Apple SMC, The place to be, definitely! (For an implant) presented at Recon 2014

by Alex Ionescu,

Summary : At NoSuchCon 2013 in Paris, I first revealed the details behind Apple's System Management Controller, and it use of secret keys based on Harry Potter spells to unlock system functionality, as well as "Ninja" Actions. Back then, the research was done on a 2011-era Mac laptop, and only 30% of the SMC had been reversed by me, so much of the presentation was based on early research and no practical attack had yet been developed. For the past year, I have worked on taking apart the SMC on the latest generation Mac computers, starting with the 2012 models, and fully reverse engineering the firmware. Not only has Apple gotten rid of the Harry Potter spell (and replaced it with another, lengthier, secret password), but they have completely changed suppliers and moved to a totally different microcontroller. Taking advantage of the new MCU, they've added validation checks to prevent malicious firmware updates, as well as greatly extended the capabilities and functionality of the SMC.
In this talk, I will:
1) Describe the new SMC MCU used by Apple on their newest generation computers.
2) Talk about previously unknown capabilities of the SMC, such as sending interrupts to the host, sending log messages to the kernel, as
well as full USB and LPC access, which are of great use to a rootkit developer. I will also cover hidden "debug" keys that exist in the SMC
and their use.
3) Do a few demos of playing with secret keys. For example, we'll see what happens when all thermal monitoring is off, fans are shut down, and the CPU is allowed to climb to temperatures above 100 degrees C (212 F).
4) Talk about how to "jailbreak" your SMC in order to allow full memory dump of the chip, as well as how to bypass the validation checks.
5) Release a variety of SMC Tools that convert back and forth from the SMC update format (.smc) to a binary file that IDA can load, as well
as computing all the checksums and validation checks needed to prepare a binary file for flashing, plus a tool to dump the entire SMC (based on the hack in #4).
6) Demonstrate an actual (benign) SMC Rootkit that communicates with the Host OS and/or externally.
7) Show a video demo of complete physical destruction of a Mac laptop following a maliciously crafted 'dead' SMC. The laptop no longer turns on, nor charges (the charging light doesn't even come up). If my employer will pay, I may show a live demo instead.
8) Show how to protect yourself from an SMC attacker (as much as possible) as well as how to validate that your SMC is not rootkitted.
The tools I talk about will also have this option.