Researcher demonstrates firmware attack on Macbook

In late December, a researcher showed how it is possible to install on an Apple Macbook a bootkit that reinstalling the operating system and replace the hard drive can survive. The bootkit can be installed by someone with physical access to the laptop. For this, the externally accessible Thunderbolt port is used. Once the bootkit is running that can spread virally by infecting other Thunderbolt devices.

According to researcher Trammell Hudson is possible to bypass the control that uses Apple EFI (Extensible Firmware Interface) firmware updates. This can add an attacker with physical access of malicious code to the firmware on the ROM of the motherboard, creating a new class of firmware boat kits for Macbooks. The firmware is not cryptographically checked during boot, so the malicious code from the beginning has full control over the system.

Hudson developed a "proof of concept" bootkit Apple's public RSA key in replacing the firmware and prevents attempts to replace the malicious code. Since the boot firmware is independent of the operating system, the bootkit continues after a reinstallation of the operating system to exist. Replacing the hard drive also has no effect. Only through a programming device, the original firmware can be restored.

The researcher notes that can be adjusted by the bootkit and can spread further as the firmware of other Thunderbolt devices. "Although the two year old Thunderbolt firmware leak that this attack used a firmware patch to remedy is the bigger problem of Apple's EFI firmware security and secure booting without solving difficult trusted hardware." Hudson will during his presentation at the CCC conference give more details.