EFI rootkit for Macs demonstrated
At the Black Hat hacker conference, Australian security expert Loukas K (aka Snare) has demonstrated (PDF) a rootkit which is able to insert itself into a MacBook Air's EFI firmware and bypass the FileVault hard drive encryption system. Although the idea of an EFI rootkit is nothing new, this is the first time it has been demonstrated live, and the hacker has used a previously unknown method based on a modified Thunderbolt to Ethernet adapter.
From the point of view of an attacker, a rootkit inserted into the EFI BIOS has some major advantages. The malicious code survives rebooting, is able to bypass hard drive encryption, does not have to make any changes to the hard drive, and is in a position to modify the operating system kernel on booting. Infection requires physical access to the computer (Evil Maid attack).
Depending on the ports available on the target system, an attacker can either insert a USB flash drive containing the malicious code or choose a newly demonstrated method using a Thunderbolt to Ethernet adapter – an accessory available from Apple. Snare was able to store a device driver on the adapter which is automatically loaded when the computer is rebooted. As proof, with the dongle inserted, the Mac displays an alternative start screen on booting, rather than the usual Apple logo. With the help of this device driver, the malicious code is loaded and executed later in the boot process.