Where’s the moat around my OS X castle?

Bodiam castle

We all want to feel secure and protected, right? Kings, queens and other powerful individuals from ages past built moats to protect their investments and the people they cared for. Today, while we may not all be kings or queens, we still have the desire to protect ourselves and our personal property.

If you’re a Mac user with the belief that your OS X moat is impenetrable, protecting you from all foreign potential conquerors, it’s time to perk up and use a bit of caution.

According to Pedro Vilaça, a well-known OS X security expert, the moat around the personal world housed on your Mac has a major flaw. In Pedro’s blog post titled The Empire Strikes Back Apple – how your Mac firmware security is completely broken, he explains that simply by putting your machine to sleep, an attacker can compromise the device, gaining root access to the firmware.

So where did the moat around your OS X castle go?

In the age of global connectivity, creating a moat sufficient to protect our personal worlds is proving increasingly difficult. Just ask the US government, which publicly announced it has potentially suffered the biggest data breach in government history – a breach that could affect up to 4 million government employees.

Unfortunately, our desire for the convenience of near-ubiquitous Internet access, with all the benefits constant connectivity grants us, also means there are more people trying to tear down our moats than people capable of building and maintaining them. After all, we’re the figurative kings and queens: we don’t build the moats; we just take advantage of them.

So what does this mean for you and me?

Well, the bad news is that unless you’re on a mid-2014 or later Mac model, the exploit can be carried out without direct physical access to the machine itself. Essentially, anybody with the proper wherewithal can compromise the firmware on your machine and take it over simply by targeting you before you put the machine to sleep. Then, when it wakes up, your moat will have suddenly vanished, giving the attacker full root access to the firmware and subsequently to all of the data on your device.

With firmware-level access, more calculated attacks are feasible, and they could happen without you even knowing about it. Jose Pagliery, writing for CNNMoney, says that because the vulnerability gives attackers time, they can plot an attack on a much larger scale, similar to the Sony Pictures hack from late last year.

This is really bad. If your machine were infected, buying a new hard drive, or formatting your existing drive and reinstalling OS X, wouldn’t take care of the issue. The compromise happens at such a low level on the machine that you won’t be able to get rid of it until Apple releases new firmware that builds the moat anew.

As for good news, there isn’t a lot to write about just yet. As a personal user, exercise caution and prudence in the sites you visit on the web. Apple has not publicly commented on the vulnerability yet, and there are no known fixes. If you’re not famous or a public figure, the odds are ever in your favor that you will not be randomly targeted. As a corporation, however, there is cause for concern, as your employees may be a deliberate target.

If you are in charge of corporate machines, for now, make note of the Boot ROM version on all of your Macs. In LANDESK, this can be done by creating a query and storing it for later use. When Apple releases a firmware update, you’ll already have a list of all vulnerable machines and will be able to take action quickly to repair them.

To create this query, right-click My Queries or Public Queries in the Network View and select New Query.

  1. Give your query a name; something like Mac Boot ROM Version would suffice.
  2. From the Machine Components pick list in the upper left-hand quadrant, scroll down and find the attribute Type; it’s the second-to-last object under Computer. Select Type, then select the = sign from the operators column and select MAC from the right-hand column of scanned values.
  3. Click Insert to create the query syntax.
  4. In the Machine Components column in the bottom left-hand quadrant, expand BIOS and add Boot ROM Version to the column set of data to display.
  5. Save the query.
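If you don’t have LANDESK on every Mac, the same two facts the query collects (model and Boot ROM version) can be pulled straight from `system_profiler SPHardwareDataType` on each machine. The script below is an added example, not part of the original post or of LANDESK: it parses that output, records one line per host, and flags a machine as vulnerable when its Boot ROM sorts before a known-fixed version. The fixed-version table is a placeholder, since Apple had not published fixed Boot ROM numbers at the time of writing, and the sample `system_profiler` output is constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post or LANDESK): build a Boot ROM
# inventory from `system_profiler SPHardwareDataType` output and flag Macs
# whose Boot ROM is older than the version known to carry the fix.

# Extract "Model Identifier: MacBookPro11,1" from system_profiler output on stdin.
model_identifier() {
    sed -n 's/^[[:space:]]*Model Identifier:[[:space:]]*//p'
}

# Extract "Boot ROM Version: MBP111.0138.B16" from system_profiler output on stdin.
boot_rom_version() {
    sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p'
}

# True (exit 0) when Boot ROM string $1 sorts before $2. Boot ROM strings for
# one model share a prefix and fixed-width fields, so a byte-wise sort gives
# the right order; strings from different models are never compared here.
is_older() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

# First Boot ROM version known to contain the fix, per model.
# PLACEHOLDER VALUES: the post gives none; replace them with Apple's real
# numbers once the firmware update ships. Unknown models return "".
fixed_boot_rom_for() {
    case "$1" in
        MacBookPro11,1) echo "MBP111.0138.B99" ;;   # placeholder, not a real release
        MacBookAir6,2)  echo "MBA61.0099.B99" ;;    # placeholder, not a real release
        *)              echo "" ;;
    esac
}

# Read one machine's system_profiler output on stdin and print a tab-separated
# record: hostname, model, boot_rom, status (fixed / vulnerable / unknown).
# Tabs rather than commas, because model identifiers contain a comma.
inventory_record() {
    host=$1
    profile=$(cat)
    model=$(printf '%s\n' "$profile" | model_identifier)
    rom=$(printf '%s\n' "$profile" | boot_rom_version)
    fixed=$(fixed_boot_rom_for "$model")
    if [ -z "$fixed" ] || [ -z "$rom" ]; then
        status=unknown
    elif is_older "$rom" "$fixed"; then
        status=vulnerable
    else
        status=fixed
    fi
    printf '%s\t%s\t%s\t%s\n' "$host" "$model" "$rom" "$status"
}

# Constructed sample of `system_profiler SPHardwareDataType` output so the
# script runs on any system. On a real Mac, pipe the live command instead:
#   system_profiler SPHardwareDataType | inventory_record "$(hostname)"
SAMPLE_PROFILE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Processor Name: Intel Core i5
      Boot ROM Version: MBP111.0138.B16
      SMC Version (system): 2.16f68'

printf '%s\n' "$SAMPLE_PROFILE" | inventory_record "mac-finance-01"
```

Run it from your management host over SSH against each Mac (or deploy it as a login script) and collect the records into one file; once Apple publishes the fixed Boot ROM versions, update `fixed_boot_rom_for` and re-run to get the same vulnerable-machine list the LANDESK query produces.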

Once you have the query, get on the phone and call Apple to ask when a security fix will be coming. They’ve fixed the exploit on their newer hardware, knowingly or unknowingly; either way, they have the recipe to repair the moat, at least this time, and your castle needs it.