A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstalls OS X or reformats the drive.

The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the BIOS – code stored in flash memory, not on the drive. This means that the machine remains compromised even if the hard drive is physically replaced … 


Vilaca built his attack method on a known vulnerability that required physical access to the machine, allowing firmware to be rewritten by connecting a Thunderbolt device. It had previously been suggested that the NSA used this method to monitor surveillance targets, intercepting shipments of Macs to their addresses and installing the firmware modification.

This new approach means that no physical access is needed. The attack code could be installed via any one of a number of existing security vulnerabilities found in Safari and other web browsers.

The BIOS is normally set to read-only, preventing it from being modified or replaced, but Vilaca found that this protection is – for reasons unknown – removed when pre-mid-2014 Macs wake from sleep.

It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.

The researcher says that Apple apparently fixed the hole in mid-2014 models, but has not released firmware updates for older machines. The only reassuring note is that while a mass exploit would be possible, Vilaca considers it most likely to be used in targeted attacks against individuals.

The only protection against the vulnerability is to never allow your Mac to sleep.

Via ArsTechnica. Image: Trammell Hudson.

About the Author

Ben Lovejoy's favorite gear