New Vulnerability Leaves Most Apple Machines Vulnerable to Permanent Backdoor Badness

Mere months after the very first backdoor access vulnerability for Macs was discovered and reported—specifically, Thunderstrike—another one has just been discovered with the same kind of backdoor-enabling capability as its predecessor. The difference between this one and the old one? This vulnerability doesn’t need the brief physical access that Thunderstrike required in order to do its dirty work. In fact, attackers may be able to exploit it from half the world away.

Discovered by OS X security researcher Pedro Vilaca, this latest vulnerability potentially allows attackers to install malware into a Mac’s BIOS.  This is done through a functionality contained in userland, the part of the operating system where installed applications and drivers are executed. When malware gets into the BIOS, the malware is loaded first BEFORE the OS every time the system is turned on, making it very difficult, if not impossible, to remove.

How does the bug work? It works by attacking the BIOS protections immediately after a Mac restarts from sleep mode.  Normally, the BIOS region can only be interacted with in a read-only way by userland applications, due to the BIOS protection known as FLOCKDN. However, for some reason, FLOCKDN is deactivated once a Mac restarts from sleep mode, and it’s in this period that the BIOS and its firmware become open to apps that can rewrite them at will (and therefore write malware into the BIOS). This process is known as reflashing, and there are freely-available apps that do exactly this, such as Flashrom. And as Vilaca reports, physical access to the target Mac isn’t even needed to pull this off. In fact, he says (in his blog entry that details the vulnerability) that a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attacks.

Of course, it’s not all bad news—or at least, it's not that easy to pull off an infection. To work, the enterprising attacker would need a vulnerability that provides the attacker with complete “root” access to OS X resources, and they are quite rare in the wild. The attacker would also need to find a way for the system to go into sleep mode in order to trigger the payload, but Vilaca says that’s the easier part of the equation, as the hypothetical exploit could be coded to either activate only when it detects the system going into sleep mode, or force it instead.

Now that we know about this vulnerability, which systems are vulnerable? Vilaca reported that Apple machines released prior to the middle of 2014 would be affected by this bug. He also went on to say that he’d managed to pull off the attack against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple. Machines shipped out since mid to late 2014 are, according to Vilaca, immune, although he doesn’t have an explanation why. He guessed that either Apple fixed the vulnerability silently or managed to do so accidentally.

Are there any countermeasures to this vulnerability? Yes and no. There’s not much else users can do to stop exploits that take advantage of this bug, but the settings can be tweaked to prevent the machine from going to sleep when it’s idle. Advanced users can also download software made available by Trammell Hudson, the author of Thunderstrike, to dump the contents of their BIOS chip. They can then compare the dumped contents against the original firmware files provided by Apple, to see if they’ve been compromised by the bug or not (since the modified BIOS files would be different from the original).

With more vulnerabilities like these popping up for Apple, it’s only a matter of time before cybercriminals begin leveraging them for their own malicious ends—which makes the case stronger for Mac users to secure their devices pronto. Like we’ve been shouting from the mountaintops since day one, security through obscurity just won’t cut it anymore, especially in this threat landscape.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.