Thread: Security Researcher to Demonstrate a Vulnerability in Apple's Mac EFI

  1. #1
    Akshay Masand

    Security Researcher to Demonstrate a Vulnerability in Apple's Mac EFI


    Next week, a researcher is set to demonstrate a method in which a malicious actor could use a specifically-made Thunderbolt device to inject a bootkit, which could survive almost any attempt to remove it, into the EFI boot ROM of any Mac with a Thunderbolt port. The demonstration is set to take place at the Chaos Communication Congress by researcher Trammell Hudson who claims the attack takes advantage of an old flaw in the Thunderbolt Option ROM which was disclosed in 2012 but hasn't been patched since. Along with showing the custom code, Hudson will show a method by which the bootkit could replicate itself to any attached Thunderbolt device, allowing the malicious actor to spread across even air-gapped networks.

    Since the code lives in a separate ROM on the logic board, the attack can't be prevented by reinstalling OS X or even swapping out the hard drive. Hudson notes that he could replace Apple's own cryptographic key with a new one which even prevents legitimate firmware updates from being accepted. He wrote the following regarding the matter:

    There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM and other techniques to hide from attempts to detect it.

    Vulnerabilities at a low level such as this one are particularly troubling as they are hard to find and can do a significant amount of damage. A previous demonstration of EFI hacking laid out how full-disk encryption systems such as Apple's FileVault could be bypassed with a bootkit.

    Although Hudson's attack does require physical access, its ability to spread through other Thunderbolt devices makes it extra dangerous. Users tend to plug smaller shared devices into their computers without much thought and this would help spread the danger rather quickly.

    Hudson is set to present his findings on December 29th at 6:30pm local time in Hamburg, Germany.

    Source: Chaos Communication Congress via AppleInsider

    Twitter: @AkshayMasand

  2. #2
    Jesus wept! I hope that:
    A) If it is an exploit that is a real threat, Apple have not been too arrogant to ignore the warning (as they usually are).
    B) That it gets no traction in the wild even if it is.

  3. #3
    Quote Originally Posted by Ambi_Valence
    Jesus wept! I hope that:
    A) If it is an exploit that is a real threat, Apple have not been too arrogant to ignore the warning (as they usually are).
    B) That it gets no traction in the wild even if it is.
    It can't get much traction because too few even have a Thunderbolt device and even fewer carry them around, plugging them into multiple Thunderbolt-equipped Macs. I wanted to get a 5K iMac until I read that it doesn't work as a Thunderbolt display, so even I have lost any reason I had to want Thunderbolt.

    This statement is laughable:
    "...its ability to spread through other Thunderbolt devices makes it extra dangerous."
    It's like warning people that some new executable virus that infects floppy disks is "extra dangerous" when no one is using floppies. Even today, I suspect that almost as many people are moving floppies around between PCs as are moving Thunderbolt devices.
