Intel Security releases EFI rootkit checker for MacBooks after CIA hacking leaks
The Vault 7 leaks this week suggest that the CIA has been able to exploit vulnerabilities in a wide range of popular hardware and software, including Windows, macOS and Linux. One of the suggestions is that the agency produced EFI (Extensible Firmware Interface) rootkits for MacBooks called DarkMatter.
To help calm the fears of MacBook owners, Intel Security has pushed out a tool to check for such rootkits. Apple issued a statement earlier this week indicating that it had addressed "many of the issues" exposed by WikiLeaks, but Intel Security's further intervention will bring some peace of mind to concerned users.
EFI is the firmware that replaces the old-fashioned BIOS on modern computers. Various rootkit exploits have been implemented over the years that make it possible to inject code into that firmware, where it then runs before the operating system itself launches. Working on a kernel level, rootkits are hardy pieces of malware that evade easy detection and are able to survive a full reformat of the system drive.
The company explains the new module in a blog post:
In the recent disclosures, another EFI firmware malware for Mac OS X systems, DarkMatter, has surfaced. It appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection. If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.
EFI firmware malware is a new frontier for stealth and persistent attacks that may be used by sophisticated adversaries to penetrate and persist within organizations and national infrastructure for a very long time. Use open-source CHIPSEC to defend from this threat and stay safe.
In response to the Vault 7 revelations, Intel Security has updated its CHIPSEC framework with a new module that checks the EFI firmware's executables against a whitelist generated earlier from a known-good image, flagging any binaries that were not there before.
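The whitelist approach the blog post describes, shown here as an added Python illustration that is not the CHIPSEC module or Intel Security's code: hash every EFI executable extracted from a known-clean image, store the digests offline, and later flag binaries in a suspect image that are not on the list. The module names and byte strings are constructed stand-ins for real firmware executables, and the check goes a step beyond the "extra binaries" case in the text by also reporting modules that were modified or removed.

```python
import hashlib
import json

# Constructed sample data: EFI executables as extracted from two firmware
# images, keyed by module name. Real images carry hundreds of modules keyed
# by file GUID; these byte strings are stand-ins, not real firmware.
CLEAN_IMAGE = {
    "SecCore": b"MZ\x90\x00 constructed SEC-phase module",
    "PeiCore": b"MZ\x90\x00 constructed PEI core",
    "DxeCore": b"MZ\x90\x00 constructed DXE core",
}
SUSPECT_IMAGE = dict(CLEAN_IMAGE)
SUSPECT_IMAGE["ImplantPei"] = b"MZ\x90\x00 constructed extra PEI-stage binary"
SUSPECT_IMAGE["ImplantDxe"] = b"MZ\x90\x00 constructed extra DXE-stage binary"


def build_whitelist(modules):
    """Hash every executable of a known-clean image: name -> SHA-256 hex digest."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in modules.items()}


def save_whitelist(whitelist):
    """Serialise the whitelist so it can be kept offline before any infection."""
    return json.dumps(whitelist, sort_keys=True, indent=2)


def load_whitelist(text):
    """Read a whitelist previously produced by save_whitelist()."""
    return json.loads(text)


def check_against_whitelist(modules, whitelist):
    """Compare a later image against the stored whitelist.

    'added' is the case the blog post describes: binaries never seen in the
    clean image. 'modified' and 'missing' are reported too, since an implant
    may patch or replace an existing module rather than add a new one.
    """
    current = build_whitelist(modules)
    return {
        "added": sorted(n for n in current if n not in whitelist),
        "modified": sorted(n for n in current if n in whitelist and current[n] != whitelist[n]),
        "missing": sorted(n for n in whitelist if n not in current),
    }


if __name__ == "__main__":
    stored = save_whitelist(build_whitelist(CLEAN_IMAGE))  # done on the clean system
    report = check_against_whitelist(SUSPECT_IMAGE, load_whitelist(stored))
    for kind, names in report.items():
        print(f"{kind}: {names or '-'}")
```

The whitelist is only as trustworthy as the image it was built from, so it has to be generated and stored before the machine is suspected of compromise.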
Full details about how to use the tool can be found in the blog post from Intel Security. EFI updates are available for download from Apple's support pages.
Image credit: Hadrian / Shutterstock