Flaw In Macbook EFI Allows Boot ROM Malware


Cyber security expert Trammell Hudson has discovered a way to infect Apple EFI (Extensible Firmware Interface) firmware through the externally accessible Thunderbolt ports.

What Is EFI?

The EFI System Partition (ESP) is a partition on a data storage device used by computers that follow the Unified Extensible Firmware Interface (UEFI) specification. When the computer is powered on, the UEFI firmware loads files stored on the ESP to start the installed operating systems and various utilities.

The bootkit can be installed by an evil maid with brief physical access via the externally accessible Thunderbolt ports, and it survives reinstallation of OS X as well as hard drive replacement. Once installed, it can block software attempts to remove it and could spread virally across air gaps by infecting additional Thunderbolt devices.

A Thunderbolt Option ROM can be used to circumvent the cryptographic signature checks in Apple's EFI firmware update routines. This lets an attacker with physical access to the machine write untrusted code to the SPI flash ROM on the motherboard, creating a new class of firmware bootkits for MacBook systems.

Hudson has created a proof of concept bootkit which also replaces Apple's cryptographic keys in the ROM and prevents any attempt to replace them that isn't signed with the attacker's private key.
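The key-replacement behaviour described above works because the update routine trusts a signing key that lives in the same writable flash as the firmware it protects: whoever can write the flash once can also swap the key, and every later update signed by the vendor fails verification. The following toy model is an added example, not code from the original post or from Trammell Hudson's Thunderstrike work; the textbook RSA keys, the flash layout and the function names are all constructed for illustration and are not Apple's format. It shows the flash-anchored check beside a variant whose trust anchor is pinned in storage the update path cannot rewrite.

```python
"""Toy model of a firmware-update signature check whose trust anchor lives in
writable flash, beside a variant that pins the anchor in immutable storage.
Added example, not code from the original post or from Thunderstrike; the
RSA toy keys and the 'flash' layout are constructed and are not Apple's."""
import hashlib


def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Textbook RSA key from two primes; no padding, demonstration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


# Constructed keys built from Mersenne primes so the arithmetic is checkable
# without any third-party library.
VENDOR_KEY = make_key(2**31 - 1, 2**61 - 1)
ATTACKER_KEY = make_key(2**19 - 1, 2**89 - 1)


def digest(image: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign(image: bytes, key: dict) -> int:
    return pow(digest(image, key["n"]), key["d"], key["n"])


def verify(image: bytes, sig: int, pubkey: dict) -> bool:
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(image, pubkey["n"])


def make_flash(image: bytes, pubkey: dict) -> dict:
    """Constructed SPI-flash layout: the firmware image and the update-signing
    public key share one writable region."""
    return {"image": image, "update_pubkey": pubkey}


def apply_update_flash_anchor(flash: dict, new_image: bytes, sig: int) -> bool:
    """Update routine that trusts whichever key is currently stored in flash.
    Anyone who can write the flash once can also replace the key it trusts."""
    if not verify(new_image, sig, flash["update_pubkey"]):
        return False
    flash["image"] = new_image
    return True


# Hardened variant: the vendor key is held in storage the update path cannot
# rewrite (modelled as a module constant), so the copy in flash plays no part
# in the decision.
ROM_VENDOR_PUBKEY = public(VENDOR_KEY)


def apply_update_rom_anchor(flash: dict, new_image: bytes, sig: int) -> bool:
    if not verify(new_image, sig, ROM_VENDOR_PUBKEY):
        return False
    flash["image"] = new_image
    return True


def after_key_swap(apply_update) -> tuple:
    """Run one update routine against flash whose key slot has already been
    overwritten. Returns (vendor_update_accepted, attacker_update_accepted)."""
    flash = make_flash(b"vendor firmware v1", public(VENDOR_KEY))
    # The outcome the post describes: a direct flash write replaces both the
    # image and the key the checker trusts in one go.
    flash["image"] = b"tampered firmware"
    flash["update_pubkey"] = public(ATTACKER_KEY)

    vendor_img, attacker_img = b"vendor firmware v2", b"tampered firmware v2"
    vendor_ok = apply_update(flash, vendor_img, sign(vendor_img, VENDOR_KEY))
    attacker_ok = apply_update(flash, attacker_img, sign(attacker_img, ATTACKER_KEY))
    return vendor_ok, attacker_ok


if __name__ == "__main__":
    print("flash-anchored key:", after_key_swap(apply_update_flash_anchor))  # (False, True)
    print("ROM-anchored key:  ", after_key_swap(apply_update_rom_anchor))    # (True, False)
```

With the key in flash, the vendor is locked out and only attacker-signed images are accepted after the swap; with the key anchored outside the writable region, the swapped copy changes nothing and vendor-signed updates still install. The design point is that a verification routine is only as trustworthy as the least mutable place its key is stored.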

The malicious firmware is also able to write to attached Thunderbolt Option ROMs at boot time, meaning that it can spread itself without a network connection.
