A vulnerability is discovered in which the boot kit is infected via Thunderbolt to EFI of MacBook and detection and deletion impossible & virus spreading are also done

Apple'sEFIThunderbolt via portBoot kitA vulnerability to infect has been discovered. From the device where the boot kit has been installedAir gapIt is reported that the virus spreads through.

EFI - Trammell Hudson's Projects
https://trmm.net/EFI


Apple's EFI vulnerability is reported by engineersTrammel · HudsonMr., Engineer conference to be held from 27th December 201431C3We are planning a demonstration demonstrating this vulnerability using a Macbook booting EFI at.

According to Hudson, due to the vulnerability of EFIDevices such as storage connected with ThunderboltThere is a danger of being infected with the boot kit from the boot kit, the boot kit once installed on the PC can prevent detection and deletion by the security software and can not remove it even by exchanging the HDD or reinstalling the OS And that.


An attacker can write incorrect code to the SPI flash ROM of the machine infected with the virus and create a new class of firmware boot kit in the MacBook system. After malicious code is written to ROM, it will be possible to control the system preferentially. Mr. Hudson said Apple's boot kit is located in ROMRSA encryption keyBy replacing the illegal secret key, we have confirmed that it prevents deletion from other software.

It is said that this vulnerability can be coped with by applying a few bytes of patch to firmware, but as of now no patch has been released. The only way to restore the infected firmware is to restore the infected firmware,In-System ProgrammingIt is only using a device.