
      Apple’s T2 security chip has an unfixable flaw

      WIRED · news.movim.eu / ArsTechnica · Saturday, 10 October, 2020 - 11:04 · 1 minute

    [Image: The 2014 Mac mini pictured alongside the 2012 Mac mini. They looked the same, but the insides were different in some key, and disappointing, ways. (credit: Andrew Cunningham)]

    A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside.

    In general, the jailbreak community hasn't paid as much attention to macOS and OS X as it has to iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

    On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware.


      GitHub Removes ‘Chimera13’ iOS Jailbreak After DMCA Notice from ‘Unc0ver’

      Ernesto Van der Sar · news.movim.eu / TorrentFreak · Wednesday, 8 July, 2020 - 19:41 · 2 minutes

    Apple’s iOS devices are part of a closed ecosystem that doesn’t allow much tinkering and keeps unvetted apps out.

    This works well for the vast majority of people but for those who demand more, jailbreaking is always an option.

    While Apple doesn’t like the fact that outsiders are circumventing their restrictions to open up access, it generally turns a blind eye to jailbreaks. The company patches leaks but since the DMCA offers a jailbreak exemption, taking legal action is not the obvious response.

    Unc0ver vs. Chimera13

    In this light, it’s interesting to see that several copies of the Chimera13 jailbreak were taken down by GitHub this week, through a DMCA notice. This request didn’t come from Apple, however, but from the Unc0ver team, which is behind another iOS jailbreak.

    The Unc0ver team accuses third-party developers of pirating their jailbreak code. The DMCA notice points a finger at a specific target, developer Coolstar, who allegedly “stole” Unc0ver’s code to use it as part of the Swift-based Chimera13 jailbreak.

    “He was able to obtain a leaked copy of our private unc0ver repository that was previously available at [private] for selected team members of the Unc0ver Team,” the DMCA notice explains.

    “We have investigated this user and found that their first appearance on the r/Jailbreak Discord Server, where they later announced that they had obtained the source code, was approximately a day after the infringer had publicly indicated that he was able to obtain information about our work on Twitter,” the Unc0ver team adds.

    GitHub Takes Down Chimera13 Repositories

    The DMCA notice asks GitHub to remove the Chimera13 repository as well as dozens of forks. And indeed, the official repository and the forks are all unavailable now.


    The takedown request is interesting for several reasons. First of all, a team behind an application that is exempted from copyright infringement claims under the DMCA is using the same law to go after another jailbreak app. In addition, the claim itself isn’t without controversy either.

    Coolstar Sends a Counter-Notice

    Chimera13 developer Coolstar, who’s a former computer science student at UC Santa Barbara, argues that the takedown notice is unwarranted. He sent a counter-notice to GitHub, asking the company to reinstate his repository.

    “The code for Chimera13 is original code that I have written in Swift that relies primarily on the public techniques,” Coolstar writes, pointing out the various pieces of open source and publicly available code that’s included.

    “The only 3rd-party code in this repository is Jake James’ time_waste exploit. However, this is under an open source license (GPL),” he adds, highlighting the license in question.

    According to Coolstar, the original notice was sent in bad faith. He further accuses the sender of committing perjury and abusing the DMCA process, a claim he repeats on Twitter.

    Without making any judgments on the claims from both sides, it is clear that this is more than just a regular DMCA request. It appears to be part of an ongoing feud between two camps, which both develop jailbreak solutions.

    In any case, it will be interesting to see how GitHub responds to the counter-notice. According to the regular DMCA process, the Chimera13 repository will be reinstated within two weeks, unless the Unc0ver team takes the matter to court.
