Hacker: Mac Firmware Security Is Broken


Apple hacker Pedro Vilaça has uncovered a zero-day vulnerability in Mac computers that allows hackers with privileged access to install EFI (Extensible Firmware Interface) rootkits.


The attack takes advantage of unlocked flash protections when machines go into sleep mode, according to Vilaça.

"Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. It means that you can overwrite the contents of your BIOS from userland a rootkit EFI without any other tricks other than a suspend-resume cycle, a kernel extension, flash rom, and root access," Vilaça says in a blog post.

"The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access [provided] a suspend happens in the current session … you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage."

When an affected Mac enters a sleep state, the flash locks are removed, allowing an attacker to update the flash ROM with malicious EFI binaries.
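The check below is an added example, not code from Vilaça's post or from this article: it compares two snapshots of flash protection registers, taken before and after a sleep cycle, and reports which locks the firmware failed to restore. The register and bit names (BIOS_CNTL, HSFS.FLOCKDN, PR0 to PR4) come from Intel PCH datasheets and are an assumption here, since the article names none; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (Intel PCH datasheets); the article does not name registers. */
struct flash_regs {
    uint8_t  bios_cntl;  /* bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP */
    uint16_t hsfs;       /* bit 15 FLOCKDN (flash configuration lock-down) */
    uint32_t pr[5];      /* PR0..PR4, bit 31 = write protection enable */
};

enum {
    LOST_FLOCKDN = 1 << 0,  /* SPI configuration no longer locked down */
    LOST_BLE     = 1 << 1,  /* BIOS Lock Enable cleared */
    LOST_SMM_BWP = 1 << 2,  /* SMM-only BIOS write protection cleared */
    LOST_PR      = 1 << 3,  /* a protected range lost its write protection */
    BIOSWE_SET   = 1 << 4   /* BIOS write enable newly set */
};

/* Bitmask of protections that were active before sleep but not after resume. */
unsigned lost_protections(const struct flash_regs *before,
                          const struct flash_regs *after)
{
    unsigned lost = 0;
    if ((before->hsfs & 0x8000) && !(after->hsfs & 0x8000)) lost |= LOST_FLOCKDN;
    if ((before->bios_cntl & 0x02) && !(after->bios_cntl & 0x02)) lost |= LOST_BLE;
    if ((before->bios_cntl & 0x20) && !(after->bios_cntl & 0x20)) lost |= LOST_SMM_BWP;
    for (int i = 0; i < 5; i++)
        if ((before->pr[i] & 0x80000000u) && !(after->pr[i] & 0x80000000u))
            lost |= LOST_PR;
    if (!(before->bios_cntl & 0x01) && (after->bios_cntl & 0x01)) lost |= BIOSWE_SET;
    return lost;
}

/* Constructed sample snapshots, not readings from a real machine. */
static const struct flash_regs SAMPLE_BEFORE = { 0x22, 0xE008, { 0x8FFF0190u, 0, 0, 0, 0 } };
static const struct flash_regs SAMPLE_AFTER  = { 0x22, 0x6008, { 0, 0, 0, 0, 0 } };

int main(void)
{
    unsigned lost = lost_protections(&SAMPLE_BEFORE, &SAMPLE_AFTER);
    if (lost & LOST_FLOCKDN) puts("FLOCKDN cleared after resume");
    if (lost & LOST_PR)      puts("protected range no longer write-protected");
    if (lost & (LOST_BLE | LOST_SMM_BWP | BIOSWE_SET)) puts("BIOS_CNTL weakened");
    return lost ? 1 : 0;
}
```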

AFFECTED MODELS

The MacBook Pro Retina, MacBook Pro 8,2 and MacBook Air, all running the latest available EFI firmware, are vulnerable.

But the latest MacBook models are not vulnerable.

"I expect all mid/late 2014 machines and newer to not be vulnerable. Apple either fixed it by accident or they know about it. It’s not something you just fix by accident, just sayin’. I’m pretty sure Apple is aware of the bug or at least it would be quite irresponsible from them to not test if their BIOS implementation was vulnerable to the Dark Jedi attack," he says.

HOW CAN YOU PROTECT YOURSELF?

Do not let your computer sleep; always shut it down instead. Also wait for the Apple update.
