What happened?
Macintosh security researcher Pedro Vilaca, discovered a deeply rooted vulnerability that allows hackers to gain access to certain Mac computers. By exploiting this security flaw, cybercriminals can effectively shut down your device or spy on your activities for a prolonged period of time.
Spying on users who are engaging in online banking activities or accessing sensitive data from their computer can put them at risk of identity theft and fraud. Some believe hackers may target major organizations in an effort to obtain confidential business information, similar to the Sony hack.
Symantec, a leader in data security, has since confirmed this Mac vulnerability and rated it as a “critical” threat.
The Mac vulnerability was discovered in the basic input/output system (BIOS) of devices that were more than a year old. The BIOS is the core of your computer and is used when rebooting from sleep mode.
Vilaca found that the BIOS firmware used in these Macs did not possess the necessary computer code to ensure its security and that hackers could easily rewrite this code and create a “permanent back door” to access your device.
This security flaw highlights the cybersecurity risks every computer faces — no matter the brand name.
And while there is a real threat to your device, hackers may only rewrite this code if you’ve created the optimum environment for them.
Who is impacted?
Hackers may only exploit this Mac vulnerability if your computer is…
- A Mac Book, Mac Book Pro, or Mac Book Air
- Made before mid-2014
- Rebooted from sleep mode, rather than powered off
- Rebooted by a user with admin privileges
What should you do?
Because this attack can only be executed when a Mac is being rebooted from sleep mode, you should always turn your device completely off when not actively using it. The attack also requires administrative privileges, so Mac owners should create two separate profiles on their computer: one admin profile and one user profile.
Currently, Apple has made no public statement regarding this Mac vulnerability nor have they released a patch. Because the newest models of Macs are not at risk, it appears that this vulnerability was previously discovered but Apple chose to keep it quiet.
Hopefully, Apple will soon drop their cloak of secrecy in order to keep hundreds of thousands of their customers safe from attack.
Fighting Identity Crimes will keep you updated in the event Apple releases a security patch for this flaw.