A new exploit would allow taking control of a Mac even after it has been formatted


We had already covered an exploit capable of taking control of any Mac even if it was later formatted or its storage drive replaced; now a new exploit allows the same, but this time remotely, without having to physically access the computer through a Thunderbolt connection. However, not all computers are affected, since it is only present in Macs prior to 2014 that have not yet been updated to fix this flaw.

The vulnerability was discovered by the OS X security researcher Pedro Vilaca. It is based on a security hole that allows certain parts of the BIOS to be rewritten at the very moment the machine "wakes up" from a sleep or idle state.


Normally, to prevent this, the computer has a protection known as FLOCKDN that keeps applications from accessing the BIOS region, but for a reason as yet unknown this protection is inactive just as the Mac returns from sleep. This leaves the way open for applications to flash the BIOS and modify the firmware interface (EFI).
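The check a defender would want here is to confirm that the flash lock bits the article describes are still set after a sleep/resume cycle. The following is an added example, not code from the article or from Vilaca's research: it evaluates two register snapshots (one before sleep, one after resume) and reports any write protection that disappeared. The register layout follows the public Intel PCH datasheets; the snapshot values are constructed, since reading the real registers requires privileged access to the chipset's SPI MMIO and LPC PCI configuration space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* HSFS (SPIBAR+0x04): bit 15 = FLOCKDN, locks the SPI flash configuration. */
#define HSFS_FLOCKDN (1u << 15)
/* BIOS_CNTL (LPC PCI config 0xDC): BIOSWE = writes allowed, BLE = BIOSWE locked, SMM_BWP = writes only from SMM. */
#define BC_BIOSWE    (1u << 0)
#define BC_BLE       (1u << 1)
#define BC_SMM_BWP   (1u << 5)
/* Protected Range registers PR0..PR4: bit 31 = Write Protection Enable. */
#define PR_WPE       (1u << 31)
#define NUM_PR       5

struct flash_locks {
    uint32_t hsfs, bios_cntl, pr[NUM_PR];
};

/* The flash is writable from the OS when FLOCKDN is clear (the case the
 * article describes) or when no BIOS write protection is actually in force. */
bool flash_protected(const struct flash_locks *r) {
    bool flockdn = (r->hsfs & HSFS_FLOCKDN) != 0;
    bool bios_wp = (r->bios_cntl & (BC_BLE | BC_SMM_BWP)) && !(r->bios_cntl & BC_BIOSWE);
    bool range_wp = false;
    for (int i = 0; i < NUM_PR; i++)
        range_wp |= (r->pr[i] & PR_WPE) != 0;
    return flockdn && (bios_wp || range_wp);
}

/* Compare a pre-sleep snapshot with a post-resume one; returns the number of
 * protections that were set before sleep and are gone after resume. */
int lock_regressions(const struct flash_locks *b, const struct flash_locks *a) {
    int lost = 0;
    if ((b->hsfs & HSFS_FLOCKDN) && !(a->hsfs & HSFS_FLOCKDN)) { puts("FLOCKDN cleared after resume"); lost++; }
    if ((b->bios_cntl & BC_BLE) && !(a->bios_cntl & BC_BLE)) { puts("BLE cleared after resume"); lost++; }
    if ((b->bios_cntl & BC_SMM_BWP) && !(a->bios_cntl & BC_SMM_BWP)) { puts("SMM_BWP cleared after resume"); lost++; }
    for (int i = 0; i < NUM_PR; i++)
        if ((b->pr[i] & PR_WPE) && !(a->pr[i] & PR_WPE)) { printf("PR%d unprotected after resume\n", i); lost++; }
    return lost;
}

/* Constructed snapshots: fully locked before sleep; FLOCKDN and PR0 lost on resume. */
const struct flash_locks before_sleep = { HSFS_FLOCKDN, BC_BLE | BC_SMM_BWP, { PR_WPE | 0x00AA0000u } };
const struct flash_locks after_resume = { 0, BC_BLE | BC_SMM_BWP, { 0x00AA0000u } };

int main(void) {
    printf("before sleep: %s\n", flash_protected(&before_sleep) ? "protected" : "WRITABLE");
    printf("after resume: %s\n", flash_protected(&after_resume) ? "protected" : "WRITABLE");
    return lock_regressions(&before_sleep, &after_resume) ? 1 : 0;
}
```

On a real machine the two snapshots would be read from the chipset before suspending and again after wake; a non-zero result is exactly the condition the article says leaves the firmware exposed.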

"The security breach can be usable through Safari or any other remote vector to install an EFI rootkit without physical access," Vilaca said on his blog. "The only requirement is that a suspension of the equipment takes place within the session that is being used. I haven't done enough research yet, but you could probably force the system to sleep and then trigger the attack. It would be an epic owned ;-)"

Once installed, the malicious code would be very difficult to detect or remove, since formatting or reinstalling the operating system would achieve nothing: the BIOS would remain modified to allow access. Unfortunately, there is not much vulnerable Mac users can do to prevent the exploit until Apple releases a patch.

In any case, Vilaca points out that ordinary users should not worry excessively either, since this exploit is more likely intended for a mass attack than for targeting specific machines. So far it has been tested successfully on a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of them running the latest available Apple EFI firmware. The only computers not affected are those from mid to late 2014.


Ricardo said:

It would be interesting to know if this exploit can affect the owners of Hackintosh machines; even so, it leaves the security of the Mac on the ground... regrettable.