A serious security flaw has been found in Macs older than a year that essentially allows an attacker to take total control of a user’s MacBook. The flaw was discovered by prominent OS X security researcher Pedro Vilaca, who was able to reflash the Mac’s BIOS code held in flash memory, implying that a user’s machine remains affected even if he reinstalls OS X or reformats the drive. A user’s MacBook therefore remains affected even after he physically replaces the hard drive, as the malicious code is stored in the flash memory, not on the drive.
This new security flaw pertains to MacBooks shipped before mid-2014: when such a machine is allowed to enter ‘Sleep Mode’, its BIOS flash write protection (the FLOCKDN bit) is left deactivated once it resumes. With that protection off, the firmware becomes writable, which allows an attacker to alter the EFI (Extensible Firmware Interface).
“Apple’s S3 suspend-resume implementation… will leave the flash protections unlocked after a suspend-resume cycle… It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access,” explains Vilaca in a blog post.
As already mentioned, MacBooks shipped before mid-2014 that are allowed to enter sleep mode are vulnerable; newer Macs remain immune to this flaw. Vilaca confirms in his blog post that his attack does not work on a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple.
Meanwhile, 9to5Mac reports that even the NSA apparently deployed the same methodology to keep track of its surveillance targets, intercepting shipments addressed to them and installing the firmware modification. Here, though, no physical access is required: the malware can be installed remotely through existing flaws in Safari and other web browsers.
“The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access,” Vilaca wrote. “The only requirement is that a suspended happened [sic] in the current session. I haven’t researched, but you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage ;-).”
So what can be done?
Vilaca says there isn’t a lot that can be done to prevent this security flaw, though users can change the default power settings in OS X so that the MacBook never enters sleep mode. Vilaca further says that Mac users shouldn’t worry much, as the attack is rather complicated and difficult to pull off on a massive scale.
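The one mitigation mentioned above is keeping the machine out of sleep mode, which on OS X is controlled by `pmset`. The following Python script, added here as an illustration and not taken from Vilaca’s post or any Apple tool, parses the output of `pmset -g` and reports whether the system sleep timer is still active (a non-zero `sleep` value means the Mac can still suspend). The sample output is constructed for the example; only the key names follow the real `pmset` format, and the values are illustrative.

```python
import re
import subprocess
from typing import Dict, Optional

# Constructed sample of `pmset -g` output (not captured from a real machine).
# Key names mirror the real format; the values are illustrative only.
SAMPLE_PMSET_OUTPUT = """System-wide power settings:
Currently in use:
 standby              1
 Sleep On Power Button 1
 womp                 1
 hibernatefile        /var/vm/sleepimage
 disksleep            10
 sleep                10
 hibernatemode        3
 displaysleep         10
"""

# Same constructed sample after `sudo pmset -a sleep 0` (system sleep never).
MITIGATED_PMSET_OUTPUT = SAMPLE_PMSET_OUTPUT.replace(
    " sleep                10", " sleep                0"
)

# Each setting line is indented; the key may contain spaces
# ("Sleep On Power Button"), so capture lazily up to the first integer value.
SETTING_RE = re.compile(r"^\s+(.+?)\s+(\d+)\b")


def parse_pmset(output: str) -> Dict[str, int]:
    """Return the integer-valued settings from `pmset -g` output.

    Lines without a numeric value (e.g. hibernatefile) are skipped.
    """
    settings: Dict[str, int] = {}
    for line in output.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = int(match.group(2))
    return settings


def system_sleep_enabled(settings: Dict[str, int]) -> bool:
    """True if the Mac can still enter system sleep.

    `sleep` is the system sleep timer in minutes; 0 means never. If the key
    is missing we cannot confirm the mitigation, so report sleep as enabled.
    """
    timer: Optional[int] = settings.get("sleep")
    return timer is None or timer != 0


def read_live_settings() -> Dict[str, int]:
    """Run `pmset -g` on the current machine (macOS only) and parse it."""
    result = subprocess.run(["pmset", "-g"], capture_output=True, text=True, check=True)
    return parse_pmset(result.stdout)


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_PMSET_OUTPUT), ("sleep=0", MITIGATED_PMSET_OUTPUT)):
        status = "can still sleep" if system_sleep_enabled(parse_pmset(text)) else "sleep disabled"
        print(f"{label}: {status}")
```

On a real machine, `read_live_settings()` replaces the constructed sample; the script only reads the power settings and does not change them. Note that this check confirms the workaround is in place, not that the firmware itself is untouched.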
Vilaca also notes that Apple fixed this vulnerability in MacBooks shipped in mid-2014 but, surprisingly, did not release firmware updates for older machines.