Skip to main content

Nasty Mac vulnerability allows remote attack, survives OS X reinstallation & even drive format

bios

A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstals OS X or reformats the drive.

The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the BIOS – code stored in flash memory, not on the drive. This means that the machine remains compromised even if the hard drive is physically replaced … 

Vilaca built his attack method on a known vulnerability that required physical access to the machine, allowing firmware to be rewritten by connecting a Thunderbolt device. It had previously been suggested that the NSA used this method to monitor surveillance targets, intercepting shipments of Macs to their addresses and installing the firmware modification.

This new approach means that no physical access is needed. The attack code could be installed via any one of a number of existing security vulnerabilities found in Safari and other web browsers.

The BIOS is normally set to read-only, preventing it from being modified or replaced, but Vilaca found that this protection is – for reasons unknown – removed when pre-mid-2014 Macs wake from sleep.

It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.

The researcher says that Apple apparently fixed the hole in mid-2014 models, but has not released firmware updates for older machines. The only reassuring note is that while a mass-exploit would be possible, Vilaca considers it most likely to be used in targeted attacks against individuals.

The only protection against the vulnerability is to never allow your Mac to sleep.

Via ArsTechnica. Image: Trammell Hudson.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. hiroshisz - 9 years ago

    要注意!

  2. Iven Tenz (@ivenalot) - 9 years ago

    “for unknown reasons” the BIOS only becomes writeable during the Sleep mode. How is that even possible? You know, sometimes you really think that big comes like Apple work together with NSA to built in those back doors. Like, come on.

    • srgmac - 9 years ago

      I can’t help but think the same exact thing…what possible reasoning could there be for allowing the EFI to be writable when a Mac awakes from sleep? I don’t want to be a conspiracy theorist here but I just can not think of any valid reason why this would ever be allowed unless it was done on purpose…Can anyone think of why they would have done this? I can’t see this as a “bug” — EFI which is read only 99.99999% of the time doesn’t just all of a sudden become writeable because of some code mixup…

    • They all do, it’s a little sin in their eyes to achieve their redeeming value $$$ – look at history, Mercedes IBM etc etc, sacrifice life in order to make some cashola.

  3. Centre Itech - 9 years ago

    Un virus qui s’attaque au firmware à prendre au sérieux!

  4. TaikiSan - 9 years ago

    Two things:
    1. This is not a remote issue, it “only” enables you to perform those tasks with root (not too hard) instead of from inside the kernel (harder).
    2. It seems new that MacBooks have been shipping for a couple of years without those bugs, so big question marks everywhere

    • Ben Lovejoy - 9 years ago

      1. Existing browser vulnerabilities would allow it to be installed remotely.
      2. Yes indeed …

      • TaikiSan - 9 years ago

        Totally, but this is a different problem, you can’t tag a Privilege Escalation as Remote Code Execution, because some other bugs could serve as an entry point.
        I agree it makes for a nice punchline but is technically inaccurate: whatever this bug exist or not doesn’t change anything for a remote attacker (which is what the title of the article imply).

      • standardpull - 9 years ago

        Not to downplay the seriousness of this claim, but I have to agree that this isn’t a remote attack. Like all security compromises, any renegade code can facilitate illicit remote access if it is invoked.

        There are other “hard to detect/correct” places to hide malware – like hard drive firmware, camera firmware, and anywhere else there is a bit of on-board persistent storage.

        It seems reasonable that code could be written to validate the contents of the BIOS, but of course there are always details to worry about. I’m glad its not my job.

    • srgmac - 9 years ago

      This is true — but let’s not forget about rootpipe, which Apple was notified about in October, and has yet to provide any fix for…so there’s your escalation; it’s present in just about _every_single_mac_ that people are running today…so that IMHO justifies the headline.

  5. If you’re using 1. a kernel extension and 2. a rootkit, you are not doing shit from userland. This is a total non-issue.

    • For this to be a remote attack, the attacker or an infected host outside of the local network would need to be able to install a kernel extension on the machine. Where’s the documentation on that attack vector?

      Via an installer it’s always been possible, and still is possible, to create a compromised BIOS/EFI, even without the wake from sleep vulnerability.

    • TaikiSan - 9 years ago

      This is the whole point of the bug: not requiring a kernel extension…
      All you need is to run some code as root, which is not hard.

      • standardpull - 9 years ago

        Any time you allow code to run as root, you are by definition giving the code full privileges to inspect and modify any and all aspects of your machine.

    • srgmac - 9 years ago

      What about rootpipe?

  6. BIOS is not the correct term here. Macs have EFI.

  7. lkrupp215 - 9 years ago

    Apple tech media continues to cry wolf with every one of these discoveries. The title of this article would scare the socks off Attila the Hun. Might, could, should, under certain conditions? Really? Where are the reports of any of these happening in the wild?

    Not that Apple shouldn’t provide a fix but can you toner down the rhetoric for once? Other Apple centric sites report the same issue but take pains to assure users that the chances of this happening in the wild are miniscule. Why report in such a way as to incite panic in users who tend to believe the boogeyman is hiding behind every rock?

    • srgmac - 9 years ago

      I believe this needs to be given proper attention because:
      1.) Apple FIXED this issue but only on 2014 Macs — they have not provided any fixes for older machines. In essence, they knew about it, and didn’t care to tell anyone. This is extremely dangerous; in this case they’re HELPING the bad guys!
      2.) Semi related — Apple was notified about the rootpipe issue in OCTOBER of 2014. It’s June of 2015, and they still haven’t fixed it.
      Apple needs to do something about these ridiculous security holes…these are just two — there are tons more holes and major bugs in OS X that are not getting dealt with for months, and in the case of this bug, YEARS. This is _unacceptable_

      • lkrupp215 - 9 years ago

        Baloney ,nonsense. Show me the reports of these exploits being used in the wild even a year later. There are NONE. Helping the bad guys? Bloviation. Dangerous? Ridiculous.

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear