• Security Researcher to Demonstrate a Vulnerability in Apple's Mac EFI

    by
    Akshay Masand
    Published on 2014-12-23 06:26 PM
    2 Comments Comments


    Next week, a researcher is set to demonstrate a method in which a malicious actor could use a specifically-made Thunderbolt device to inject a bootkit, which could survive almost any attempt to remove it, into the EFI boot ROM of any Mac with a Thunderbolt port. The demonstration is set to take place at the Chaos Communication Congress by researcher Trammell Hudson who claims the attack takes advantage of an old flaw in the Thunderbolt Option ROM which was disclosed in 2012 but hasn’t been patched since. Along with showing the custom code, Hudson will show a method by which the bootkit could replicate itself to any attached Thunderbolt device, allowing the malicious actor to spread across even air-gapped networks.

    Since the code lives in a separate ROM on the logic board, the attack can’t be prevented by reinstalling OS X or even swapping out the hard drive. Hudson notes that he could replace Apple’s own cryptographic key with a new one which even prevents legitimate firmware updates from being accepted. He wrote the following regarding the matter:

    There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM and other techniques to hide from attempts to detect it.
    Vulnerabilities that are a low level such as this one are particularly troubling as they are hard to find and can do a significant amount of damage. A previous demonstration of EFI hacking laid out how full-disk encryption systems such as Apple’s FileVault could be bypassed with a bootkit.

    Although Hudson’s attack does require physical access, its ability to spread through other Thunderbolt devices makes it extra dangerous. Users tend to plug smaller shared devices into their computers without much thought and this would help spread the danger rather quickly.

    Hudson is set to present his findings on December 29th at 6:30pm local time in Hamburg, Germany.

    Source: Chaos Communication Congress via AppleInsider
    This article was originally published in forum thread: Security Researcher to Demonstrate a Vulnerability in Apple's Mac EFI started by Akshay Masand View original post
    1. Categories:
    2. Apple,
    3. OS X,
    4. Mac,
    5. Software
    Comments 2 Comments
    1. Ambi_Valence's Avatar
      Ambi_Valence - 2014-12-23, 06:56 PM
      Jesus wept! I hope that;
      A) If it is an exploit that is a real threat that Apple have not been too arrogant to ignore the warning, (as they usually are).
      B) That it gets no traction in the wild even if it is.
    1. CZroe's Avatar
      CZroe - 2014-12-27, 06:40 PM
      Quote Originally Posted by Ambi_Valence View Post
      Jesus wept! I hope that;
      A) If it is an exploit that is a real threat that Apple have not been too arrogant to ignore the warning, (as they usually are).
      B) That it gets no traction in the wild even if it is.
      It can't get much traction because too few even have a Thunderbolt device and even fewer carry them around, plugging them into multiple Thunderbolt-equipped Macs. I wanted to get a 5K iMac until I read that it doesn't work as a Thunderbolt display, so even I have lost any reason I had to want Thunderbolt.

      This statement is laughable:
      "...its ability to spread through other Thunderbolt devices makes it extra dangerous."
      It's like warning people that some new executable viruses that infect floppy disks is "extra dangerous" when no one is using floppies. Even today, I suspect that almost as many people are moving floppies around between PCs than moving Thunderbolt devices.

  • Connect With Us

  • Discord

    Join our Discord

  • Twitter Box

  • Facebook