EFI rootkit for Macs demonstrated
At the Black Hat hacker conference, Australian security expert Loukas K (aka Snare) has demonstrated
a rootkit which is able to insert itself into a Macbook Air's EFI firmware and bypass the FileVault hard drive encryption system. Although the idea of an EFI rootkit is nothing new, this is the first time it has been demonstrated live and the hacker has used a previously unknown method based on a modified Thunderbolt to Ethernet adapter.
From the point of view of an attacker, a rootkit inserted into the EFI BIOS has some major advantages. The malicious code survives rebooting, is able to bypass hard drive encryption, does not have to make any changes to the hard drive, and is in a position to modify the operating system kernel on booting. Infection requires physical access to the computer (Evil Maid attack).
Depending on the ports available on the target system, an attacker can either insert a USB flash drive containing the malicious code or choose a newly demonstrated method using a Thunderbolt to Ethernet adapter – an accessory available from Apple. Snare was able to save a device driver, which is automatically loaded when the computer is rebooted, on the adapter. As proof, with the dongle inserted, the Mac displays an alternative start screen, rather than the usual apple, on booting. With the help of this device driver, the malicious code is loaded and executed later in the boot process.
Snare's device driver is not just able to load the malicious code which modifies the kernel – it is also able to perform actions such as recording the password for decrypting a FileVault-encrypted hard drive. According to Snare, Apple was informed of the issue several months in advance of his presentation and has even confirmed that the attack works, but, because of the technical capabilities of Thunderbolt, implementing a solution is not straightforward.
Snare told The H's associates at heise Security that adding functionality to the malicious code, such as opening a reverse shell after infecting the kernel, is simple.
(Uli Ries / djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
