A new exploit dubbed ‘Dark Jedi’ exists for MacBook systems created before mid-2014, where a hacker can issue a malicious program to overtake the system’s firmware by simply having the system be put in sleep mode. Upon waking from sleep, the firmware on these older Macs is unlocked, which leaves them open to access and modification from applications running in OS X. This contrasts with the recent Thunderstrike firmware vulnerability that allowed hackers to overtake firmware, but required physical access to the system. Since this current vulnerability is run by way of malicious software, systems can be attacked remotely by uses of trojan horse and other social engineering approaches, but this also provides an avenue for protection.
If your Mac is an older one and you are concerned about this vulnerability, keep in mind that for now this is a proof-of-concept attack that is not known to be in any active hacking attempts. In addition it has three key limitations:
- It requires root access
- It requires you download it
- It requires your system be put to sleep
Only download software from developer sites or reputable software distributors
If you see a notice about a software update required for your system, then consider closing it and going to an official and known source for obtaining the latest version of that software package. For instance, if you are notified about an Adobe Flash or Java update, then go to the corresponding system preferences pane and use the update features in there, or go to Adobe’s Oracle’s, or any other relevant developer’s Web site to download standalone installers. For other software, use similar built-in software updaters and services like Apple’s Mac App Store for getting updates.
Judging potentially malicious sites can sometimes be difficult, but legitimate developers will usually channel you directly to appropriate and desired updater, whereas malicious sites often show many popups (some of which may download unwanted installers to your system), numerous ads, free deals and other offers, and redirect you to sites you did not intend. If any of these occur when browsing the Web, close them down and avoid interacting with them.
Be cautious about any package or installer you run on your Mac
Whenever you are asked for your password, OS X system is attempting to escalate privileges to modify system resources. Therefore, if you see any notice on your Mac that asks you to enter your password, then be wary of it.
By only supplying your password when you need to specifically modify a setting, or are running a software installer that you trust and know the source of, then you will almost guarantee that you will avoid malware packages such as this one. If you even slightly suspect a package or installer, then delete it from your system and re-download it from the developer’s site.
Don’t allow your Mac to go to sleep
Even though this aspect of the Dark Jedi hack requires you have already installed the malicious software, this particular hack exploits the vulnerability where the firmware is left unlocked during sleep mode. This means that for now its mode of attack is when your Mac goes to sleep. While sleep mode is great for quick and convenient resuming of your workflow, OS X implements autosave and resume for resuming your workflow when your Mac boots. Therefore, in many cases you can similarly pick up where you left off by shutting your Mac down instead of sleeping it. To prevent system sleep, check the option to do so for each power profile in the Energy Saver system preferences pane.
Hey Topher, any word on if Password Protected Firmware will stop the exploit?
So once again the attacker has to trick the user into installing the malware. We’ve been reading these scary headlines for years now about how the boogeyman can get us any time he wants. But to date NONE of these scenarios have gained ANY traction in the wild WHATSOEVER.
Here’s my ultimate solution for security if you are scared by any of this. Don’t turn your computer on.
I once had a puppy. The puppy turned out to be pony which turned into a lion and bit me on the nose. Have a pleasant day.
I was told that user privileges don’t matter and that is what makes it dangerous! Are you 100% certain you need Root access?? Can see in the comments looking for cashxx and the reply.
https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
Yes, you need root access.
If you have root, making your Mac sleep and wake on command is trivial. Also, a root exploit could invoke this without requiring an installer. Root exploits aren’t exactly common but they do pop up now and then. This needs to be fixed because you can’t really protect yourself if a root exploit appears in the wild.
Years ago I was told by a professional that you can save the life of you HD by not turning it off and on again on a continuous basis, so the only time I turn it off, completely is moving over a great distance or if there is lighting in the area. I do reboot it occasionally to install some software that requires it, but other than that it’s been running and not in sleep mood since the spring of 2010.
is it possible to force the reinstallment of the firmware? Tried to download the (correct) packages from apple but it tells me that “the system does not support this software”
is it possible to create hashes of the original efi and compare with the one installed to check whether the system has been compromised?
As reported on Macworld in a less than adequate article,(http://www.macworld.com/article/2929172/apple-vulnerability-could-allow-firmware-modifications-researcher-says.html), this exploit was tested on a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air. Macs made before 2014 appear to be vulnerable – which is most of those in service right now. Since the person who discovered the exploit tested it only on Apple portable computers, it’s easy to assume that only laptops are vulnerable. I don’t think that’s a safe assumption, however. It speaks to the limitations of the researcher’s resources rather than the limitations of a potential exploit. The researcher’s motives are also questionable because he reported his findings on his blog without first notifying Apple, as is customary practice among serious security researchers.
None of this discredits his test results, unfortunately. But it remains to be seen if other, more reliable, security researchers can duplicate his findings. Hopefully this will happen before some criminally inclined hacker does so – and before Apple develops firmware patches for it. There is also the as yet unanswered question of whether third-party security software can be updated to deal with it. This will be important to some people who are running OS X versions earlier than Mountain Lion, which Apple no longer support with security fixes.
All of this may seem unnecessary hype to some, as such warnings often do, but, as the saying goes, forewarned is forearmed. People concerned about information overload don’t usually read technical blogs like this one.
While it’s too early to actually take drastic action to avoid an exploit built on this vulnerability, like never putting your computer to sleep or shutting down and starting up every time you walk away from your desk, the other precautions Topher mentions are part of the best practices for avoiding any attack on your computer and should be routine for every computer user. Sadly, they are not.
Easy Solution.
Just turn off your ethernet or wifi at the end of the day?
Then you could safely sleep your computer.
Other than this dark jedi hack, and the thunderbolt hack, are there any other known hacks that can persist a clean re-install of os x ?