Slashdot Mirror


Macs Vulnerable To Userland Injected EFI Rootkits

Bismillah writes that a new vulnerability in recent Macs — and potentially older ones — can be used to plant code such as rootkits into areas of EFI memory that shouldn't be writeable, but become unlocked after the computer wakes up from sleep mode. The article explains that [The vulnerability] appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer. Memory areas are normally locked as read-only to protect them. However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.
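
To make the defect class in the summary concrete, here is an added toy model (not Apple's firmware and not the researcher's code): flash write-protection is asserted on the boot path but, in the buggy variant, not re-asserted on the sleep-resume path, so an unprivileged writer reaches firmware after wake. The `Platform`, `FlashRegion` and `audit_unlocked_regions` names and all behaviour are constructed assumptions; the fixed variant and the post-wake audit show the mitigation side.

```python
from dataclasses import dataclass


@dataclass
class FlashRegion:
    name: str
    data: bytearray
    write_locked: bool = False  # models a volatile write-protect latch


class Platform:
    """Constructed model; 'reapply_locks_on_resume' selects buggy vs fixed resume."""

    def __init__(self, reapply_locks_on_resume: bool) -> None:
        self.firmware = FlashRegion("boot_firmware", bytearray(b"GOOD"))
        self.reapply_locks_on_resume = reapply_locks_on_resume
        self.asleep = False
        self.firmware.write_locked = True  # the boot path always locks

    def sleep(self) -> None:
        # Modelled sleep: the latch is lost together with the rest of chipset state.
        self.asleep = True
        self.firmware.write_locked = False

    def resume(self) -> None:
        self.asleep = False
        if self.reapply_locks_on_resume:  # the fix: relock on every resume, not only at boot
            self.firmware.write_locked = True

    def user_write(self, payload: bytes) -> bool:
        """Unprivileged write attempt; True if it reached flash, False if rejected."""
        if self.asleep or self.firmware.write_locked:
            return False
        self.firmware.data[: len(payload)] = payload
        return True


def audit_unlocked_regions(platform: Platform) -> list:
    """Defender check to run after every wake: names of regions left writeable."""
    return [r.name for r in (platform.firmware,) if not r.write_locked]


def demo(reapply_locks_on_resume: bool) -> dict:
    """Walk boot -> write attempt -> sleep -> resume -> write attempt."""
    p = Platform(reapply_locks_on_resume)
    before = p.user_write(b"USER")
    p.sleep()
    p.resume()
    after = p.user_write(b"USER")
    return {"write_at_boot": before, "write_after_wake": after,
            "unlocked_after_wake": audit_unlocked_regions(p),
            "firmware": bytes(p.firmware.data)}
```

Running `demo(False)` reproduces the summary's sequence (locked at boot, writeable after a sleep/wake cycle), while `demo(True)` shows the resume path re-asserting the lock and the audit reporting nothing.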

6 of 82 comments

  1. Still needs another vulnerability by cerberusss · Score: 5, Insightful

    FTFA:

    The researcher who discovered the flaw, Pedro Vilaça, said the vulnerability can be used to (some examples) that is invisible to the operating system in the writeable flash memory

    So to summarize: as a user, you can sometimes write to EFI memory.

    That's currently all there is to it. There's no rootkit, there's no malware, etc. Just this space where you can hide and survive an OS wipe and reinstall.

    I'm sure some will come up with a payload that uses this space to hide itself, no doubt about it. But currently, this is all there is to it.

    --
    8 of 13 people found this answer helpful. Did you?
    1. Re:Still needs another vulnerability by benjymouse · Score: 4, Insightful

      So to summarize: as a user, you can sometimes write to EFI memory.

      That's currently all there is to it. There's no rootkit, there's no malware, etc. Just this space where you can hide and survive an OS wipe and reinstall.

      Yes - it is a vulnerability for which there is no exploit published (yet).

      This vulnerability is serious, as it allows an attacker to permanently infect the Mac *firmware* and gain control each time the Mac is booted - even if you nuke and reinstall OS X.

      You may try to dismiss this as "still needs another vulnerability". Another vulnerability, or even a social engineering attack or an evil maid attack, will all suffice. This one can be used to take permanent, undetected residence on successfully exploited Macs.

      That's bad in my book.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  2. recent = made before mid 2014 by fpoling · Score: 5, Informative

    Vilaça believes Apple is aware of the issue - his testing shows the flaw is not found in the firmware of Macs made after mid 2014.

  3. Re:Time for the BIOS to be EEPROM again? by jones_supa · Score: 4, Interesting

    It's interesting that a lot of effort has been put into things like SecureBoot, but there is still a plethora of devices in a PC which are ready to accept new (potentially malicious) firmware at any given point in time.

  4. Re:Will anyone exploit it? by fuzzyfuzzyfungus · Score: 4, Insightful

    If I'm just harvesting nodes for my botnet, Macs are pretty lousy targets, no more capable than PCs and substantially more obscure.

    If I'm attacking systems for the data on them, or to MiTM/trojan/keylog the users of the systems, grab banking credentials and the like, Mac users are a conveniently self-selected group of people atypically worth harvesting. Sure, there are a bunch of underemployed baristas with degrees in Individuality using the MacBook Pro that mommy and daddy bought them to watch movies in their dorm room; but as a whole, thanks to the higher prices, users of OSX devices skew upmarket pretty substantially (iOS devices have some of the same effect, but much less, since at least an iPhone 5c or the like is probably available as the 'free'-with-usurious-contract model on most telcos).

    If you are attempting a corporate/institutional intrusion, Macs vary in value: they are way, way less common, frequently absent entirely; but where they are present, their minority status often means very limited integration into the enterprise's legion of 'security' products, IDSes, and everything else that the Windows users complain is causing logins to take 30 minutes. This makes them handy 'beachhead' systems, especially if they are loaded up with Office, Adobe Malware Runtime, and similar stuff that may well have cross-platform or partially shared libraries of vulnerabilities, but much reduced vigilance on OSX clients.

  5. Re:Will anyone exploit it? by jo_ham · Score: 4, Insightful

    Targeting OS X is tempting because 99% of all Mac users *know* that "Macs can't get infected" (the Apple salespeople told them so), and therefore they don't have any kind of antivirus installed.

    At work, I daily deal with Mac users who get their mail accounts hijacked because of infections. It takes roughly 10-20 minutes to convince them to download and run Avast or something like that, but it's worth the "oh....".

    Out of interest, what "infections"? Do you have any examples? That's clearly a big issue if you're dealing with it daily. What infections are we talking about here?

    Not that I'm doubting your story or anything.

    (NECESSARY DISCLAIMER: I AM NOT CLAIMING THAT OS X CANNOT GET INFECTIONS)