A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstalls OS X or reformats the drive.
The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the BIOS – code stored in flash memory, not on the drive. This means that the machine remains compromised even if the hard drive is physically replaced …
Vilaca built his attack method on a known vulnerability that required physical access to the machine, allowing firmware to be rewritten by connecting a Thunderbolt device. It had previously been suggested that the NSA used this method to monitor surveillance targets, intercepting shipments of Macs to their addresses and installing the firmware modification.
This new approach means that no physical access is needed. The attack code could be installed via any one of a number of existing security vulnerabilities found in Safari and other web browsers.
The BIOS is normally set to read-only, preventing it from being modified or replaced, but Vilaca found that this protection is – for reasons unknown – removed when pre-mid-2014 Macs wake from sleep.
It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.
The researcher says that Apple apparently fixed the hole in mid-2014 models, but has not released firmware updates for older machines. The only reassuring note is that while a mass-exploit would be possible, Vilaca considers it most likely to be used in targeted attacks against individuals.
The only protection against the vulnerability is to never allow your Mac to sleep.
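As an added, defender-side example (not code from the article, from Ars Technica or from Vilaca's research), here is a small Python model of the Intel PCH flash write-protection bits that a firmware-integrity check would read before and after a suspend/resume cycle, to flag the condition the article describes: protections that were in place before sleep but are missing after wake. The register names (BIOS_CNTL with its BIOSWE/BLE/SMM_BWP bits, HSFS with FLOCKDN, and the SPI protected-range registers PR0-PR4) follow the Intel chipset layout and are assumptions not stated on the page; the sample values are constructed, not captured from a Mac.

```python
from dataclasses import dataclass

# Assumed Intel PCH bit positions (constructed model, not read from hardware).
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5   # BIOS_CNTL: write enable, lock enable, SMM-only writes
FLOCKDN = 1 << 15                                # HSFS: flash configuration lock-down


@dataclass(frozen=True)
class FlashState:
    bios_cntl: int
    hsfs: int
    pr_write_protect: tuple = ()   # write-protect enable bit of each SPI PR0..PR4 register

    def bios_cntl_protects(self) -> bool:
        """BIOS region blocked for OS writes by the BIOS_CNTL register."""
        if self.bios_cntl & SMM_BWP:          # only SMM may write the BIOS region
            return True
        # With BLE set and BIOSWE clear, any attempt to set BIOSWE traps to SMM.
        return bool(self.bios_cntl & BLE) and not (self.bios_cntl & BIOSWE)

    def protected_ranges_effective(self) -> bool:
        """PR registers only protect if one is set AND FLOCKDN stops software clearing them."""
        return bool(self.hsfs & FLOCKDN) and any(self.pr_write_protect)

    def writable_from_os(self) -> bool:
        """True when nothing stops a root process (e.g. via flashrom) from rewriting flash."""
        return not (self.bios_cntl_protects() or self.protected_ranges_effective())


def protection_regressed(before: FlashState, after: FlashState) -> list:
    """Names of protections present before suspend but gone after resume."""
    checks = {
        "BIOS_CNTL lock": FlashState.bios_cntl_protects,
        "FLOCKDN + protected ranges": FlashState.protected_ranges_effective,
    }
    return [name for name, check in checks.items() if check(before) and not check(after)]


# Constructed sample: locked before sleep; after resume the lock bits are gone,
# which is the "protection removed on wake" condition the article describes.
PR_SETTINGS = (True, False, False, False, False)
BEFORE = FlashState(bios_cntl=BLE | SMM_BWP, hsfs=FLOCKDN, pr_write_protect=PR_SETTINGS)
AFTER = FlashState(bios_cntl=0x00, hsfs=0x0000, pr_write_protect=PR_SETTINGS)

if __name__ == "__main__":
    print("writable before sleep:", BEFORE.writable_from_os())   # False
    print("writable after wake  :", AFTER.writable_from_os())    # True
    print("regressed:", protection_regressed(BEFORE, AFTER))
```

On a real machine the two register snapshots would come from a tool that reads PCI config space and the SPI BAR (chipsec's bios_wp module performs this same decoding); the model above only does the comparison.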
Via ArsTechnica. Image: Trammell Hudson.
Watch out!
“for unknown reasons” the BIOS only becomes writeable during the Sleep mode. How is that even possible? You know, sometimes you really think that big companies like Apple work together with the NSA to build in those back doors. Like, come on.
Power Nap: https://support.apple.com/kb/PH18589?locale=en_US
I can’t help but think the same exact thing…what possible reasoning could there be for allowing the EFI to be writable when a Mac awakes from sleep? I don’t want to be a conspiracy theorist here but I just can not think of any valid reason why this would ever be allowed unless it was done on purpose…Can anyone think of why they would have done this? I can’t see this as a “bug” — EFI which is read only 99.99999% of the time doesn’t just all of a sudden become writeable because of some code mixup…
They all do, it’s a little sin in their eyes to achieve their redeeming value $$$ – look at history, Mercedes IBM etc etc, sacrifice life in order to make some cashola.
A virus that attacks the firmware is something to take seriously!
Two things:
1. This is not a remote issue, it “only” enables you to perform those tasks with root (not too hard) instead of from inside the kernel (harder).
2. It seems new that MacBooks have been shipping for a couple of years without those bugs, so big question marks everywhere
1. Existing browser vulnerabilities would allow it to be installed remotely.
2. Yes indeed …
Totally, but this is a different problem, you can’t tag a Privilege Escalation as Remote Code Execution, because some other bugs could serve as an entry point.
I agree it makes for a nice punchline but is technically inaccurate: whether this bug exists or not doesn’t change anything for a remote attacker (which is what the title of the article implies).
Not to downplay the seriousness of this claim, but I have to agree that this isn’t a remote attack. Like all security compromises, any renegade code can facilitate illicit remote access if it is invoked.
There are other “hard to detect/correct” places to hide malware – like hard drive firmware, camera firmware, and anywhere else there is a bit of on-board persistent storage.
It seems reasonable that code could be written to validate the contents of the BIOS, but of course there are always details to worry about. I’m glad it’s not my job.
This is true — but let’s not forget about rootpipe, which Apple was notified about in October, and has yet to provide any fix for…so there’s your escalation; it’s present in just about _every_single_mac_ that people are running today…so that IMHO justifies the headline.
If you’re using 1. a kernel extension and 2. a rootkit, you are not doing shit from userland. This is a total non-issue.
For this to be a remote attack, the attacker or an infected host outside of the local network would need to be able to install a kernel extension on the machine. Where’s the documentation on that attack vector?
Via an installer it’s always been possible, and still is possible, to create a compromised BIOS/EFI, even without the wake from sleep vulnerability.
This is the whole point of the bug: not requiring a kernel extension…
All you need is to run some code as root, which is not hard.
Any time you allow code to run as root, you are by definition giving the code full privileges to inspect and modify any and all aspects of your machine.
What about rootpipe?
BIOS is not the correct term here. Macs have EFI.
Apple tech media continues to cry wolf with every one of these discoveries. The title of this article would scare the socks off Attila the Hun. Might, could, should, under certain conditions? Really? Where are the reports of any of these happening in the wild?
Not that Apple shouldn’t provide a fix but can you tone down the rhetoric for once? Other Apple centric sites report the same issue but take pains to assure users that the chances of this happening in the wild are minuscule. Why report in such a way as to incite panic in users who tend to believe the boogeyman is hiding behind every rock?
I believe this needs to be given proper attention because:
1.) Apple FIXED this issue but only on 2014 Macs — they have not provided any fixes for older machines. In essence, they knew about it, and didn’t care to tell anyone. This is extremely dangerous; in this case they’re HELPING the bad guys!
2.) Semi-related — Apple was notified about the rootpipe issue in OCTOBER of 2014. It’s June of 2015, and they still haven’t fixed it.
Apple needs to do something about these ridiculous security holes…these are just two — there are tons more holes and major bugs in OS X that are not getting dealt with for months, and in the case of this bug, YEARS. This is _unacceptable_
Baloney, nonsense. Show me the reports of these exploits being used in the wild even a year later. There are NONE. Helping the bad guys? Bloviation. Dangerous? Ridiculous.
You sleep, you die!
http://en.wikipedia.org/wiki/File:Freddy_Krueger.JPG