In 2014, another security researcher named Trammell Hudson developed a way to infect the EFI of Mac computers through malicious Thunderbolt devices. Apple fixed some of the vulnerabilities that made that attack possible, but the following year Hudson created another version of the exploit, dubbed Thunderstrike 2, together with researchers Xeno Kovah and Corey Kallenberg.
Apple again fixed some of the vulnerabilities that made Thunderstrike 2 possible, and a few months later the company hired Kovah and Kallenberg.
Given that Apple now has at least three security researchers who specialize in EFI attacks and that the company has hardened its firmware against such exploits significantly since 2012, it's possible that the CIA's Der Starke implant doesn't work on the company's latest devices.
Apple did not immediately respond to a request for comment.
The ability to bypass EFI password protection and boot from a peripheral device's Option ROM has also been known since 2012 and was actually mentioned in Snare's Black Hat presentation. This method, which is used by the CIA's Sonic Screwdriver Thunderbolt adapter, was finally blocked by Apple in macOS Sierra 10.12.2, released in December.
After WikiLeaks released the first batch of CIA documents earlier this month, Intel Security released a tool that can help computer administrators verify whether the EFI/UEFI contains any malicious code.
During a press conference Thursday, WikiLeaks founder Julian Assange said that the newly released documents are just a small part of the cache of CIA documents that his organization has but has not yet published.
WikiLeaks previously promised to share unpublished information about CIA exploits and vulnerabilities with technology companies whose products are affected. The organization then asked vendors to agree to certain terms before it discloses the information.
Assange clarified Thursday that those terms don't involve money or anything like that, but rather a commitment from vendors that they will patch any flaws disclosed to them within an industry-standard time period of 90 days -- with a possible extension for hard-to-fix vulnerabilities.