Apple’s “Dark Jedi” Exploit Explained

The prevailing notion of Apple computers is that they are uncannily good at shrugging off the day-to-day vulnerabilities that plague the likes of Windows. That is still broadly true, but one vulnerability has managed to slip through the cracks and create a bit of chaos in a system that prides itself on providing order to everyone using it.

It’s called the Dark Jedi exploit, and it hit the headlines on May 29, 2015. Although the exploit has become a subject of conversation among tech enthusiasts, many of the details surrounding it are discussed scantily, if at all. At Make Tech Easier we’re not satisfied until we’ve laid out the entire dilemma and discussed it in full honesty.

The underlying weakness is not new: a proof of concept was posted on a blog in February 2015. It gives you an idea of how relaxed we are about security that it took months for the news to reach the mainstream, when another researcher demonstrated it on slightly older Mac machines on May 29, 2015.

darkjedi-bios

It works by taking advantage of a flaw in what Apple’s firmware does when the machine sleeps. Before we go any further, I need to explain that the basic input/output system (BIOS) is a flash chip on your computer that stores all of the code it needs to begin the boot process and to set up the rest of the hardware attached to the main board. (On a Mac this firmware is EFI rather than a classic BIOS, but the page uses the familiar term.) If you’re familiar with the BIOS, you may consider this an oversimplification, but that’s the price we pay for being brief. Normally the firmware locks this chip every time the computer boots: it sets write-protect bits in the chipset that stay set until the next power cycle, so nothing running under the operating system can rewrite the firmware unless some special trigger disables that lock.

The locking mechanism mentioned above is extremely important, since it prevents malware from invading what is arguably the most important chip in your system. On many older Apple computers (and we’re not talking about ancient ones here; the test was done on a Retina MacBook Pro, model MacBookPro10,1) the lock is not re-applied when the computer wakes from sleep, as opposed to a full shutdown and reboot: the chipset loses the lock settings while asleep, and the firmware’s resume path never sets them again. From that moment until the next reboot, malware already running with root privileges can rewrite the firmware at will; closing the lid and opening it again is all it takes to open the door. A rootkit that lives in firmware survives a reinstall of the operating system and even replacement of the disk, which is why this chip is such an attractive target.
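The following is an added example, not code from the article or from the Dark Jedi proof of concept. It decodes the two Intel chipset registers that decide whether the SPI flash holding the firmware can be written, and turns them into the verdict the paragraph above describes. The register layouts are those of the Intel 7-series PCH used in the MacBookPro10,1; the two register snapshots (“at boot” and “after resume”) are constructed to illustrate the locked and unlocked states, not values captured from a real machine.

```c
/* Added example: decode the Intel PCH flash write-protect registers and
 * decide whether the firmware flash is currently writable from the OS.
 *
 * Register layouts (Intel 7-series PCH):
 *   BIOS_CNTL - LPC bridge (PCI 00:1f.0) config offset 0xDC, 8 bits
 *     bit 0 BIOSWE  : BIOS Write Enable   (1 = BIOS region writable)
 *     bit 1 BLE     : BIOS Lock Enable    (1 = setting BIOSWE raises an SMI
 *                                          so firmware can clear it again)
 *     bit 5 SMM_BWP : SMM BIOS Write Protect (1 = only SMM code may write)
 *   HSFS      - SPI controller, SPIBAR + 0x04, 16 bits
 *     bit 15 FLOCKDN: Flash Configuration Lock-Down; sticky until the next
 *                     platform reset, which is exactly what an S3 resume
 *                     path must re-apply and Dark Jedi found missing.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIOS_CNTL_BIOSWE  (1u << 0)
#define BIOS_CNTL_BLE     (1u << 1)
#define BIOS_CNTL_SMM_BWP (1u << 5)
#define HSFS_FLOCKDN      (1u << 15)

enum flash_wp_state {
    FLASH_WRITABLE,     /* OS-level (root) code can rewrite the BIOS region */
    FLASH_WP_BLE_ONLY,  /* BIOSWE clear, BLE set: writes trap to SMM first   */
    FLASH_WP_SMM_BWP    /* BIOSWE clear, SMM_BWP set: only SMM may write     */
};

/* Classify the BIOS region protection from BIOS_CNTL alone. */
enum flash_wp_state classify_bios_wp(uint8_t bios_cntl)
{
    if (bios_cntl & BIOS_CNTL_BIOSWE)
        return FLASH_WRITABLE;          /* write enable already on */
    if (bios_cntl & BIOS_CNTL_SMM_BWP)
        return FLASH_WP_SMM_BWP;
    if (bios_cntl & BIOS_CNTL_BLE)
        return FLASH_WP_BLE_ONLY;
    /* Neither lock bit: software can simply set BIOSWE itself. */
    return FLASH_WRITABLE;
}

/* FLOCKDN freezes the SPI protected-range and lock configuration. */
bool spi_config_locked(uint16_t hsfs)
{
    return (hsfs & HSFS_FLOCKDN) != 0;
}

/* Overall verdict: the firmware is protected only if the BIOS region is
 * write-protected AND the configuration backing that protection is frozen. */
bool firmware_protected(uint8_t bios_cntl, uint16_t hsfs)
{
    return classify_bios_wp(bios_cntl) != FLASH_WRITABLE && spi_config_locked(hsfs);
}

static const char *wp_name(enum flash_wp_state s)
{
    switch (s) {
    case FLASH_WP_SMM_BWP:  return "SMM_BWP (strong)";
    case FLASH_WP_BLE_ONLY: return "BLE only (SMI handler must clear BIOSWE)";
    default:                return "WRITABLE";
    }
}

static void report(const char *when, uint8_t bios_cntl, uint16_t hsfs)
{
    printf("%-13s BIOS_CNTL=0x%02x HSFS=0x%04x  BIOS WP: %-40s FLOCKDN=%d  => %s\n",
           when, bios_cntl, hsfs, wp_name(classify_bios_wp(bios_cntl)),
           spi_config_locked(hsfs) ? 1 : 0,
           firmware_protected(bios_cntl, hsfs) ? "firmware locked" : "FIRMWARE WRITABLE");
}

int main(void)
{
    /* Constructed snapshots (not captured from hardware): the lock bits the
     * firmware sets at boot, and the same registers with those bits gone
     * after a sleep/resume cycle, the condition the article describes. */
    report("at boot:",      0x22,   0xC000);  /* BLE|SMM_BWP, FLOCKDN|FDV */
    report("after resume:", 0x00,   0x4000);  /* lock bits cleared, FDV only */
    return 0;
}
```

To run the same check on real hardware rather than constructed values, read the registers with a tool that can touch PCI config space and the SPI controller: on Linux, `setpci -s 00:1f.0 dc.b` returns BIOS_CNTL, and the `chipsec` framework’s `common.bios_wp` module performs this classification (including the protected-range registers this example leaves out). Reading them once after boot and again after a sleep/wake cycle is the quickest way to see whether a given machine is affected.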

darkjedi-macbook

For a rootkit to “take root” in your Apple machine’s firmware, three criteria must be met:

  • Your hardware must be from mid-2014 at the latest;
  • Malware must already be running on the machine with root privileges (for example because you downloaded and executed a malicious application); and
  • The computer must then be put to sleep and woken up again, which leaves the firmware unlocked until the next full reboot.

To prevent the Dark Jedi exploit:

  • Download only from trusted sources, such as developers’ websites and the original makers of the software, and
  • Shut down your computer rather than letting it go into sleep mode if you have one of the affected pre-mid-2014 models.

As long as you have a Mac made after mid-2014, the lock mentioned earlier is re-applied even when the computer wakes from sleep, so you don’t have to worry about this particular threat.

If I may be honest, this exploit doesn’t necessarily make Apple computers any less safe than they already are. I know there might be a panic after everything said here, but Macs are still among the safest computers to use (although some would have good reason to argue that Linux is a measure safer).

What do you think? Is Apple starting to lose its touch, or is this a one-time slip-up? Tell us in a polite comment below!

8 comments

  1. Your explanation is a bit confusing. Is the “sleep mechanism” part of BIOS or part of the O/S? If it is a part of BIOS then Dark Jedi exploit will be present even if NO O/S is installed. It is the firmware, not software that is at fault.

  2. My understanding (from The Tech Guy podcast) is that, after you first turn on the PC the BIOS is write protected. The problem is, after you awaken the PC from sleep mode, the BIOS is no longer write protected.

    In that fashion, the code that might run overwrites the BIOS, thereby firmly embedding itself. BIOS is not something anti-virus/malware software checks.

  3. Your opening sentence: “The prevailing notion of Apple computers is that they are uncannily capable of protecting themselves from the day-to-day vulnerabilities that plague the likes of Windows. This hasn’t stopped being true ..”. Is indeed not true and actually a common misconception. Apple computers use the OSX operating system and, like all computer operating systems, are vulnerable to hacker viruses. Apple computers, contrary to their iPhone product, only represent a very small percentage of total worldwide computer sales. As a result, hackers continue to focus on the 90% running Windows XP, 7, 8.1, and the soon-to-be-released 10. Apple computers may actually be less secure, as hackers have not devoted much attention to OSX. Meaning, most vulnerabilities go untried and untested. If someone decided to purchase an Apple computer solely based on the misconception of an inherent ability to fight off viruses, then I suggest that buyer beware of false tales and untold riches.

    • I wouldn’t say that Apple’s computers are necessarily “safer” from vulnerabilities than those running Microsoft products. However, the airtight fusion of software and hardware seen in Apple’s products gives the OS developers more flexibility to introduce much tighter and hard-wired security measures that just wouldn’t be possible on operating systems (like Windows) that are focused on interoperability. I’m as much a fan of Microsoft as it gets, but I don’t find it disparaging whatsoever to admit that it is a bit cumbersome for Microsoft to make its operating system secure.

      Microsoft is aware of this, and it has been working with OEMs to help create platforms that are much more secure for Windows users. I think it’s a step in the right direction, but there’s still a hill to climb in terms of this.

      This isn’t to say that you’re wrong, though! You indeed have a very strong point about the inherent priority of hackers. They see everyone’s using Windows, so they develop as much malware as possible to hit as wide an array of victims as possible. Since Windows 98, we’ve had a huge bull’s eye painted on us. That has certainly made Microsoft’s job much harder than, say, Apple’s.

      • As long as Windows programs running in user space require administrative privileges, Windows will not be a secure O/S, no matter whether it is the most popular or the least popular.

  4. Normally I leave the comments section alone for articles like this, but I had to chime in.

    I’ve been an Apple sysadmin for the better part of 2 decades at several universities, and the biggest thing not mentioned here is that an attacker still has to gain access to your Mac via SSH, VNC, ARD, or via target disk mode.

    All the services that would allow access to this exploit are turned off by default when you get your Mac from Apple anyway.

    So the moral of the story is, use strong passwords; don’t turn on unnecessary sharing services, you are safe.

    Yes this is a nasty exploit, but if you are using safe computing practices you are for the most part safe.

  5. I believe my machine has been attacked by this exploit.

    A few days ago, my machine’s master password stopped working and I was unable to get into single-user mode or recovery mode.
    The machine had a firmware password.
    The only access I could get was through Guest, which at least gave me access to logs.

    However, in the end, after many hours on the phone to Apple, they concluded that the only way I could get this sorted was to take my machine to an Apple repair centre with proof of purchase.

    Instead of doing that, I used the ‘command line’ function in Cisco Meraki to issue “rm /var/db/AppleSetupDone” remotely via the Meraki agent “m_agent”.

    I then did a cold boot and it began to set up a new admin account. Once in, I changed the master password and deleted the temp admin account.

    So I am now back into my MacBook with full root access… however… the firmware lock still exists…
