How to protect your Mac from the ‘Dark Jedi’ firmware hack

“A new exploit dubbed ‘Dark Jedi’ exists for MacBook systems created before mid-2014, where a hacker can issue a malicious program to overtake the system’s firmware by simply having the system be put in sleep mode,” Topher Kessler reports for MacIssues.

“Upon waking from sleep, the firmware on these older Macs is unlocked, which leaves them open to access and modification from applications running in OS X,” Kessler reports. “This contrasts with the recent Thunderstrike firmware vulnerability that allowed hackers to overtake firmware, but required physical access to the system. Since this current vulnerability is run by way of malicious software, systems can be attacked remotely by use of trojan horses and other social engineering approaches, but this also provides an avenue for protection.”

Kessler reports, “If your Mac is an older one and you are concerned about this vulnerability, keep in mind that for now this is a proof-of-concept attack that is not known to be in any active hacking attempts. In addition, it has three key limitations: It requires root access; It requires you to download it; It requires your system be put to sleep.”

Read more in the full article here.

MacDailyNews Take: It’s also nice, until Apple patches this thing, that Macs with SSDs boot so quickly. It’s almost like sleep anyway.

SEE ALSO:

Vulnerability in Macs made before mid-2014 could allow firmware modifications, researcher says – June 1, 2015
Apple preparing to release ‘Thunderstrike’ patch for OS X – January 26, 2015
Apple secures Macs against ‘Thunderstrike’ attacks in OS X 10.10.2 – January 24, 2015
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015
Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required – January 12, 2015

9 Comments

  1. In “Security & Privacy” click the General tab and under “Allow applications downloaded from…” choose “Mac App Store and identified developers.”

    Problem solved.

    (This setting is actually the default but some people changed it to download something or other. It’s a good idea to go back into that setting and change it back to the more secure one now that you’ve already installed every “unauthorized” app you need.)

    1. This exploit is still being thrashed out in detail. But it is assumed at this point that a ‘drive by’ infection is possible, in which case Gatekeeper (Apple’s name for what Jooop describes above) won’t help.

      But keeping Gatekeeper ON does help. Just be sure you do NOT override it (via the usual tricks) and end up infecting yourself.

      Even more specifically: Beware ALL installer programs that require you to override Gatekeeper. That EVEN means for applications you trust. That installer may be infecting you with something MORE than what you expected. This is happening via evil, dastardly, nefarious mirror sites that are used for downloading software. One of those nasty websites turns out to be: SOURCEFORGE. At this point I’d go so far as to say: NEVER download software from Sourceforge. They are, literally, an adware (technically ‘malware’) distribution node. Quite deliberately too! And I’ve personally caught other mirror websites pulling the same dirty tricks. It’s all about $$$$$, with the inevitable destruction of the site’s reputation, IOW self-destruction.

      Summary: NEVER approve the installation of software onto your Mac without TRIPLE checking that you got it DIRECTLY from the developer and nowhere else, especially mirror sites.

  2. Signs of the accelerating technological age we live in that a well-built piece of durable equipment with a useful lifetime of 5-7 years (at least if minimally cared for, and at least for the software it’s rated to run) is an “older Mac” if it was built before mid-2014…

  3. Well, technically this isn’t exactly “Dark Jedi”. Pedro Vilaca, who discovered this ‘zero day’ attack, has compared it to the “Dark Jedi” attack concept that was disclosed last December. But he specifically declined to actually name this attack. Meanwhile, calling it the ‘Mac Dark Jedi Attack’ (or hack) is just fine IMHO. Just point out that this is specific to Macs.

    In December 2014, a couple of different, previously undisclosed, root-level attacks were presented at the CCC (Chaos Computer Club) Congress of 2014. One of the attacks was directed at UEFI, which is essentially the ‘BIOS’ from Intel that Apple has been using since the start of Intel Macs back at the end of 2005. You can read about it and watch a video of the presentation here:

    Attacks on UEFI security, inspired by Darth Venamis’s misery and Speed Racer

    About

    On modern Intel based computers there exist two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime breakin as well as arbitrary reflash of the UEFI firmware.

    The attack that Pedro Vilaca discovered is within the general class of the “Dark Jedi” UEFI firmware rewrite attacks.

    NOTE: As Pedro Vilaca points out in his source blog post, preventing your Mac from sleeping may NOT NOT NOT be a temporary workaround. Potentially, if infected, the associated “Dark Jedi” malware could send a terminal message to OS X telling your Mac to go to sleep, despite our settings to the contrary. So do NOT count on this as a solution. Meanwhile, while we wait for Apple to catch up and solve this (which they damned well had better!), stopping Macs from sleeping may help in the short term.

    Overall, despite the total PWNage resulting from this attack, don’t worry about it as of yet. If you want to be extra special careful, you can follow the instructions at Pedro Vilaca’s blog post to download software to test if you’ve been attacked.

    In the meantime, Dan Goodin over at Ars Technica is keeping track of the situation. Here is his initial article on the subject:

    New exploit leaves most Macs vulnerable to permanent backdooring

    Hack allows firmware to be rewritten right after older Macs awake from sleep.

  4. On my “desktop” Mac, I use display sleep only. My overall system never sleeps, and stays running for weeks at a time. A system update is usually the only time I need to shutdown and restart.
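The two interim measures the comments above keep coming back to, Gatekeeper left enabled (comment 1 and its reply) and system sleep switched off so the machine never hits the vulnerable wake path (comment 3’s note and comment 4), can be audited from the shell. The script below is an added example written for this page; it is not from the article, from Pedro Vilaca, or from any of the commenters. It assumes the output formats of two real OS X tools, `spctl --status` (prints “assessments enabled” or “assessments disabled”) and `pmset -g` (one setting per line, with `sleep` being the system sleep timer in minutes and 0 meaning never). The parsing functions take the command output as an argument so they can be exercised on captured text; the real commands are only invoked when they exist on the machine. The sample outputs in the usage are constructed.

```shell
#!/bin/sh
# Interim-mitigation audit for the sleep/wake firmware issue discussed above.
# Added example, not from the article or the commenters. It checks two things
# the owner of a pre-mid-2014 Mac can control while waiting for Apple's fix:
#   1. Gatekeeper is enabled    (spctl --status -> "assessments enabled")
#   2. system sleep is disabled (pmset -g       -> " sleep   0")
# It does NOT detect a firmware that has already been rewritten; for that,
# follow the test instructions in Vilaca's post referenced in the comments.

# gatekeeper_on OUTPUT -> returns 0 when Gatekeeper assessments are enabled.
gatekeeper_on() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sleep_minutes PMSET_OUTPUT -> prints the system sleep timer in minutes
# (0 means "never sleep"), or "unknown" if no "sleep" line is present.
# Only the first field is compared, so "displaysleep" and "disksleep" are
# not confused with "sleep", and a trailing "(sleep prevented by ...)"
# annotation on the line is ignored.
sleep_minutes() {
    printf '%s\n' "$1" | awk '
        $1 == "sleep" { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# audit GATEKEEPER_OUTPUT PMSET_OUTPUT -> prints one line per check and
# returns 0 only when both interim mitigations are in place.
audit() {
    rc=0
    if gatekeeper_on "$1"; then
        echo "OK    Gatekeeper enabled"
    else
        echo "WARN  Gatekeeper disabled; re-enable with: sudo spctl --master-enable"
        rc=1
    fi
    mins=$(sleep_minutes "$2")
    if [ "$mins" = "0" ]; then
        echo "OK    system sleep disabled (display sleep alone is fine)"
    else
        echo "WARN  system sleep timer is '$mins' min; disable with: sudo pmset -a sleep 0"
        rc=1
    fi
    return $rc
}

# Run against the live system only where the OS X tools exist; elsewhere the
# functions can still be applied to output captured from the Mac.
if command -v spctl >/dev/null 2>&1 && command -v pmset >/dev/null 2>&1; then
    audit "$(spctl --status 2>&1)" "$(pmset -g 2>&1)"
else
    echo "spctl/pmset not found: run this on the Mac, or feed captured output to audit" >&2
fi
```

Usage on the Mac is just `sh audit.sh`; a non-zero exit means at least one of the two settings is not in the recommended state, and the WARN line names the command that puts it there. Keep comment 3’s caveat in mind when reading the sleep check: malware that already has root can put the machine to sleep regardless of the `pmset` timer, so a passing audit narrows the window, it does not close it, and only the Apple firmware fix does that.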

  5. My thoughts: Trojans that can hurt Macs (like the one discussed here) can’t impact iOS. So if I encounter a questionable link, I open the link on my iPad. The trojan won’t work on iOS.

  6. Yep!! If it does get figured out and gets released to the wild, it will be a Linux Live CD on my 2009 iMac for daily surfing and browser-based Comcast email for me for a bit. If this gets going it will be riding the bull time for OS X. That will bring on more malware writers to the platform.
