A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstalls OS X or reformats the drive.

The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the BIOS – code stored in flash memory, not on the drive. This means that the machine remains compromised even if the hard drive is physically replaced … 

Vilaca built his attack method on a known vulnerability that required physical access to the machine, allowing firmware to be rewritten by connecting a Thunderbolt device. It had previously been suggested that the NSA used this method to monitor surveillance targets, intercepting shipments of Macs to their addresses and installing the firmware modification.

This new approach means that no physical access is needed. The attack code could be installed via any one of a number of existing security vulnerabilities found in Safari and other web browsers.

The BIOS is normally set to read-only, preventing it from being modified or replaced, but Vilaca found that this protection is – for reasons unknown – removed when pre-mid-2014 Macs wake from sleep.

It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.

The researcher says that Apple apparently fixed the hole in mid-2014 models, but has not released firmware updates for older machines. The only reassuring note is that while a mass-exploit would be possible, Vilaca considers it most likely to be used in targeted attacks against individuals.

The only protection against the vulnerability is to never allow your Mac to sleep.

Via ArsTechnica. Image: Trammell Hudson.

About the Author

Ben Lovejoy
