There are several flaws in Apple's MacBook firmware security that allow untrusted modifications to be written to the SPI Flash boot ROM of these laptops. This capability represents a new class of persistent firmware rootkits, or 'bootkits', for the popular Apple MacBook product line. Stealthy bootkits can conceal themselves from detection and prevent software attempts to remove them. Malicious modifications to the boot ROM are able to survive re-installation of the operating system and even hard-drive replacement. Additionally, the malware can install a copy of itself onto other Thunderbolt devices' Option ROMs as a means to spread virally across air-gap security perimeters. Apple has fixed some of these flaws as part of CVE-2014-4498, but there is no easy solution to this class of vulnerability, since the MacBook lacks trusted hardware to perform cryptographic validation of the firmware at boot time.