A security researcher has demonstrated a hack that can rewrite a Mac’s firmware using a Thunderbolt device containing attack code. The proof of concept, demoed by Trammell Hudson at Chaos Computer Congress in Hamburg, infects the Apple Extensible Firmware Interface (EFI) in a way Hudson claims cannot be detected, nor removed by reinstalling OS X.
Since the boot ROM is independent of the operating system, reinstalling OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.
Apple already has an intended fix ready for the latest Mac mini and iMac with Retina Display models, and Hudson says the fix will also soon be available for other Macs. However, it appears this provides only partial protection.
“Once installed, the firmware cannot be removed since it replaces Apple’s public RSA key, which means that further firmware updates will be denied unless signed by the attacker’s private key. The hacked firmware can also replicate by copying itself to option ROMs in other Thunderbolt devices connected to the compromised Mac during a restart. Those devices remain functional, making it impossible to know that they have been modified.”
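As an added illustration (not code from the article or from Hudson’s proof of concept), the following Python model shows why swapping the public key held in the boot ROM locks out vendor updates: the simulated ROM only writes an image whose signature verifies under the key it currently holds, so once that key is replaced, vendor-signed fixes are refused while attacker-signed images pass. It also shows the one check a defender can still run on a ROM image read out with an external programmer, comparing the embedded key against a known vendor fingerprint. The RSA parameters (toy sizes), the key pairs, the image contents and the `BootRom` class are all constructed for this example.

```python
import hashlib
import math


def _is_prime(n):
    """Trial division; adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    for f in range(2, int(n ** 0.5) + 1):
        if n % f == 0:
            return False
    return True


def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n


def make_keypair(seed_p, seed_q, e=65537):
    """Toy RSA key pair (constructed, ~40-bit modulus, not secure): returns (public, private)."""
    p = _next_prime(seed_p)
    q = _next_prime(seed_q)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:  # keep e invertible mod phi(n)
        q = _next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


# Constructed keys: one standing in for the vendor's update-signing key, one for an attacker's.
VENDOR_PUB, VENDOR_PRIV = make_keypair(1_000_000, 2_000_000)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(3_000_000, 4_000_000)


def key_fingerprint(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


# What a defender pins ahead of time: the fingerprint of the genuine vendor key.
KNOWN_VENDOR_FINGERPRINT = key_fingerprint(VENDOR_PUB)


class BootRom:
    """Simulated boot ROM: the firmware image plus the public key that gates updates."""

    def __init__(self, pinned_pub, image):
        self.pinned_pub = pinned_pub
        self.image = image

    def apply_update(self, new_image, sig):
        """The legitimate update path: only images verifying under the ROM's own key are written."""
        if not verify(self.pinned_pub, new_image, sig):
            return False
        self.image = new_image
        return True


def rom_key_is_genuine(rom):
    """Compare the key embedded in a ROM dump against the known vendor fingerprint.
    Only meaningful on a dump taken with an external programmer: a compromised ROM
    asked to report on itself can simply lie."""
    return key_fingerprint(rom.pinned_pub) == KNOWN_VENDOR_FINGERPRINT


def scenario():
    rom = BootRom(VENDOR_PUB, b"stock firmware v1")
    results = {"clean_rom_key_genuine": rom_key_is_genuine(rom)}

    # A vendor-signed update is accepted while the ROM still holds the vendor key.
    v2 = b"stock firmware v2"
    results["vendor_update_on_clean_rom"] = rom.apply_update(v2, sign(VENDOR_PRIV, v2))

    # The attack described in the article does not go through apply_update at all: the
    # flash is rewritten directly, replacing both the image and the pinned key.
    rom.image = b"modified firmware"
    rom.pinned_pub = ATTACKER_PUB
    results["compromised_rom_key_genuine"] = rom_key_is_genuine(rom)

    # The vendor's fix no longer verifies, because the ROM now trusts the wrong key...
    fix = b"stock firmware v3 (vendor fix)"
    results["vendor_fix_on_compromised_rom"] = rom.apply_update(fix, sign(VENDOR_PRIV, fix))

    # ...while an image signed with the attacker's key is accepted.
    evil = b"modified firmware v2"
    results["attacker_update_on_compromised_rom"] = rom.apply_update(evil, sign(ATTACKER_PRIV, evil))
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The model deliberately separates the two write paths: `apply_update` is the signed path the vendor fix must take, and the direct assignment in `scenario` stands for the unsigned flash write the article describes, which is why the fingerprint check is only worth anything on a dump read by hardware rather than by the firmware itself.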
The hack is likely nothing for the average Mac user to worry about, as it requires physical access to your Mac, and Hudson says he is not aware of any Mac firmware bootkits in the wild. However, he does note that there is no way to be completely sure about that.
Hudson’s presentation slides are available on Flickr. He says he has been in contact with Apple about EFI vulnerabilities. He also says his slides, while providing enough “pseudo-code” to allow others to verify his claims, won’t make it easy for others to exploit the flaw.
The presentation comes in the wake of another showing how a fingerprint sensor, such as Apple’s Touch ID, might be fooled using photographs of a user’s finger.