Apple + Malware

A 30 Second Nap Could Be All a Hacker Needs to Rootkit Your Mac

Posted on June 2nd, 2015 by

Sleep

When you stop using your Mac, do you let it go to sleep or perform a full shutdown?

Maybe you will consider turning your Mac off properly, after reading about one security researcher's worrying discovery.

A new zero-day vulnerability has been discovered on older Mac computers, opening opportunities for hackers to meddle with the system BIOS and install a rootkit.

Sounds familiar? It should, because earlier this year we discussed a similar attack known as Thunderstrike, which Apple fixed in OS X 10.10.2.

In Thunderstrike's case, researcher Trammel Hudson described in detail how a Mac Thunderbolt port could be exploited to install malicious code in the ROM EFI boot chip on a MacBook.

But the new vulnerability, uncovered by OS X security researcher Pedro Vilaça and dubbed "Prince Harming" by Katie Moussouris, goes further, and appears to be more serious than Thunderstrike – because it does not require physical access to the targeted device.

Research paper

Instead, Vilaça has described how Apple computers made before mid-2014 are vulnerable to attack when awakened after they have been in sleep mode for 30 seconds or longer.

The problem, according to Vilaça, is that the computer's low-level firmware is left unlocked – providing an opportunity for unauthorised code to be injected into its ROM EFI boot chip in the form of a malicious rootkit.

"And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access."

"Wait, am I saying Macs EFI can be rootkitted from userland without all the tricks from Thunderbolt that Trammell presented? Yes I am! And that is one hell of a hole :-)."

Such an attack could be delivered remotely without physical access to the targeted computer by exploiting browser vulnerabilities and enticing a computer to visit a boobytrapped webpage. Provided their computer had entered sleep mode during the current cycle, it could be exploited.

And, as Vilaça told Ars Technica, it may be that hackers could force a targeted computer to enter sleep mode first:

"An exploit could either verify if the computer already went previously into sleep mode and it's exploitable, it could wait until the computer goes to sleep, or it can force the sleep itself and wait for user intervention to resume the session. I'm not sure most users would suspect anything fishy is going on if their computer just goes to sleep. That is the default setting anyway on OS X."

Apple tree rootsAnd once the rootkit is in place, it could potentially go undetected for some time.

Vilaça says he has tested that the vulnerability works against a MacBook Pro Retina, a MacBook Pro, and a MacBook Air, all running the latest available EFI firmware. All, he says, are vulnerable.

However, he believes that all computers made after mid/late 2014 are not vulnerable.

"I expect all mid/late 2014 machines and newer to not be vulnerable. Apple either fixed it by accident or they know about it. It’s not something you just fix by accident, just sayin’."

Fortunately, an attack via remote exploitation would almost certainly be possible for anti-virus software to detect, as the malicious code would need to run on the computer.

But that's your opportunity for prevention. If your ROM EFI boot chip has already been compromised, you've got a much bigger problem on your hands. Because any malware installed upon it could be programmed to avoid being removed by firmware-flashing software, meaning you might need to resort to an expensive hardware fix.

We have to hope that Apple will see fit to roll out a fix sooner rather than later for older computers. But in the meantime, maybe you would be wise to get into the habit of turning off your Mac computer rather than leaving it in sleep mode.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • David A. Woodbury

    On my 2012 iMac running Yosemite, there is “Computer sleep” with an adjustable time slider and then there is “Display sleep” which can be combined with “Put hard disks to sleep when possible” (and the option to “Wake for network access”). Is “Computer sleep” the same as combining display and hard drive sleep?