Vulnerability in Macs made before mid-2014 could allow firmware modifications, researcher says

“A zero-day software vulnerability in the firmware of older Apple computers could be used to slip hard-to-remove malware onto a computer, according to a security researcher,” Jeremy Kirk reports for IDG News Service.

“Pedro Vilaca, who studies Mac security, wrote on his blog that the flaw he found builds on previous ones but this one could be far more dangerous. Apple officials could not be immediately reached for comment,” Kirk reports. “Vilaca found it was possible to tamper with an Apple computer’s UEFI (unified extensible firmware interface). UEFI is firmware designed to improve upon BIOS, which is low-level code that bridges a computer’s hardware and operating system at startup.”

“The UEFI code is typically sealed off from users. But Vilaca wrote that he found the code is unlocked after a computer goes to sleep and reawakens, allowing it to be modified. Apple computers made before mid-2014 appear to be vulnerable,” Kirk reports. “Vilaca wrote it is then possible to install a rootkit, a type of malware that is hard to remove and nearly undetectable by security products. The only defense is to not let the computer sleep and always shut it down, Vilaca wrote.”

Read more in the full article here.

MacDailyNews Take: Patch away, Apple!

SEE ALSO:

Apple preparing to release ‘Thunderstrike’ patch for OS X – January 26, 2015
Apple secures Macs against ‘Thunderstrike’ attacks in OS X 10.10.2 – January 24, 2015
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015
Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required – January 12, 2015

9 Comments

    1. It’s nontrivial to access the UEFI; it usually requires root or physical access. The standard caveats apply: never enter an admin password without knowing exactly what the request is, and physical access always trumps security (unless using FileVault and even then the big boys have ways…).

      1. Sounds to me like he’s saying he wrote a program (or single process) that would access the UEFI when the event of a computer waking from sleep occurs. So the exploit could be a trojan inadvertently run by the user before the computer goes to sleep. There is no mention of needing any special level of access so it may actually be quite serious.

        1. MDN posted another article “How to protect your Mac from the ‘Dark Jedi’ firmware hack” where I offered some more details. One of the articles I liked there is by Dan Goodin on the subject. He provided a couple of links for testing. I’ll quote him here then offer the links below.

          At the moment, Vilaca said, there isn’t much users of vulnerable machines can do to prevent exploits other than to change default OS X settings that put machines to sleep when not in use. More advanced users can download software made available by Trammell Hudson, creator of the Thunderstrike exploit. Available here and here, Hudson’s software dumps the contents of a Mac’s BIOS chip so users can compare the results against firmware files provided by Apple. This safeguard doesn’t prevent users from having their Mac firmware rewritten, but it will alert them if such an attack has occurred.

          “here and here” are:

          https://trmm.net/SPI_flash
          and
          https://github.com/osresearch/rwmem

          Pedro Vilaca’s blog post where he describes the exploit describes how to install and use the test software. It’s a hack, so be ready to do some minor hacking to install it and use it.
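The detection approach quoted above (dump the flash chip, compare the dump against a known-good image) is shown here as an added example; this is not code from the page, from Apple, or from the linked tools. It assumes both inputs are raw binary images of the same flash region and reports the byte ranges that differ, which is what a defender needs in order to tell a benign difference from a rewritten region.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for recording and comparing dumps over time."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(dump: bytes, reference: bytes):
    """Return half-open (start, end) byte ranges where dump differs from reference.
    A size mismatch is reported as one trailing range covering the extra bytes."""
    regions = []
    start = None
    n = min(len(dump), len(reference))
    for i in range(n):
        if dump[i] != reference[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(dump) != len(reference):
        regions.append((n, max(len(dump), len(reference))))
    return regions


def check_dump(dump: bytes, reference: bytes) -> dict:
    """Summarise a comparison: hashes of both images plus every differing range."""
    regions = diff_regions(dump, reference)
    return {
        "match": not regions,
        "size_mismatch": len(dump) != len(reference),
        "dump_sha256": sha256_hex(dump),
        "reference_sha256": sha256_hex(reference),
        "regions": regions,
    }


# Constructed sample images (not real firmware): a 64-byte reference and a
# copy whose bytes 16..24 have been overwritten, standing in for a dump taken
# after a suspected modification.
REFERENCE_IMAGE = bytes(range(64))
TAMPERED_IMAGE = REFERENCE_IMAGE[:16] + b"\xff" * 8 + REFERENCE_IMAGE[24:]

if __name__ == "__main__":
    result = check_dump(TAMPERED_IMAGE, REFERENCE_IMAGE)
    for start, end in result["regions"]:
        print(f"differs at 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
```

To use it on real dumps, read both files with `open(path, "rb").read()` and pass them to `check_dump`; a reference dump taken when the machine was known-good is the most useful baseline, since firmware images also contain regions (such as NVRAM variables) that legitimately change.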

  1. This one is going to be critical until Apple sorts it out. But the sort of good news is that it is likely to be used only for targeted attacks, not en masse.

    Until Apple patches the hole: Never Let Your Macs Sleep Again!
    Bwahahahaha! 😈😴😴😴

    1. Being more serious, stopping your Macs from sleeping isn’t a perfect workaround. It’s possible for the infecting malware to put a Mac to sleep, despite a user’s settings. But for the moment, it’s something to try.

      Hopefully, Apple will patch this problem in a hurry and we’ll never see it active in the wild.
