Posted on 06-02-2015 07:18 AM
Not a very good morning after reading these articles.
Looks similar to Thunderstrike and impacts all macs older then Mid 2014.
Ars Technica - New exploit leaves most Macs vulnerable to permanent backdooring
Posted on 06-05-2015 11:23 AM
yeah... I have been looking at this stuff over the last couple days.
Does anyone know if having the macs enabled with FileVault 2 would mitigate the ability to compromise the data with this vulnerability?
I have a feeling I am going to need an answer for this soon... hopefully Apple will get a patch out for it soon.
Posted on 06-05-2015 11:39 AM
From what I read about it on the site where the researcher originally detailed it. no, I don't think FileVault will help much. Although we have a Config profile on our Macs that requires the FV2 password to unlock the Mac from hibernation, this affects regular sleep/wake processes.
But keep in mind root access is actually required before the firmware can be written into. The researcher's contention (and he's correct) is that root access is actually not that difficult to achieve on OS X with the various existing exploits out there, but its also not a given.
Some of the articles I've been reading about on this have contended that high profile targets (CEO's, government officials, etc) might be the only ones truly at any risk. The amount of effort it would take to first gain root, then be able to take advantage of this to write into firmware isn't trivial overall, so its not really worth the effort unless there is something highly attractive on the target system to gain by the attack.
Once root has been gained, its easy to simply make a Mac go into sleep and then wake up using pmset for example, which would trigger the condition where the firmware is in a writable state. That's why simply having FileVault enabled, or even changing pmset settings to force a hibernation every time you close the lid, isn't going to stop the potential exploit.
We can only hope Apple is working on this and will issue a fix. Since this seems to only affect machines before Mid 2014, it will be interesting to see what their response will be. Apple isn't the best with patching older Macs. In fact, they've been pretty abysmal at going back to older OSes or hardware and fixing issues.