Proof-of-concept firmware worm targets Apple computers

[Read the post]

Do us non-Apple users get to be all smug now?


I wish.

Unfortunately, the researchers were testing firmware issues that they had previously used successfully on PCs/Windows. They found that 5 of the 6 issues also worked on Apple/OSX.

It is possible for Malware in firmware to traverse OS boundaries. If you are on Intel/AMD architecture, then hostile firmware can still be viable across Windows, Linux, OSX or BSD. This is why this form of malware is treasured by hostile governments.

Of course, it would have to be designed to traverse OS boundaries.


Um, some of us have been smug for quite some time.


Apple’s take on EFI is dysfunctional in different ways(and fewer variations) than the PC OEMs’ legions of UEFI firmwares; but they share strong architectural similarities; I’d be inclined to suspect the worst until advised otherwise.

1 Like

Given that the magic all happens in a SPI flash, could we put a proxy between the chip and the board that would allow disabling writes to certain address ranges, possibly enable/disable with a switch? Should be easy-ish to do on a pinhead-sized $1 FPGA, like this one. Especially as we don’t need it to be extra-fast.

Or maybe just have a write-enable pushbutton.

Also, given how easy is to read these chips with SPI interface, we could potentially get samples of malware used by both state and non-state actors. Auditing this chip should be a common step in malware search.

I find it ironic that the suggested fix (cryptographically signed firmware that can only be updated by the manufacturer) is Cory’s worst nightmare. Locking down the Mac like iOS would almost certainly prevent most of these attacks, but would be a nightmare for the end user’s ability to fully control their hardware.

1 Like

I find it perfectly logical. We can have most if not all of the benefits of the signing without most of the costs, all depends on how it is implemented.

The benefits have an assumption that the vendor’s keys aren’t compromised or the vendor did not get an offer that is not to be rejected. Or that an employee with access to the keys did not get two-faced. See the Cryptogate, the Crypto AG affair from years ago, when NSA compromised a supposedly neutral Swiss crypto vendor.

The ability to control one’s hardware, to get full and total access to its every nook and cranny, to be able to vet what goes in and what not, to compare the code with known-good or supposed-good machines, to install one’s own tweaks and patches, is crucial for being able to at least theoretically catch even the state-sponsored malware.

Undetectable. Really. That’s impressive - is it made out of phlogiston? Or maybe it’s just undetectable by the current version of Norton?

1 Like

Very detectable with e.g. a Bus Pirate and a few wires. There are many ways to dump a SPI flash.

This topic was automatically closed after 5 days. New replies are no longer allowed.