Flaw in MacBook EFI allows attackers to boot ROM with malware using Thunderbolt Ports

Trammell Hudson is set to present his research next week at the 31st Chaos Communication Congress (31C3) in Hamburg, where he will demonstrate how to infect Apple EFI (Extensible Firmware Interface) firmware using the externally accessible Thunderbolt ports. The MacBook flaw is a loophole that was probably overlooked by Apple’s engineers and can allow a potential attacker to take complete control of the device.

Evil Maid Attack

The attack is an “evil maid” attack that replaces the boot code on the computer. His research involves infecting Apple EFI (Extensible Firmware Interface) firmware using the externally accessible Thunderbolt ports. EFI ROMs are supposed to be cryptographically signed, but Hudson says that the Thunderbolt Option ROMs may be used to circumvent the signature checks in Apple’s EFI firmware update routines. Neither the MacBook hardware nor its software performs cryptographic checks of the ROMs at boot time, allowing the machine to be illegally accessed. Hudson states on the Events blog:

Our proof of concept bootkit also replaces Apple’s public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker’s private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

In simpler words, an attacker can replace the ROM of the machine with one of their own. Apple devices usually undergo checks, including cryptographic signature verification, before such an operation can be performed, but this check is not performed if the change is made via the Thunderbolt port. Neither the OS nor any hardware mechanism performs any sort of check. If the attacker manages to replace the ROM, the attacker can control the machine right from boot-up.


Hudson has created a proof of concept bootkit which also replaces Apple’s cryptographic keys in the ROM and prevents any attempt to replace them that isn’t signed with the attacker’s private key.

The ROM thus installed is even capable of hiding itself from detection by other applications, rendering any security mechanism on the machine useless. The code can also survive a complete OS reinstallation, making it nearly impossible for a normal user to eradicate. It can only be removed with an in-system hardware device.

“Additionally, other Thunderbolt devices’ Option ROMs are writable from code that runs during the early boot and the bootkit could write copies of itself to new Thunderbolt devices,” he said. “The devices remain functional, which would allow a stealthy bootkit to spread across air-gap security perimeters through shared Thunderbolt devices.”
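Because Option ROMs on shared Thunderbolt devices can be rewritten, a defender may want to compare a peripheral's Option ROM against a known-good copy. The following is an added example, not code from Hudson's research or from Apple: it walks the standard PCI expansion ROM image chain (the 0x55AA header and the "PCIR" data structure) and reports images whose SHA-256 differs from a baseline. It assumes the dump was read with an external programmer rather than from the possibly compromised host, and the sample images and the IDs 0x1234/0x5678 are constructed.

```python
import hashlib
import struct

CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_option_rom(dump):
    """Walk the chained images in a PCI expansion (Option) ROM dump."""
    images, off = [], 0
    while dump[off:off + 2] == b"\x55\xaa" and off + 0x1A <= len(dump):
        (ptr,) = struct.unpack_from("<H", dump, off + 0x18)  # -> PCI Data Structure
        pcir = off + ptr
        if dump[pcir:pcir + 4] != b"PCIR" or pcir + 0x16 > len(dump):
            raise ValueError(f"image at {off:#x}: missing PCIR structure")
        vendor, device = struct.unpack_from("<HH", dump, pcir + 4)
        (units,) = struct.unpack_from("<H", dump, pcir + 0x10)  # 512-byte units
        length = units * 512
        if length == 0 or off + length > len(dump):
            raise ValueError(f"image at {off:#x}: bad length {length}")
        images.append({
            "offset": off, "vendor": vendor, "device": device,
            "type": CODE_TYPES.get(dump[pcir + 0x14], "unknown"),
            "sha256": hashlib.sha256(dump[off:off + length]).hexdigest(),
        })
        if dump[pcir + 0x15] & 0x80:  # indicator bit 7 set: last image
            break
        off += length
    return images

def changed_images(dump, known_good):
    """Images in dump that differ from, or are absent in, known_good at the same index."""
    good = [i["sha256"] for i in parse_option_rom(known_good)]
    cur = parse_option_rom(dump)
    return [i for n, i in enumerate(cur) if n >= len(good) or i["sha256"] != good[n]]

def _sample_image(code_type, payload, last):
    """Constructed one-unit image; IDs 0x1234/0x5678 are placeholders."""
    hdr = b"\x55\xaa" + bytes(0x16) + struct.pack("<H", 0x1C) + bytes(2)
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", 0x1234, 0x5678, 0, 0x18,
                       0, bytes(3), 1, 0, code_type, 0x80 if last else 0, 0)
    return (hdr + pcir + payload).ljust(512, b"\xff")

# Constructed sample dumps: same legacy image, different EFI image.
KNOWN_GOOD = _sample_image(0, b"legacy", False) + _sample_image(3, b"efi-v1", True)
MODIFIED = _sample_image(0, b"legacy", False) + _sample_image(3, b"efi-v2", True)

if __name__ == "__main__":
    for img in changed_images(MODIFIED, KNOWN_GOOD):
        print(f"changed: {img['type']} image at {img['offset']:#x} {img['sha256'][:16]}")
```

A match only shows that the Option ROM equals the baseline; it says nothing about the machine's own boot ROM, which the article notes can only be restored with an in-system-programming device.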

Apple has not commented on this story. We will update this article as and when they do.