Pre-2014 Macs Susceptible To Slippery Backdoor Firmware Exploit

After mainboard vendors began adopting EFI en masse in recent years, security researchers all over have dissected the many different implementations out there to find that elusive crippling bug. Sometimes, though, such bugs are not actually elusive at all, like one just discovered by reverse engineering enthusiast fG.

fG starts off his report by pointing to two excellent presentations on EFI exploitation and explaining how this new bug relates to one of them. Your EFI should never be exposed to write commands at any point while you are using your PC, but fG notes that this isn't the case on Macs older than mid-2014. In fact, the bug can be exploited from the desktop: all it requires is that the machine was put to sleep and then resumed.

On a normal boot, the string "FLOCKDN=1" in the EFI readout indicates that the EFI cannot be written to, but that changes to "FLOCKDN=0" after a sleep/resume cycle. Writing to a BIOS/EFI usually requires low-level access, so this bug is unusual in allowing it to happen in user space.

The report notes that multiple pre-2014 Macs have been found to be vulnerable, while the newer ones seem to be locked down. fG notes that it appears Apple either fixed this bug by accident, or knew about it and decided to patch newer machines. Though he adds, "It's not something you just fix by accident."

To fully protect yourself from this bug, you simply need to avoid using sleep mode until Apple releases an updated EFI for your machine (if it does, that is). If you want to test for the vulnerability and are fluent with the inner workings of OS X, you can download a tool called DarwinDumper, load the DirectHW.kext kernel module, and then run "flashrom -r biosdump -V -p internal" to check for that "FLOCKDN" string.
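One way to read the result of that check, as an added example that is not from fG's report or from flashrom itself: save the verbose flashrom output once after a cold boot and once after a sleep/resume cycle, then compare the FLOCKDN value in the two logs. The function names, file names and sample log lines are constructed for illustration; only the "FLOCKDN=0"/"FLOCKDN=1" string comes from the article.

```shell
#!/bin/sh
# Added example: classify the EFI flash lock state from saved verbose
# flashrom logs. Relies only on the "FLOCKDN=<0|1>" token quoted in the
# article; everything else in the log lines is ignored.

# flockdn_state LOGFILE -> prints locked | unlocked | unknown
flockdn_state() {
    # Use the last FLOCKDN value reported in the log; a missing or
    # unreadable file yields an empty value and therefore "unknown".
    val=$(sed -n 's/.*FLOCKDN=\([01]\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    case "$val" in
        1) echo locked ;;
        0) echo unlocked ;;
        *) echo unknown ;;
    esac
}

# compare_boot_resume BOOTLOG RESUMELOG -> prints a verdict
compare_boot_resume() {
    boot=$(flockdn_state "$1")
    resume=$(flockdn_state "$2")
    case "$boot/$resume" in
        locked/locked)   echo "not-affected" ;;      # lock survives sleep
        locked/unlocked) echo "affected" ;;          # lock lost on resume
        unlocked/*)      echo "unlocked-at-boot" ;;  # never locked at all
        *)               echo "inconclusive" ;;      # token missing in a log
    esac
}

# Constructed sample logs (hypothetical lines, not real captures).
demo_dir=$(mktemp -d)
printf '%s\n' 'HSFS: FDONE=0, FCERR=0, AEL=0, FLOCKDN=1' > "$demo_dir/boot.log"
printf '%s\n' 'HSFS: FDONE=0, FCERR=0, AEL=0, FLOCKDN=0' > "$demo_dir/resume.log"

echo "cold boot:    $(flockdn_state "$demo_dir/boot.log")"
echo "after resume: $(flockdn_state "$demo_dir/resume.log")"
echo "verdict:      $(compare_boot_resume "$demo_dir/boot.log" "$demo_dir/resume.log")"
```

An "inconclusive" verdict means the FLOCKDN string was not found in one of the logs, so the flashrom run should be repeated with verbose output before drawing a conclusion.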

fG further notes that this bug can be exploited remotely. If someone has access to a Mac through SSH, they could simply force a sleep with "sudo pmset sleepnow". If the user is right in front of the machine, they will simply wake it back up.

Let's wait and see what Apple has to say about this one.