Tuesday, December 23, 2014

Apple EFI Firmware Security Vulnerabilities

Trammell Hudson (via Lucian Constantin):

In this presentation we demonstrate the installation of persistent firmware modifications into the EFI boot ROM of Apple's popular MacBooks. The bootkit can be easily installed by an evil-maid via the externally accessible Thunderbolt ports and can survive reinstallation of OSX as well as hard drive replacements. Once installed, it can prevent software attempts to remove it and could spread virally across air-gaps by infecting additional Thunderbolt devices.

Update (2015-01-12): Dan Goodin:

Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running. Because it’s independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

Rich Mogull:

Dubbed Thunderstrike, the Thunderbolt-based attack is limited to situations where an attacker has physical access to a Mac and enough time to run it through a reboot and firmware installation cycle. Apple has partially addressed the vulnerability in recently released hardware (the iMac with Retina 5K display and the new Mac mini) and will be rolling out fixes to older hardware in the future.

Two aspects of the Thunderstrike proof-of-concept make it particularly serious. The first and most obvious is that most Macs remain vulnerable, and no antivirus software can help since Thunderstrike completely circumvents the operating system. Second, were Thunderstrike to be used to install malicious code, it would be hidden in a part of the system inaccessible to the user (the boot ROM, which is really a rewritable EEPROM chip) and would persist even if the boot drive were swapped out.

1 Comment RSS · Twitter

[…] Mac OS X 10.10.2 update fixes the Thunderstrike exploit, among other security bugs. (Good luck if you have a Thunderbolt-equipped Mac but […]

Leave a Comment