Flaw in MacBook EFI allows boot ROM malware

Next week at the 31st Chaos Communication Congress (31C3) in Hamburg, programmer/hacker Trammell Hudson will present research on ways to infect Apple EFI (Extensible Firmware Interface) firmware using the externally accessible Thunderbolt ports.

Update on December 23: In an email, Hudson says that his proof of concept attack requires a reboot of the MacBook, but there are attacks, such as SLOTSCREAMER, which could be used to attack a running system. Hudson also says that he has "... been in contact with Apple's security team for nearly two years regarding the Option ROM and Thunderbolt issues."

The attack is an "evil maid," replacing the boot code on the computer. EFI ROMs are supposed to be cryptographically signed, but Hudson says that the Thunderbolt Option ROMs may be used to circumvent the signature checks in Apple's EFI firmware update routines. Neither the MacBook hardware nor software perform cryptographic checks of the ROMs at boot time.

In this scenario, the attack code controls the MacBook from the very first instruction. It is in a position to hide itself from detection by other software using SMM and other techniques and it may well be impossible to remove such code without an in-system hardware device to do it. The code survives reinstalling OS X or even replacing the hard drive.

Hudson has created a proof of concept bootkit which also replaces Apple's cryptographic keys in the ROM and prevents any attempt to replace them that isn't signed with the attacker's private key.

On top of all this, the malicious firmware is able to write to attached Thunderbolt Option ROMs at boot time, meaning that it can spread itself without a network connection.

We have asked Apple for comment and will update the story if we receive one.