A security researcher has reportedly found a way to gain control of Macs running OS X. The exploit allows an attacker to remotely overwrite the firmware responsible for booting the device. Once an attacker has triggered the flaw on a targeted machine, they could control the computer from the moment it boots. The specific exploit, discovered by Pedro Vilaca, is explained in detail in an article on his blog. The attack can give an attacker persistent, low-level control of a Mac without any initial physical access, so it can be carried out from the other side of the globe.
First, an attacker would need “root” access to OS X on the targeted machine. That isn’t impossible to obtain remotely, but it adds additional, complicated steps. The flaw centers on the Mac’s sleep mode: after the machine wakes from sleep, the flash write-protection lock (FLOCKDN) is left deactivated. At that point, software running on the system can reflash, or rewrite, the BIOS. This creates a security hole that allows an attacker to alter the EFI (Extensible Firmware Interface) firmware.
As explained by security researcher Pedro Vilaca, “Apple’s S3 suspend-resume implementation… will leave the flash protections unlocked after a suspend-resume cycle… It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”
Newer Macs are unaffected by the flaw, but Macs older than mid-2014 that are allowed to enter sleep mode are vulnerable. Vilaca confirmed that the attack works against the pre-2015 MacBook Air, MacBook Pro 8.2, and MacBook Pro Retina, even with the latest EFI firmware from Apple.
Vilaca says there isn’t much that can be done to prevent the exploit on vulnerable machines, but users can change the default power settings in OS X so that the computer doesn’t enter sleep mode when idle. Mac users shouldn’t worry, though: the attack is complicated and, according to Vilaca, would be difficult to carry out on a mass scale.
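As an added example (not from the article or from Vilaca’s research), a small Python check for the mitigation described above: it parses `pmset -g` output and reports whether the system sleep timer that would trigger the S3 suspend-resume cycle is still enabled. The `pmset -g` samples are constructed, and `sudo pmset -a sleep 0` is the standard pmset invocation for the setting change the article describes only in general terms.

```python
"""Audit `pmset -g` output for the one mitigation the article gives:
keeping a vulnerable Mac from entering system (S3) sleep at all."""
import re
import subprocess

# Constructed samples of `pmset -g` output (not captured from a real machine).
# Values are minutes; 0 means that timer is disabled.
SAMPLE_DEFAULT = """\
System-wide power settings:
Currently in use:
 standby              1
 womp                 1
 hibernatefile        /var/vm/sleepimage
 disksleep            10
 sleep                10 (sleep prevented by sharingd)
 hibernatemode        3
 displaysleep         10
"""
# The same machine after `sudo pmset -a sleep 0` (disable system sleep on all power sources).
SAMPLE_HARDENED = re.sub(r"^(\s+sleep\s+).*$", r"\g<1>0", SAMPLE_DEFAULT, flags=re.M)

def parse_pmset(text):
    """Map each ' key value' line to {key: value}; trailing annotations
    such as '(sleep prevented by ...)' are dropped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def system_sleep_enabled(settings):
    """True if the machine will enter S3 sleep on its own. Only 'sleep'
    matters: display and disk sleep do not run the suspend-resume path
    that leaves FLOCKDN cleared. Returns None if no 'sleep' line exists."""
    value = settings.get("sleep")
    if value is None:
        return None
    return value != "0"

def audit(text):
    settings = parse_pmset(text)
    return {"sleep_timer": settings.get("sleep"),
            "sleep_enabled": system_sleep_enabled(settings)}

if __name__ == "__main__":
    try:  # on a real Mac read the live settings; elsewhere fall back to the sample
        live = subprocess.run(["pmset", "-g"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = SAMPLE_DEFAULT
    result = audit(live)
    verdict = {True: "system sleep ENABLED: S3 resume path reachable",
               False: "system sleep disabled",
               None: "no 'sleep' line found"}[result["sleep_enabled"]]
    print(f"sleep timer = {result['sleep_timer']!r} -> {verdict}")
```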
Source: Ars Technica