A security researcher has found what he says is a deep flaw that potentially affects all Macintosh Intel models made until mid-2014, when the error he discovered appears to have been fixed. The exploit would allow, in a very particular set of combined conditions, to rewrite the boot-up firmware in a Mac to include persistent, malicious software.
Pedro Vilaca revealed the information without what is considered responsible disclosure in the security industry, in which an affected company or project is notified sufficiently far ahead of the release of information to allow them the potential to fix the problem. Apple isn’t always terrific about this, but looking at the list of credited, fixed security issues in its regular updates indicates it does accept and act on reports.
In an update, he posted a feeble excuse about why he didn’t tell Apple first. And I agree with his criticism about Apple not offering security patches for older Macs, some of which can’t run newer versions of OS X. Apple relies on how quickly Mac users upgrade OS X when it’s an option, the lifespan of older computers, and the increasingly small target of outdated Macs being worthwhile to attack.
However, some preliminary contact would have been nice to prevent tens of millions of Mac users from becoming targets before the full scope is understood and how easy it will be to exploit practically. There appears to be a bullseye, and if we’re lucky, it’s awfully hard to hit.
Give it the boot
No matter what sort of computer or mobile device you have, when it’s first fired up from a complete “off” state, not just standby, a boot process has to go through its paces. A relatively simple piece of software stored mostly or entirely in nonvolatile memory—flash or EEPROM or other storage that isn’t erased when power is removed—is executed, and that bootloader initializes hardware, may be able to interact with a keyboard or mouse, and finds the device with the operating system on it and prepares to load it and hand off control.
Macs are no different. Since the Intel transition almost a decade ago, Macs have used EFI (Extensible Firmware Interface), which is a more sophisticated successors to the long-running BIOS that booted IBM-compatible PCs, as they were once known. (Intel developed EFI, and contributed to the industry standard Unified EFI, or UEFI, which now boots nearly all new PCs.)
Apple uses a cryptographic signature to prevent firmware from being updated that the company didn’t provide. Last December, Trammell Hudson unveiled a Thunderbolt-related exploit he called Thunderstrike. (He’d been providing details to Apple for some time.) His exploit required physical access to a Thunderbolt port and relied on Thunderbolt firmware being loaded while an EFI update was underway. Apple fixed this in OS X 10.10.2.
Vilaca says his exploit results from Apple failing to lock down the EFI firmware after a Mac wakes from sleep. He was able to test enough systems to believe it affects only Macs from before mid-2014, although I expect we’ll get more information in the near future from other researchers and people who like to poke at this sort of problem.
The EFI could be rewritten to include every kind of snooping and zombie software, snatching all keystrokes and data or turning a computer into an unwitting slave in a distributed denial of service (DDoS) attack. Because the malware is in the EFI, reinstalling OS X or replacing the hard drive does no good. Thunderstrike showed how the system could be modified to prevent an Apple-provided EFI update from being installed as well.
Remote attacks seem unlikely
Vilaca noted that a remote exploit should be possible, though downplayed it, and I agree there. There’s a whole cascade of what would need to happen to first make it useful for an exploit to be created and then install it on unsuspecting Macs.
Any criminal enterprise interested in this exploit has to factor in two elements: how quickly will Apple patch it (if it’s ever patched) and how many potential target computers are there that could be exploited? There are conceivably tens of millions of older Macs, so that number is high. But if Apple releases a patch that works with Mavericks and Yosemite, that covers at least 80 percent of active Macs, and potentially more than 90 percent. That makes the yield likely too low to be worthwhile.
To take advantage of this exploit remotely, an attacker would have to either use an unpatched browser weakness or convince a user to install software with an administrative password. Judging by reports around free software that’s repackaged with adware and malware and hosted at popular download sites, users routinely give away the keys to the kingdom. But on what scale? Probably also not enough to be worthwhile for this kind of flaw.
Earlier this year, Kaspersky Labs claimed it found malware in hard-disk firmware—the boot and operation software used on hard drives to operate and interact with a computer system. They attributed this to a government actor, widely regarded as the NSA. It’s not improbable that this Apple EFI weakness, if it’s as described by Vilaca, could be or has been used to target individuals. But the risk on a broad scale seems highly unlikely.