New hack allows firmware to be rewritten and a permanent backdoor created on almost all Macs running OS X
New Apple Mac OSX Zero-Day Bug allows hackers to Install RootKit Malware by reflashing BIOS
An OS X security researcher, Pedro Vilaca, has discovered a new way to overwrite the firmware and take control of almost all Macs that are more than a year old.
The attack, which Vilaca has posted on his blog, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode.
Vilaca has written a script to reflash a Mac’s BIOS using functionality available from userland. Userland is the part of Mac OS X in which applications and drivers are executed. Vilaca’s script works by exploiting vulnerabilities such as those regularly found in Safari and other Web browsers.
Ars Technica says that Vilaca’s exploit is more serious than the Thunderstrike proof-of-concept exploit disclosed in December 2014. Like Thunderstrike, Vilaca’s exploit gives attackers the same level of control over a Mac, but unlike Thunderstrike, which requires physical access to the machine, this exploit can be executed remotely, letting an attacker take control of the targeted Mac over the network.
“BIOS should not be updated from userland and they have certain protections that try to mitigate against this,” Vilaca wrote in an e-mail to Ars. “If BIOS are writable from userland then a rootkit can be installed into the BIOS. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates.”
Vilaca’s exploit targets the Mac BIOS protection known as FLOCKDN. Normally, FLOCKDN allows userland apps only read access to the BIOS region; however, Vilaca found that the FLOCKDN protection is somehow deactivated after a Mac wakes from sleep mode.
The exploit uses this gap to rewrite the BIOS through a process typically known as reflashing. Once the BIOS is reflashed, an attacker can modify the Mac’s extensible firmware interface (EFI), the firmware responsible for starting a Mac’s system management mode and enabling other low-level functions before the OS loads.
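The lock the article describes is the FLOCKDN bit in the SPI controller’s HSFS register, which freezes the flash protected-range (PR) registers until the next reset. The following Python is an added example, not Vilaca’s code or anything from the article, of the check a defender could run before suspend and after resume to detect the lock being dropped; register bit positions follow Intel’s PCH SPI programming interface, and all register values are constructed sample values rather than reads from hardware.

```python
# Added example (not from the article or from Vilaca): model of a defender's
# pre-suspend / post-resume check for the SPI flash lock the article describes.
# Register layout follows Intel's PCH SPI interface: HSFS bit 15 is FLOCKDN,
# and each PRx register has bit 31 = write-protect enable, bits 28:16 = limit
# and bits 12:0 = base, both in 4 KiB units. All values used are constructed.
FLOCKDN = 1 << 15


def protected_ranges(prs):
    """Decode PR0..PR4 into inclusive (base, limit) byte ranges that are protected."""
    ranges = []
    for pr in prs:
        if pr & (1 << 31):
            base = (pr & 0x1FFF) << 12
            limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
            ranges.append((base, limit))
    return ranges


def writable_spans(hsfs, prs, region):
    """Inclusive byte spans of `region` that OS-level code could write.

    With FLOCKDN clear the PR registers themselves can be rewritten, so the
    whole region is reported as writable regardless of the current PR contents.
    """
    if not hsfs & FLOCKDN:
        return [region]
    spans = [region]
    for base, limit in protected_ranges(prs):
        remaining = []
        for start, end in spans:
            if limit < start or base > end:      # no overlap with this PR
                remaining.append((start, end))
                continue
            if start < base:                      # unprotected head
                remaining.append((start, base - 1))
            if end > limit:                       # unprotected tail
                remaining.append((limit + 1, end))
        spans = remaining
    return spans


def check_resume(before, after, bios_region):
    """Compare snapshots {"hsfs": int, "prs": [int]*5} taken before suspend and
    after resume; an empty result means the lock state survived the sleep cycle."""
    findings = []
    if before["hsfs"] & FLOCKDN and not after["hsfs"] & FLOCKDN:
        findings.append("FLOCKDN cleared after resume")
    was = writable_spans(before["hsfs"], before["prs"], bios_region)
    now = writable_spans(after["hsfs"], after["prs"], bios_region)
    if now != was:
        findings.append("writable BIOS spans changed: %s -> %s" % (was, now))
    return findings
```

On real hardware the snapshots would come from the SPI BAR (for example via a tool such as chipsec) run by a launchd job on wake; the sample here only exercises the decision logic.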
“The flash is unlocked and now you can use flashrom to update its contents from userland, including EFI binaries. It means Thunderstrike-like rootkit strictly from userland,” says Vilaca in the blog post.
Vilaca says that a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack.
“The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access,” Vilaca wrote. “The only requirement is that a suspend happened in the current session. I haven’t researched but you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage ;-).”
Vilaca says that a potential attacker could simply add code that puts the targeted Mac to sleep and then runs the exploit the next time the Mac wakes.
“An exploit could either verify if the computer already went previously into sleep mode and it’s exploitable, it could wait until the computer goes to sleep, or it can force the sleep itself and wait for user intervention to resume the session,” Vilaca told Ars. “I’m not sure most users would suspect anything fishy is going on if their computer just goes to sleep. That is the default setting anyway on OS X.”
Vilaca has confirmed his attack works against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple. Macs released after mid-2014 are immune to this kind of attack. Vilaca is not sure of the reason, but says that Apple may have silently patched the vulnerability or that it may have been fixed accidentally by some other update.
Apple has not yet commented on the vulnerability. The only way to mitigate this vulnerability is to remove the sleep settings of a Mac and keep it awake all the time.