Flaw in MacBook EFI allows boot ROM malware

[UPDATED] An attacker can introduce persistent boot ROM malware using an "evil maid" attack through the MacBook Thunderbolt ports.

Next week at the 31st Chaos Communication Congress (31C3) in Hamburg, programmer/hacker Trammell Hudson will present research on ways to infect Apple EFI (Extensible Firmware Interface) firmware using the externally accessible Thunderbolt ports.

Update on December 23: In an email, Hudson says that his proof-of-concept attack requires a reboot of the MacBook, but that there are attacks, such as SLOTSCREAMER, which could be used against a running system. Hudson also says that he has "... been in contact with Apple's security team for nearly two years regarding the Option ROM and Thunderbolt issues."


The attack is an "evil maid" attack that replaces the boot code on the computer. EFI ROMs are supposed to be cryptographically signed, but Hudson says that Thunderbolt Option ROMs can be used to circumvent the signature checks in Apple's EFI firmware update routines. Neither the MacBook hardware nor its software performs cryptographic checks of the ROMs at boot time.

In this scenario, the attack code controls the MacBook from the very first instruction. It is in a position to hide itself from other software using SMM (System Management Mode) and other techniques, and it may well be impossible to remove such code without an in-system hardware device to do it. The code survives reinstalling OS X or even replacing the hard drive.

Hudson has created a proof-of-concept bootkit which also replaces Apple's cryptographic keys in the ROM and prevents any attempt to replace them that isn't signed with the attacker's private key.

On top of all this, the malicious firmware is able to write to attached Thunderbolt Option ROMs at boot time, meaning that it can spread itself without a network connection.

We have asked Apple for comment and will update the story if we receive one.

[Image: thunderstrike.jpg, courtesy Trammell Hudson]
