From the post:
If you are a rootkits fan the latest Chaos Communication Congress (CCC) in 2014 brought us two excellent presentations, Thunderstrike by Trammell Hudson and Attacks on UEFI security, inspired by Darth Venami’s misery and Speed Racer by Rafal Wojtczuk and Corey Kallenberg.
The first one was related to the possibility to attack EFI from a Thunderbolt device, and the second had a very interesting vulnerability regarding the UEFI boot script table. The greatest thing about the second vulnerability is that it allows unlocking flash protections by modifying the boot script executed after an S3 suspend-resume cycle.
Dmytro Oleksiuk aka Cr4sh released proof of concept code regarding this attack against an Intel DQ77KB motherboard. His very interesting blog post is “Exploiting UEFI boot script table vulnerability”. You should definitely read it.
And a bit further on:
What is that hole after all? Is Dark Jedi hard to achieve on Macs?
No, it’s extremely easy because Apple does all the dirty work for you. What the hell am I talking about?
Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$&#%&!#%&!#
And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.
Wait, am I saying Macs’ EFI can be rootkitted from userland without all the tricks from Thunderbolt that Trammell presented? Yes I am! And that is one hell of a hole :-).
(emphasis in the original)
The post continues with a detailed explanation of the security hole, which, according to the post, may not exist on “mid/late 2014 machines and newer”.
A very impressive amount of work and knowledge of Mac OS X went into this report.
I have never seen a Mac in a bank, which, as Willie Sutton observed, is “where the money is.”
Perhaps times are changing. It has been reported that despite a declining PC market, Apple sales continue to rise. (1st quarter of 2015)
Perhaps Macs are evolving into a worthwhile target. Unlike turning off someone’s iPhone, which is annoying at worst, a song that encrypts local storage when played would be a far more serious problem.