At the CCC 2014 winter session, Trammell Hudson disclosed the first known proof of concept of a bootkit for Mac OS X. Bootkits are a special category of rootkits that stealthily infect the master boot record or volume boot record; in other words, a bootkit is a rootkit that installs itself in the boot system of the machine.
His exploit chains several weaknesses in the boot system of Mac OS X.
- The integrity of the boot ROM (which is actually an EEPROM, so that it can be upgraded) is protected by a CRC32 rather than by a cryptographic signature. Unfortunately, the purpose of a CRC is to detect accidental corruption (i.e. transmission or storage errors); it does not detect deliberate alteration, since whoever modifies the image can simply recompute the CRC. He now knew that he could alter the boot software. He still had to find a smart way to do it.
- Firmware upgrades delivered through the Extensible Firmware Interface (EFI), the replacement for the BIOS, are RSA 2048 signed. However, the signature check is performed by the boot software, which can itself be tampered with. At this point he knew that he could load his own firmware at boot via EFI. But how could he deliver that firmware to the targeted machine?
- He used a trick that was demonstrated in 2012. At boot time, EFI asks externally connected PCIe devices whether they have any Option ROMs to execute. The Thunderbolt port therefore allows arbitrary firmware to be loaded from a connected device.
- He fooled the boot firmware by replacing Apple's public key with his own, letting Apple's own software take care of validating his malware. This key is then written into the ROM, preventing any legitimate Apple upgrade from being applied: only upgrades signed with his private key will be accepted.
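The two weaknesses above (a CRC32 integrity check, and a signature check whose trusted key lives in writable storage) can be shown side by side on a toy boot image. The following Go program is an added example written for this post; it is not Hudson's code or Apple's firmware. The image layout (payload plus a 4-byte CRC32 trailer), the KeyStore type and the Walkthrough function are constructed for illustration, and Ed25519 stands in for Apple's RSA 2048 scheme because Go's standard library provides it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Toy boot-image layout (constructed for this example): payload bytes
// followed by a 4-byte little-endian CRC32 trailer computed over the payload.
func appendCRC(payload []byte) []byte {
	img := make([]byte, len(payload)+4)
	copy(img, payload)
	binary.LittleEndian.PutUint32(img[len(payload):], crc32.ChecksumIEEE(payload))
	return img
}

// crcOK is all a CRC-only boot check does: recompute and compare the trailer.
func crcOK(img []byte) bool {
	if len(img) < 4 {
		return false
	}
	body := img[:len(img)-4]
	return crc32.ChecksumIEEE(body) == binary.LittleEndian.Uint32(img[len(body):])
}

// modify flips one bit of the payload. A CRC cannot tell a flash error
// from a deliberate edit; only a stale trailer ever makes it fail.
func modify(payload []byte) []byte {
	out := append([]byte{}, payload...)
	out[len(out)/2] ^= 0x01
	return out
}

// KeyStore models where the verifier's trusted public key is kept. If the
// same code path that writes firmware can also write this key, the key can
// be replaced along with the firmware (hypothetical model, not Apple's).
type KeyStore struct {
	Trusted ed25519.PublicKey
}

func (ks *KeyStore) SignatureOK(payload, sig []byte) bool {
	return ed25519.Verify(ks.Trusted, payload, sig)
}

// Results records the outcome of each check in the walkthrough.
type Results struct {
	CRCDetectsStaleTrailer        bool // edit made, old trailer left in place
	CRCAcceptsRecomputedTrailer   bool // edit made, trailer recomputed
	SigRejectsModified            bool // signature check on the edited payload
	SigAcceptsAfterKeyReplace     bool // trusted key swapped for another signer's
	VendorUpdateRejectedAfterSwap bool // the real vendor's signature now fails
}

func Walkthrough() (Results, error) {
	var r Results
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	firmware := []byte("constructed boot ROM payload v1") // constructed sample
	edited := modify(firmware)

	// 1. CRC32 trailer: catches the edit only while the trailer is stale.
	stale := appendCRC(firmware)
	copy(stale, edited) // overwrite the payload, keep the old trailer
	r.CRCDetectsStaleTrailer = !crcOK(stale)
	r.CRCAcceptsRecomputedTrailer = crcOK(appendCRC(edited))

	// 2. Signature: the edit cannot be "fixed up" without the vendor's private key.
	vendorSig := ed25519.Sign(vendorPriv, firmware)
	ks := &KeyStore{Trusted: vendorPub}
	r.SigRejectsModified = !ks.SignatureOK(edited, vendorSig)

	// 3. Writable trust anchor: once the stored key is replaced, a different
	// signer becomes "legitimate" and the real vendor's updates are refused.
	ks.Trusted = otherPub
	r.SigAcceptsAfterKeyReplace = ks.SignatureOK(edited, ed25519.Sign(otherPriv, edited))
	r.VendorUpdateRejectedAfterSwap = !ks.SignatureOK(firmware, vendorSig)
	return r, nil
}

func main() {
	r, err := Walkthrough()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point for defenders is in step 3: a signature check is only as strong as the storage holding the verifier and its key, which is why the fix has to be at the hardware level (an immutable trust anchor) rather than a stronger checksum.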
The potential attack is to have a forged Thunderbolt device carrying the malware as its Option ROM. The attacker needs physical access to the target; they boot it with the Thunderbolt device connected, and then the attacker owns the machine. It is fast.
This is only a proof of concept, and no field attack has yet been discovered. Apple is preparing fixes that do not allow Option ROMs during a firmware upgrade. The patch is already available for the new Mac Mini and Retina models; it will be available soon for all Thunderbolt models.
He softens the criticism of Apple for using CRC32 rather than cryptography by stating:
In actuality, any software-only validation is doomed to fail since if an attacker can get code into the ROM, they can just skip that software validation. Either by always returning true or by returning a cached value computed over the boot ROM. Without some sort of hardware cryptographic signature checks or an actual, unchangeable mask ROM, this sort of software-only attempt is futile.
His presentation, which he transcribed on his site, is an excellent description of a reverse engineer's work. He shows tricks such as looking for strings (too often printf calls remain in the code), searching the Net for hexadecimal sequences to identify the tool that produced them, and so on. Excellent reading.
Lesson: Law 1: attackers will always find their way (even on a Mac).