http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/
By Dan Goodin
Ars Technica
Jan 7, 2015
Securing Macs against stealthy malware infections could get more
complicated thanks to a new proof-of-concept exploit that allows attackers
with brief physical access to covertly replace the firmware of most
machines built since 2011.
Once installed, the bootkit—that is, malware that replaces the firmware
that is normally used to boot Macs—can control the system from the very
first instruction. That allows the malware to bypass firmware passwords
and the passwords users enter to decrypt hard drives, and to preinstall
backdoors in the operating system before it starts running. Because it's independent
of the operating system and hard drive, it will survive both reformatting
and OS reinstallation. And since it replaces the digital signature Apple
uses to ensure only authorized firmware runs on Macs, there are few viable
ways to disinfect infected boot systems. The proof-of-concept is the first
of its kind on the OS X platform. While there are no known instances of
bootkits for OS X in the wild, there is currently no way to detect them,
either.
The malware has been dubbed Thunderstrike, because it spreads through
maliciously modified peripheral devices that connect to a Mac's
Thunderbolt interface. When plugged into a Mac that's in the process of
booting up, the device injects what's known as an Option ROM into the
extensible firmware interface (EFI), the firmware responsible for starting
a Mac's system management mode and enabling other low-level functions
before loading the OS. The Option ROM replaces the RSA encryption key Macs
use to ensure only authorized firmware is installed. From there, the
Thunderbolt device can install malicious firmware that can't easily be
removed by anyone who doesn't have the new key.
[...]
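The point the article makes about the replaced RSA key can be shown with a small model. This is an added illustration, not code from the article or from Apple's firmware: toy textbook RSA with constructed small primes, a hypothetical FirmwareStore class in which the update-verification key sits in the same rewritable flash as the firmware, and an assumed immutable "pinned" copy of the key that a defender could compare against to detect the swap.

```python
import hashlib
# Toy textbook RSA with small constructed primes: a model of the
# signed-firmware-update check the article describes, not Apple's real
# EFI code or key sizes; for illustration only.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

class FirmwareStore:
    """The update key lives in the same rewritable flash as the firmware
    (the weakness Thunderstrike exploits); `pinned` models a copy held in
    an immutable root of trust that a defender can compare against."""
    def __init__(self, vendor_pub, pinned=None):
        self.update_key = vendor_pub   # rewritable by anything with flash access
        self.pinned = pinned           # assumed immutable (fuses / boot ROM)
        self.firmware = b"vendor-firmware-v1"

    def apply_update(self, image, sig):
        if not verify(self.update_key, image, sig):
            return False
        self.firmware = image
        return True

    def key_tampered(self):
        return self.pinned is not None and self.pinned != self.update_key

def demo():
    """Returns (vendor update ok, clean before swap, vendor update ok after
    swap, non-vendor update ok after swap, swap detected via pinned key)."""
    vendor_pub, vendor_priv = make_key(104729, 1299709)
    other_pub, other_priv = make_key(15485863, 7919)  # a non-vendor party's key
    efi = FirmwareStore(vendor_pub, pinned=vendor_pub)
    v2 = b"vendor-firmware-v2"
    vendor_ok = efi.apply_update(v2, sign(vendor_priv, v2))
    clean_before = not efi.key_tampered()
    efi.update_key = other_pub     # models the Option ROM overwriting the key
    v3, x = b"vendor-firmware-v3", b"image-not-signed-by-vendor"
    vendor_after = efi.apply_update(v3, sign(vendor_priv, v3))   # now rejected
    other_after = efi.apply_update(x, sign(other_priv, x))       # now accepted
    return vendor_ok, clean_before, vendor_after, other_after, efi.key_tampered()
```

Once the stored key is swapped, vendor-signed updates fail and only the holder of the new key can write firmware, which is why the article says the infection is hard to remove; only a key reference held outside the rewritable flash lets the swap be noticed.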