Don’t Let Your Mac Fall Asleep: It Might Dream Up A Rootkit
Just last month we talked about how the “Unicode of Death” crashes your iPhones and Apple Watches, how easily Apple Safari can be manipulated via URL-Spoofing and the Ex-NSA guy who pointed to Mac security flaws.
Now Pedro Vilaca, a security expert who is deep into Mac OS X and iOS security, found another not so great looking vulnerability. Take a look at what he wrote on his blog: “Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$&#%&!#%&!#.
And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”
Wow. So basically it is possible to install a rootkit on a Mac without much of an effort. Just wait until the machine enters sleep mode for at least 30 seconds or more so the Flash locks are removed. Once gone the device is yours. With the Flash locks gone you can play around with the UEFI code and well … for example install a rootkit. The only way to protect yourself from it is to never let your Apple device go into sleep mode.
Luckily not all devices seem to be affected. Vilaca tested the issue against a MacBook Pro Retina, a MacBook Pro 8,2, and a MacBook Air, all running the latest EFI firmware available. All of them were vulnerable. There is a shimmer of hope though: The latest MacBooks might have been silently fixed by Apple, since the security expert was not able to replicate the vulnerability there.