About
This is a markdown adaptation of the whitepaper previously published at OSF:
https://osf.io/preprints/osf/enup4
Abstract
As the incidence of mobile workplaces has grown, the risk of unauthorized physical access has also grown. Research conducted by Richardson R. within the Computer Crime and Security Survey indicates 74.3% of total financial losses related to information incidents are caused in part by hardware theft[1]. This indicates by association an increased number of opportunities for physical implant attacks. Historically, defending Macs against such attacks has proven extremely difficult. This paper will review several physical implant attacks, including Direct Memory Access (DMA) implants, Human Interface Device (HID) spoofing implants, and EFI modification implants. We will examine the viability of each attack against modern (2013 and onwards) Macs, and a non-exhaustive selection of the mitigations available to prevent or respond to such attacks. We will close with an examination of potential future security trends relevant to physical implants.
1. Introduction
In late 2018, a major news outlet[2] reported that several large American businesses had discovered hardware implants on computer equipment used within the companies. The report further claimed that said businesses were in cooperation with a department of the United States federal government, the Federal Bureau of Investigation, to determine the source and intention of the implants.
Despite a lack of supporting evidence, and official statements from the businesses refuting the report[3,4,5], a resurgence of concern grew within the security industry that such implants were in widespread use by state agencies and advanced threat actors.
The existence and use of such devices had already been confirmed by an earlier 2013 report by Der Spiegel[6], in which journalists revealed that the National Security Agency had engaged in espionage through the targeted application of hardware implants. The secret “NSA ANT” catalogue[7] detailed available implant devices and unit pricing for use by the “Tailored Access Operations” team. Despite the complexity of some of the implants, the cost of deploying them was well within the means of an individual actor. Hardware implants have since become more feasible due to simplified implant designs and decreasing component costs[8].
Physical implant attacks have become fairly easy to conduct, and until recently very little defense was provided against them. We will review several categories of attacks against Macs achievable using hardware implants, followed by mitigations that prevent or increase attack difficulty.
2. Physical Implant Attacks
There is a general consensus within the security industry that physical access to a Mac has the potential to completely compromise the software security of the device. This section will summarize several physical implant types that have historically been effective against Macs.
2.1 Direct Memory Access
A Direct Memory Access (DMA) attack is a side channel attack exploiting the direct connection to the Random Access Memory (RAM) given to certain peripherals to facilitate high-performance data connections. Modern Macs implement a protocol called Thunderbolt, which gives compatible peripherals DMA to provide high throughput and low latency. This protocol is only available through compatible ports (Mini-DisplayPort and USB-C), but at least one of these ports is present on all modern Macs.
A hardware implant disguised as a Thunderbolt peripheral may use the DMA access to arbitrarily read and write from memory, exposing sensitive information and enabling the modification of data residing in certain regions of RAM. Malicious Thunderbolt peripherals like Inception[9] make use of this to exfiltrate encryption keys and inject code to override operating system functions.
2.2 Mitigations Against DMA Attacks
Firmware and software mitigations have been put into place by Apple through update channels to limit the scope of DMA attacks using Thunderbolt devices, but they are not absolute. The mechanism by which DMA attacks are made possible is inherent to Apple’s implementation of the Thunderbolt protocol itself. Unlike many manufacturers, Apple does not utilize Input/Output Memory Management Units (IOMMUs) on Thunderbolt connections to limit access to physical memory addresses of system RAM[10].
On older Mac models, a method of preventing DMA attacks was to physically disable the Thunderbolt ports. This could be achieved by severing the port’s data connections on the logic board, or by physically obstructing external access to the port using a cement or epoxy compound. Both of these methods are destructive, however, and were not practical for real-world usage. In addition, newer Mac models have unified the interfaces used to charge the internal battery and connect peripherals to the device[11], making physical destruction of the Thunderbolt ports completely infeasible. The only remaining methods are shutting down the Mac when it is not in active use, paired with physical access controls like device cages and surveillance cameras.
2.4 Human Interface Device Spoofing
Human Interface Device (HID) spoofing relies on a device that, when inserted into the target device, presents itself as a keyboard and/or mouse and performs actions mimicking user input.
Common applications of HID spoofing devices include placement between a legitimate peripheral and the target device, insertion into an empty port, or disguising the implant as a commonly used peripheral.
Inline HID spoofing implants intercept signals sent from the peripheral and record or modify them before passing those signals on to the Mac. Inline spoofing implants offer the same capabilities as embedded implants with less required time and resources, but are much more easily detected. This makes them most suitable for environments where prolonged physical access is not possible for the attacker.
Independent spoofing devices such as the Ducky[12] key resemble a small flash drive, and can be configured to perform the malicious actions immediately after insertion. Such an attack would require only a few seconds of physical access to perform, and leaves no physical evidence behind. Event logs on the device may also be erased by the spoofing device, eliminating digital evidence.
Spoofing devices can also be embedded within peripherals used by the target. The peripheral may be intercepted within the supply chain and embedded with an implant before reaching the target, or the implant may be embedded in a peripheral already in use at a time when the target is not present to witness the implantation. Implants can also be placed in publicly used peripherals like USB charging stations, or equipped with radio systems to enable data exfiltration. Supply chain implant attacks leave physical evidence in the form of extra or mismatched components, but detecting them can prove nearly impossible. Physically small or well-integrated implants can be almost indistinguishable from a legitimate peripheral[13].
2.5 Mitigations Against HID Spoofing Attacks
The principal flaws enabling HID spoofing attacks are the trust placed in peripherals by the operating system, followed by the physical accessibility of the peripherals and ports they use. Software mitigations can be put into place to prevent the use of unauthorized input devices, although this may not be effective for supply chain attacks. Physical mitigations involve permanently disabling the ports used by the attacks, but on newer Macs the homogeneous use of ports for both charging and connecting peripherals makes this impossible. Physical access controls like device cages and surveillance can prevent attacks without the need for physically modifying the device.
2.6 EFI Modification Attacks
The EFI is referred to in expanded form as the Extensible Firmware Interface. It is also known as the platform firmware, and is responsible for providing a software interface between the hardware and the operating system it loads.
Macs have used Intel EFI as a replacement for Open Firmware since January of 2006[14], and continue to use it as the platform firmware on all current Macs. The EFI has the ability to be “flashed”, allowing the Mac’s existing EFI code to be modified or replaced. This has the potential to allow an attacker to reprogram the platform firmware to use the existing hardware as an implant. Malicious firmware can be flashed to the EFI through the facilities provided to the operating system, or by directly interfacing with the Serial Peripheral Interface (SPI) bus on the logic board.
A proof-of-concept exploit called “Thunderstrike” uses a malicious Thunderbolt peripheral to modify PCIe Option ROMs, launching an attack on the firmware update system to load malicious EFI code[15]. Vulnerable Thunderbolt devices connected to the Mac could also be modified, potentially allowing the implant to spread to other Macs. In 2015, a variant of the Thunderstrike attack capable of remotely modifying Mac EFI was demonstrated[16]. It relies on having root access on the target and a vulnerable EFI. A significant number of Macs are still running firmware vulnerable to the attack[17].
2.7 Mitigations Against EFI Modification Attacks
The Mac EFI is not intended to be directly interacted with, and as such it does not have any configurable security options. Any security strategies to prevent malicious EFI modification must rely on a combination of physical access controls, firmware validation, and the application of security-related firmware updates.
With the exception of the remote Thunderstrike variant, the physical access controls used to prevent the previously discussed attacks are also effective in preventing EFI modification attacks. The vulnerability used by the remote Thunderstrike variant has since been patched in current firmware[18], but vulnerabilities may arise in the future that make such attacks possible again. The use of software security and standard hardening procedures can reduce this risk, but novel attacks always have the possibility of being discovered.
Starting with macOS 10.13, macOS performs a weekly validation of the underlying EFI to ensure it has not been unexpectedly modified[19]. This validation is only intended to check if the EFI has been tampered with, and does not check as to whether the EFI is current with updates, or if previous updates have failed. Third-party tools such as CHIPSEC[20] exist to verify the firmware against a known-good copy, and allow the current EFI firmware to be extracted for further examination. This at least allows implants to be identified and examined after discovery.
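Verification against a known-good copy can be illustrated with a per-block hash manifest. The following is an added example, not part of the original paper and not CHIPSEC's code; the block size, the ignored region and the sample bytes are constructed assumptions.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (an assumption for this example)


def build_manifest(image: bytes, block: int = BLOCK) -> dict:
    """Record the size and per-block SHA-256 of a known-good firmware image."""
    hashes = [hashlib.sha256(image[o:o + block]).hexdigest()
              for o in range(0, len(image), block)]
    return {"size": len(image), "block": block, "hashes": hashes}


def changed_regions(dump: bytes, manifest: dict, ignore=()) -> list:
    """Return merged (start, end) byte ranges where dump differs from the manifest.

    ignore holds (start, end) ranges expected to change between boots, such as a
    variable store; a block lying entirely inside one of them is skipped.
    """
    if len(dump) != manifest["size"]:
        raise ValueError("dump size differs from baseline; images are not comparable")
    block = manifest["block"]
    regions = []
    for index, expected in enumerate(manifest["hashes"]):
        start = index * block
        end = min(start + block, len(dump))
        if any(lo <= start and end <= hi for lo, hi in ignore):
            continue
        if hashlib.sha256(dump[start:end]).hexdigest() == expected:
            continue
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)  # extend the previous range
        else:
            regions.append((start, end))
    return regions


# Constructed sample data: an 8-block baseline and a dump with three altered blocks.
BASELINE = bytes((i * 7 + 3) % 256 for i in range(8 * BLOCK))
_dump = bytearray(BASELINE)
_dump[2 * BLOCK + 10] ^= 0xFF   # unexpected change in block 2
_dump[3 * BLOCK + 99] ^= 0xFF   # unexpected change in block 3 (adjacent to block 2)
_dump[6 * BLOCK + 5] ^= 0xFF    # change inside the ignored variable store
DUMP = bytes(_dump)
VARIABLE_STORE = [(6 * BLOCK, 7 * BLOCK)]  # hypothetical mutable region

if __name__ == "__main__":
    manifest = build_manifest(BASELINE)
    for start, end in changed_regions(DUMP, manifest, VARIABLE_STORE):
        print(f"modified: 0x{start:06x}-0x{end:06x}")
```

Storing only the manifest lets the baseline be kept off the machine being checked; the reported ranges indicate which part of an extracted image to examine first.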
Since macOS 10.10, Apple has begun consistently bundling EFI updates with general macOS updates[21]. This has the benefit of removing the burden of firmware updates from the user, but the process is imperfect. Many Macs are unsupported due to the requirements of newer macOS releases, and even on supported Macs the updates often fail to apply. The exact reason for these failures is not entirely known, but the end result is that the firmware remains on the outdated version.
Apple has attempted to eliminate nearly all EFI modification attacks with the introduction of the T-series System on Chip (SoC). The T-series SoC is an ARM-based security coprocessor that greatly enhances Mac security by enforcing the validation of both software and hardware components. The T-series SoC is backed by an immutable masked ROM that is used to initialize the SoC and provide core functionality[22]. This ROM is physically etched into the silicon during production, and cannot be modified without physically changing the ROM chip.
On T-series equipped Macs, the EFI is no longer stored in mutable flash storage. Upon boot, the T-series SoC dynamically provides the x86 processor with the necessary EFI image only after it has been verified[23]. Due to x86 architectural limitations the provided EFI must thereafter be held in mutable storage, exposing the EFI to modification by external factors. While EFI modification attacks are still possible, they have been made immensely more difficult.
3 Future Trends of Mac Physical Security Models
As threat actors become more advanced, the capabilities of their physical implants and the sophistication of the attacks that accompany them will increase. The growing trend of mobile computing will give attackers more opportunities to perform these physical attacks, potentially leading to more widespread use.
DMA attacks are expected to continue to maintain technical viability until more complete mitigations are introduced by Apple to prevent their use. The T-series SoC already maintains the DMA path between the Mac’s internal storage and the x86 CPU, confirming the SoC maintains the technical capabilities to act as a broker for DMA paths[24]. Future revisions of the SoC may extend this functionality into the Thunderbolt DMA paths, allowing it to further secure the protocol by acting as a form of IOMMU.
HID spoofing attacks are likely to continue to be used well into the future, as the mechanisms to secure against certain variants of the attack class prove exceptionally difficult. It would be possible for Apple to modify the process used to identify keyboards to include a “challenge-response” mechanism, but Apple’s aversion to user-facing complexity may prevent this.
A proposed extension of the initial keyboard setup process to enhance HID security is as follows. During initial keyboard setup, macOS currently requires the keyboard layout to be identified before the keyboard can be used. Upon insertion, the user is prompted to press certain keys to facilitate auto-detection. After the layout has been successfully set, macOS could require the user to press a series of randomly selected keys as displayed within the Keyboard Assistant window. As the HID spoofing device cannot feasibly predict the correct key sequence, a newly inserted implant cannot act without user interaction. This “challenge-response” style hardware interrogation is incapable of preventing many variants of HID spoofing attacks, but it does stop that newly inserted case. Apple may implement some variation of it in future versions of macOS.
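The proposed enrollment check can be modelled as follows. This is an added example, not part of the original paper and not an Apple API; the class, the key set, the sequence length, the timeout and the attempt limit are all hypothetical choices.

```python
import hmac
import secrets
import time

KEYS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # keys the prompt may show (assumption)


class EnrollmentChallenge:
    """One-time key sequence a newly attached keyboard must echo before it is trusted."""

    def __init__(self, length=6, ttl=30.0, max_attempts=3, clock=time.monotonic):
        self._clock = clock
        # secrets, not random: the sequence must be unpredictable to the device.
        self._expected = "".join(secrets.choice(KEYS) for _ in range(length))
        self._deadline = clock() + ttl
        self._attempts_left = max_attempts
        self.trusted = False

    def prompt(self) -> str:
        """Sequence shown on screen; only someone watching the display can read it."""
        return self._expected

    def submit(self, pressed: str) -> bool:
        """Check keystrokes from the new device; it stays untrusted on any failure."""
        if self.trusted:
            return True
        if self._attempts_left <= 0 or self._clock() > self._deadline:
            return False  # locked out or expired: input from this device is dropped
        self._attempts_left -= 1
        if hmac.compare_digest(pressed.encode(), self._expected.encode()):
            self.trusted = True
        return self.trusted


def attended_keyboard(challenge: EnrollmentChallenge) -> bool:
    """A person reads the prompt from the display and types it."""
    return challenge.submit(challenge.prompt())


def scripted_device(challenge: EnrollmentChallenge, payload="000000") -> bool:
    """A device replaying a preset sequence without any view of the display."""
    return any(challenge.submit(payload) for _ in range(5))


def guess_probability(length=6, attempts=3) -> float:
    """Chance that a device typing blind passes within the allowed attempts."""
    return attempts / (len(KEYS) ** length)


if __name__ == "__main__":
    print("attended keyboard trusted:", attended_keyboard(EnrollmentChallenge()))
    print("scripted device trusted:  ", scripted_device(EnrollmentChallenge()))
    print(f"blind-guess probability:   {guess_probability():.2e}")
```

The model covers only the newly inserted device; as the paper notes, other variants of HID spoofing are not prevented by this check.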
EFI modification attacks are in a period of shift, as the focus of such attacks has changed from the x86 processor to the T-series SoC. Given the large scope of functionality handled by the T-series SoC, it is possible a vulnerability could be leveraged to execute an attack against the EFI and x86 processor. Future versions of macOS are not expected to apply more robust software-based firmware verification, as Apple has so far not released any redesigned Mac models after 2018 that do not have the T-series SoC[25].
Industry leaders in x86 architecture design are already introducing extended functionality to their platforms to address the physical implant attacks developed in recent years, but the inherent design of the x86 architecture limits their ability to secure their platform without breaking compatibility with the current specifications of the architecture.
With the introduction of the T-series chip, Apple is moving many of the security functions traditionally handled by the x86 CPU to custom ARM-based coprocessors. This suggests that Apple may be attempting to reduce its reliance on the x86 platform, by migrating an increasing amount of platform functionality into the ARM coprocessor. This migration would eliminate many of the security issues present in the x86 architecture, including some classes of physical implant attacks. Apple may eventually eliminate the x86 CPU entirely, bringing the physical security models of future Macs closer to that of its iOS-based devices.
4 Conclusion
Physical implants present a serious threat to the security of modern Macs. Several types of implants, including DMA, HID spoofing, and EFI modification implants, have proven historically effective at compromising Macs when physical access is obtained. While mitigations have been developed to make these attacks more difficult, the increasing mobility of Macs means more opportunities for these implants to be used.
Apple has made significant strides in preventing physical implant attacks through the introduction of the T-series security chips in modern Macs. These chips handle critical security functions and make the Mac platform much more resistant to tampering. However, some risk still remains, especially on older Macs without a T-series chip.
In the coming years, physical implants are likely to grow in sophistication as attackers adapt to the latest defenses. Security-conscious Mac users and organizations should utilize physical access controls, keep systems updated, and consider upgrading to T-series equipped Macs to maximize their protection against current and future physical implant threats. As Apple potentially shifts more toward custom ARM-based chips in Macs, the platform’s physical security model may start to resemble iOS devices more than traditional PCs.
Citations
[1]: Richardson, R. 2010. “Computer Crime & Security Survey”. Gatton College Of Business And Electronics. http://gatton.uky.edu/FACULTY/PAYNE/ACC324/CSISurvey2010.pdf.
[2]: Robertson, Jordan, and Michael Riley. 2018. “The Big Hack: How China Used A Tiny Chip To Infiltrate U.S. Companies”. Bloomberg.Com. https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies.
[3]: “What Businessweek Got Wrong About Apple”. 2018. Apple Newsroom. https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/.
[4]: “Setting The Record Straight On Bloomberg Businessweek’s Erroneous Article | Amazon Web Services”. 2018. Amazon Web Services. https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/.
[5]: “Supermicro | News | Supermicro Refutes Claims In Bloomberg Article”. 2019. Supermicro.Com. https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm.
[6]: Horchert, Judith, Christian Stöcker, and Jacob Appelbaum. 2013. “Shopping For Spy Gear: Catalog Advertises NSA Toolbox - SPIEGEL ONLINE - International”. SPIEGEL ONLINE. http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html.
[7]: “NSA Ant Catalog”. 2014. Eff.Org. https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa_ant_catalog.pdf.
[8]: “NSA Playset”. 2014. Nsaplayset.Org. http://www.nsaplayset.org.
[9]: Maartmann-Moe, Carsten. 2012. “Carmaa/Inception”. Github. https://github.com/carmaa/inception.
[10]: Sevinsky, Russ. 2013. “Funderbolt Adventures In Thunderbolt DMA Attacks”. Media.Blackhat.Com. https://media.blackhat.com/us-13/US-13-Sevinsky-Funderbolt-Adventures-in-Thunderbolt-DMA-Attacks-Slides.pdf.
[11]: “Identify The Ports On Your Mac”. 2018. Apple Support. https://support.apple.com/en-us/HT201736.
[12]: Kitchen, Darren. 2012. “Hak5darren/USB-Rubber-Ducky”. Github. https://github.com/hak5darren/USB-Rubber-Ducky/.
[13]: “NSA Ant Catalog”. 2014. Eff.Org. https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa_ant_catalog.pdf, pg. 44
[14]: “Mactech | The Journal Of Apple Technology.”. 2007. Mactech.Com. http://www.mactech.com/articles/mactech/Vol.23/23.05/OpenFirmwareToEFI/index.html.
[15]: Hudson, Trammell. 2014. “Thunderstrike FAQ - Trammell Hudson’s Projects”. Trmm.Net. https://trmm.net/Thunderstrike_FAQ.
[16]: Hudson, Trammell. 2015. “Thunderstrike2 Details - Trammell Hudson’s Projects”. Trmm.Net. https://trmm.net/Thunderstrike2_details.
[17]: “The Apple Of Your EFI Findings From An Empirical Study Of EFI Security”. 2017. Duo.Com. https://duo.com/assets/ebooks/Duo-Labs-The-Apple-of-Your-EFI.pdf, pg. 33-35
[18]: “The Apple Of Your EFI Findings From An Empirical Study Of EFI Security”. 2017. Duo.Com. https://duo.com/assets/ebooks/Duo-Labs-The-Apple-of-Your-EFI.pdf, pg. 33-34
[19]: “High Sierra Automatically Checks EFI Firmware Each Week”. 2019. The Eclectic Light Company. https://eclecticlight.co/2017/09/24/high-sierra-automatically-checks-efi-firmware-each-week/.
[20]: “CHIPSEC: Platform Security Assessment Framework”. 2014. Github.Com. https://github.com/chipsec/chipsec.
[21]: “The Apple Of Your EFI Findings From An Empirical Study Of EFI Security”. 2017. Duo.Com. https://duo.com/assets/ebooks/Duo-Labs-The-Apple-of-Your-EFI.pdf, pg. 12
[22]: “Secure Boot In The Era Of The T2”. 2018. Duo.Com. https://duo.com/labs/research/secure-boot-in-the-era-of-the-t2#3, “0.3 Boot Process”
[23]: “Secure Boot In The Era Of The T2”. 2018. Duo.Com. https://duo.com/labs/research/secure-boot-in-the-era-of-the-t2#3, “0.5 Early Boot”
[24]: “Apple T2 Security Chip Overview”. 2018. Apple.Com. https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf, pg. 5
[25]: “About The Apple T2 Security Chip”. 2018. Apple.Com. https://support.apple.com/en-us/HT208862.