Next week, at the Chaos Communication Congress in Germany, leading security researcher Trammell Hudson will demonstrate that he can infect Apple EFI (Extensible Firmware Interface) firmware on MacBooks (via ZDNET).
The feat exploits the two-year-old Option ROM vulnerability, which is still awaiting a fix and allows the attacker to write custom code to the boot ROM. The bootkit “can be installed by an evil-maid” through the Thunderbolt port of the MacBook computer.
It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple’s EFI firmware update routines. This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard, and it creates a new class of firmware bootkits for MacBook systems.
Once installed on the targeted device, it can survive operating system reinstalls and even hard drive replacements. Indeed, it is able to control the system from the very first instruction, Hudson writes. The reason: “there are no hardware or software cryptographic checks at boot time of firmware validity,” he writes.
During his presentation Hudson will also demonstrate that he is able to replace Apple’s RSA key with one of his own, which will prevent legitimate firmware updates from being accepted.
What’s alarming is that the malicious firmware is also able to spread through shared Thunderbolt devices.
The security researcher will unveil his findings to the public on Dec. 29, 6:30 pm Germany time.