A security researcher has criticised Apple for failing to address a root-level vulnerability which he describes as “f*cked up”.
The flaw, discovered by security researcher Pedro Vilaca, would enable an attacker to flash a Mac's firmware while the machine was coming out of sleep mode and create a backdoor into the system.
Vilaca writes in his blog that he discovered the flaw while trying to recreate the Dark Jedi attack, which involves reversing the boot script implementation. It was while doing this that he discovered the security flaw that he says is “bigger” than Dark Jedi.
“Well, Apple's S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$%&!#%&!#,” he wrote on his blog.
In an email to SCMagazineUK.com, Vilaca expanded on his concerns regarding his discovery.
“The issue is quite bad due to its low level nature and potential to install rootkits at firmware level. Big problems at firmware level aren't Apple exclusive. For example I have a Gigabyte motherboard and its firmware is always unlocked since boot (this behaviour has also been verified by Legbacore.com researchers).
“At firmware level this is slightly worse than Thunderstrike because it allows a remote vector, which Thunderstrike did not. Thunderstrike was also pretty bad.
“I'm still researching the core issue to understand if this is indeed a software flaw as I suspect or something related to hardware since newer machines appear to not be affected by this,” he said.
Reading the flashrom output from a MacBook Pro Retina 10.1 running the latest EFI firmware – the firmware released to fix Thunderstrike – shows how the flaw manifests. On boot-up, the FLOCKDN flag is set to 1, ensuring that the BIOS is mostly read-only. Close the MacBook, allow it to sleep for about 30 seconds and then wake it up, and FLOCKDN is 0.
“The flash is unlocked and now you can use flashrom to update its contents from userland, including EFI binaries,” Vilaca wrote on his blog.
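As an added illustration that is not from the article or from Vilaca's own tooling, the following Python check reads the FLOCKDN state from flashrom-style chipset output captured before suspend and after resume and flags the regression described above. The HSFS bit layout (FLOCKDN as bit 15 of the Intel SPI controller's Hardware Sequencing Flash Status register) and the sample output lines are assumptions made for this example, not values taken from the page.

```python
import re

# Assumed bit layout of the Intel ICH/PCH SPI controller's HSFS (Hardware
# Sequencing Flash Status) register. FLOCKDN is the Flash Configuration
# Lock-Down bit; once set it should stay set until the next platform reset.
HSFS_BITS = {
    "FDONE": 0, "FCERR": 1, "AEL": 2, "SCIP": 5,
    "FDOPSS": 13, "FDV": 14, "FLOCKDN": 15,
}

def decode_hsfs(value):
    """Decode a raw 16-bit HSFS register value into named flag bits."""
    return {name: (value >> bit) & 1 for name, bit in HSFS_BITS.items()}

_HSFS_RE = re.compile(r"0x04:\s*0x([0-9a-fA-F]+)\s*\(HSFS\)")
_FLOCKDN_RE = re.compile(r"FLOCKDN=([01])")

def flockdn_from_flashrom(text):
    """Extract FLOCKDN from flashrom-style chipset output.
    Prefers the explicit FLOCKDN=N field and falls back to decoding the
    raw HSFS register line. Returns None if neither is present."""
    m = _FLOCKDN_RE.search(text)
    if m:
        return int(m.group(1))
    m = _HSFS_RE.search(text)
    if m:
        return decode_hsfs(int(m.group(1), 16))["FLOCKDN"]
    return None

def lock_regressed(before_text, after_text):
    """True when flash protections were locked before suspend and are no
    longer locked after resume: the condition the article describes."""
    before = flockdn_from_flashrom(before_text)
    after = flockdn_from_flashrom(after_text)
    if before is None or after is None:
        raise ValueError("FLOCKDN not found in flashrom output")
    return before == 1 and after == 0

# Constructed sample output in the style of flashrom's chipset dump; the raw
# register values are illustrative, not captured from a real machine.
BEFORE_SUSPEND = """0x04: 0xe008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1
"""
AFTER_RESUME = """0x04: 0x6008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=0
"""

if __name__ == "__main__":
    print("FLOCKDN before suspend:", flockdn_from_flashrom(BEFORE_SUSPEND))
    print("FLOCKDN after resume:", flockdn_from_flashrom(AFTER_RESUME))
    print("flash lock regressed:", lock_regressed(BEFORE_SUSPEND, AFTER_RESUME))
```

On a real system the two inputs would be the flashrom chipset output captured once after boot and again after a suspend/resume cycle; a result of True is the condition to report.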
Interestingly, it is not necessary to have physical access to the machine to exploit this bug, Vilaca said, as you can trigger sleep mode remotely.
This bug is not likely to be exploited en masse by hackers, he added, so the average user doesn't have much to worry about, but it would be ideal for a targeted attack.
His advice for the average user is not to allow their Mac to go into sleep mode.
Security consultant Sarb Sembhi at Storm Guidance told SC that the danger with vulnerabilities like this is that there is an assumption among Mac users that their systems aren't a target for hacking.
Ironically, because this view is also quite prevalent within Apple, the company has not developed a patching culture, he said. Unlike Microsoft which years ago learned to issue regular security updates for Windows, the Mac “will have more vulnerabilities going forward – and this is just one of them”.
Sembhi said the advice to not allow your Mac to go into sleep mode wasn't particularly helpful. “The reason people buy these devices with long battery life is because they want a machine that is quick to boot up, so not putting it into sleep mode takes away one of the key features and benefits of owning a Mac.”
Vilaca is highly critical of Apple for its attitude toward security. “I believe Apple has a corporate culture problem regarding security (like Microsoft had many years ago) and they only seem to react when pushed against a corner,” he wrote.
He believes that Apple knows about the vulnerability because it's been fixed in its latest machines even though it's not been addressed in older versions. He urged Apple to warn its customers of the flaw and fix it.
“Apple has a great opportunity here because they control their full supply chain and their own designs,” he said.
Sembhi echoed Vilaca's criticisms of Apple. “Apple needs to up their game. In the same way as Microsoft has a regular update programme – Patch Tuesday – Apple needs to get in the habit of updating its software and patching vulnerabilities on a regular basis,” he said.
Sembhi added: “They don't have a regular patch programme because they haven't been a target before, but that's only because security researchers haven't looked at it in as much depth as they have with Windows, but as they do, they will discover the flaws and ultimately help to make them more secure.”
Apple didn't return our phone calls or emails.