UEFI attack and the Mac: What you need to know

UEFI - Unified Extensible Firmware Interface — is what the Mac uses to boot from firmware and into the OS X operating system. If you're familiar with BIOS, then this replaced that. At the Chaos Communication Congress (CCC) in 2014, a presentation showed how a vulnerability in the boot script table could be used to rewrite the firmware when a Mac wakes after being in sleep mode. As usual, it's something to be informed about, but for the vast majority of people, nothing to panic about. According to Reverse Engineering Mac OS:

As a general user you shouldn't, in theory, be much worried with this bug more than you were with Thunderstrike. This is a bug more interesting to attack targeted users than mass exploitation, although a drive-by exploit is definitely feasible.

For anyone to exploit the vulnerability, they need already to have root access to your Mac, and the ability to issue commands as root. And if that's the case, the remote access itself would be your most pressing concern. In other words, it needs the back window to be unlocked before it can get in and chain itself to the furnace.

Macs manufactured after mid-2014 appear not to be affected. Given the nature of the exploit and the attention it's getting, I expect Apple will be issuing a patch for affected systems as soon as possible.

If you think you may be targeted, you can mitigate the risk by running as a standard user rather than as an admin. If you have to run as admin, disable sleep and shut down your Mac when you're done with it instead. You can do that in System Preferences > Energy Savings.

Also, remember to practice safe surfing. Most attacks begin with phishing — bogus messages that try to con you into clicking on malware links — or social engineering — attempts to trick you into handing over your password.

For expert users, the following test procedure is also detailed:

Downloading DarwinDumper and load the DirectHW.kext kernel extension. Then you can use flashrom with "flashrom -r biosdump -V -p internal" to dump the bios and show the register contents. Else you can compile yourself DirectHW.kext and also flashrom. DarwinDumper just works out of the box and its kext appears to be legit (it's on Apple exclusion list so at least Apple trusts it ;-)).

Apple continues to work on new ways to improve security. Recent examples include the Mac App Store, Gatekeeper, and Sandboxing. Hopefully, we'll see and hear even more about the company's plans for OS X security at WWDC 2015, which kicks off June 8.

Nick Arnott contributed to this article.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

4 Comments
  • I think I've been attacked, I'm getting random "you do not have permission to use the application "grep" or "file" or many others that do not exist! What do I do! Sent from the iMore App
  • Given how Apple refuses to properly patch rootpipe, gaining remote root access to a Mac isn't that difficult.
  • They are getting better at addressing these things though. Back in the day they’d just keep schtum and that was a terrible situation.
  • This won't be possible in El Capitan, as it has rootless.