IT professionals should double down on efforts to prevent unauthorized use of corporate Macs to save workers from becoming victims of a recently discovered vulnerability in Apple's T2 security chip.
The unfixable flaw makes it possible for a hacker to run an exploit kit called Checkm8 from a USB device to gain root access to many Macs released since late 2017. Because the hacker would need possession of the computer to run the kit, the best defense is to make sure workers are vigilant in stopping others from using their machines, security experts said.
The vulnerability is at such a fundamental level that traditional security and device-management software can't defend against it, said Patrick Wardle, a principal security researcher at Jamf, a firm specializing in Apple device management. Those products work off the computer's operating system, so they can't detect or eliminate a vulnerability in hardware used to boot a computer.
"It's a well-understood mantra in security [that] if someone has physical access to your device, it's kind of game over," he said.
The T2 chip, first introduced in the iMac Pro, conducts security checks at boot to ensure the operating system isn't compromised. The flaw lets attackers use the exploit to install malicious code that the security chip would typically stop.
The good news is that a Mac with an encrypted hard drive could thwart attackers. Those machines would require a password to access their content, cybersecurity consultant Niels Hofmans of IronPeak wrote in a blog post. The hacker would therefore first have to learn the user's password, by such means as a brute-force attack.
While encryption helps, IT professionals should continue to remind workers to never leave their computers unattended in public places, Hofmans said in an email. Failing to continually remind workers of such measures could lead to regrettable mistakes.
IT professionals should take the T2 vulnerability seriously while also placing it in context with more significant threats, such as phishing attacks, Wardle said. If workers keep their corporate Macs safe, then they can still benefit from some of the protections the chip offers.
However, one protection that is now less effective is stopping root access to a Mac.
"Just a few years ago, Macs weren't shipping with the T2 chip, so they were open to the kinds of attacks we're talking about now," Wardle said.
The only way Apple can fix the T2 flaw is to replace the chip with a corrected one in future Macs, security experts said. Apple has baked the vulnerability into the chip, so it can't fix the problem with a software update.
Apple did not respond to a request for comment.