New Mac OS X vulnerability discovered; Backdoor activates when computer exits Sleep Mode

Mac users be warned: a vulnerability found in machines dating from mid-2014 and earlier can leave them open to a backdoor attack. When triggered, malware can replace the firmware that handles the machine's boot process, making the infection difficult to remove even if the machine itself is reformatted. What's more, the attack is most likely to happen when the machine resumes from sleep mode.

OS X security researcher Pedro Vilaca wrote a blog post describing how the attack takes place. According to Vilaca, he found a way to reflash, or rewrite, a Mac's BIOS, the firmware the computer uses to initiate the boot process, as soon as the machine wakes up from sleep. The exploit is triggered from userland, the part of Mac OS where installed applications and drivers run. Vilaca told the popular technology website Ars Technica via email that he has confirmed the attack works against a MacBook Pro Retina, a MacBook Pro 8.2, and a MacBook Air. "BIOS should not be updated from userland and they have certain protections that try to mitigate against this," Vilaca wrote. "If BIOS are writable from userland then a rootkit can be installed into the BIOS."

Another, more troubling revelation from Vilaca is that, as reported by iDigital Times, the vulnerability does not require physical access to the computer in order to compromise a target. This is in contrast to a similar issue discovered late last year, which needs access to the Thunderbolt port found in Macs launched after February 2011. With this new vulnerability, an attacker can gain backdoor access simply by directing the computer to a point of infection, say, a website, downloading the malware onto the target computer, and waiting for the Mac to sleep.

The implications of the backdoor attack are fiendishly insidious. Once the malware manages to reflash the Mac's BIOS, the machine is defenseless against any other threat that happens to use the same hack. What's more, because the malware resides at such a low level of the computer's boot chain, it is invisible to security products like antivirus programs and will persist even if the Mac is reformatted. In his email to Ars Technica, Vilaca explains, "BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates."

There is a silver lining, however. Vilaca noted that since the vulnerability remained undiscovered until now, malware authors are unlikely to have used it to infect Macs. While he acknowledges that mass attacks are possible, it is more likely that malware authors would use the backdoor against handpicked, high-value targets. Apple has yet to comment on the security issue and is unlikely to do so until a fix is available.
