understood to communicate directly with the keyboard on supported Macs and then pass inputted information directly to macOS. In essence, this means that impacted T2-equipped Macs could be especially vulnerable to key-logging software if plugged into a malicious device.

As the researchers note in their piece, Apple could have prevented this type of attack by requiring some form of physical attestation from the user, such as pressing or holding the power button while plugging their device into the source of the attack. Instead, the team says that simple USB-PD payloads allow this to happen automatically when plugged into a source of attack.

For what it’s worth, checkm8 is a hardware-based exploit that necessitates physical access to an affected device, and this means that users of affected Macs can easily mitigate their risks of being targeted by such an attack by being aware of what they plug their machines into. In layman’s terms: it’s best to use the factory power adapter or a trusted alternative brand; obviously, users should avoid plugging their Mac(s) into rogue USB-C ports in the wild, as you never know what might be on the other side of the plug.

To learn more about how the attack works, don’t forget to check out the team’s official blog posting. You can also follow the team on Twitter for live updates.

Are you concerned about the possible ramifications of the exploitation presented in this demonstration? Share your thoughts in the comments section down below.