
"SpecialisRevelio!" Macs use Harry Potter spell to unlock secret "backdoor"

Don't worry: undocumented feature more the stuff of spy movies than hack attack.

The Mac on your desk or on the cafe table next to you has a chip with secret functions that can be unlocked only by inputting a spell from the Harry Potter series. That's right, the SMC, or system management controller, a chip used to regulate a Mac's current and voltage, manage its light sensor, and temporarily store FileVault keys, contains undocumented code that is invoked by entering the word "SpecialisRevelio." Those are the same magic words that wizards in the Harry Potter series, written by J. K. Rowling, use to reveal hidden charms, hexes, or properties.

That fun fact was presented Wednesday at the NoSuchCon security conference by veteran reverse engineer Alex Ionescu. While most details are far too technical for this article, the gist of the research is that the SMC is a chip whose firmware very few people can read out, but which just about anyone with rudimentary technical skills can "flash" with new code. Besides displaying the Apple engineers' affinity for Harry Potter, Ionescu's tinkerings also open the door to new types of hacks. But don't worry: they're mostly the stuff of a hacking scene in a James Bond or Mission Impossible screenplay.

"The attacks discussed in my presentation are attacks that likely only a nation-state adversary would have the sufficient technical knowledge to implement, and they require precise knowledge of the machine that is being targeted," Ionescu, who is chief architect at security firm CrowdStrike, wrote in an e-mail to Ars. "They are perfect, for example, at a border crossing where a rogue country may need to 'take a quick look at your laptop' to 'help prevent terrorism.' I don't suspect most Mac users (and certainly not those that read Ars or other similar publications) would be at a high-profile enough level to warrant such level of interest from another state."

Slides for his talk, titled Ninjas and Harry Potter: "Spell"unking in Apple SMC Land, are available online.

The SMC has some level of access to a Mac's Advanced Configuration and Power Interface (ACPI) and USB interfaces. Theoretically, the SMC could be targeted in a multi-stage attack that ultimately reaches the Northbridge or Southbridge portions of a Mac's circuitry. Another possibility is infecting the SMC with code that ferrets out the FileVault key used to encrypt a user's hard drive, although a considerably harder "cold boot" attack, or some other more established method, would still be needed to actually carry this out.

One of the more interesting applications for an SMC attack might be "marking" targets. By tampering with the chip's ambient light sensor and its fan and LED controls, a Mac could be programmed to emit audible or visible "noise" through the fans or LED displays. These signatures could then be detected by anyone in physical proximity to the marked computer. A Mac could also be programmed to turn off and never boot again at a specific time determined by the attacker. To be sure, there are other ways to "brick" a laptop, but few if any give an attacker the ability to control the precise time it cuts off.

"I realize these sound like things out of a spy movie and very limited in scope, but that's what I meant by specialized nation-state attacks," Ionescu wrote.

Of course, attacks that involve reflashing the firmware require the attacker to have physical access to the targeted Mac. That means they could be carried out only when the Mac was confiscated or secretly accessed by a hotel housekeeper or other clandestine agent. Another caveat: Ionescu also said that many of the holes he found in the SMC were plugged with the release of the Mountain Lion version of OS X.

Ionescu didn't detail the secret functionality that's unlocked when the Harry Potter spell is input. His slides seem to suggest the code involves functionality known as the kernel protection password or the kernel protection status. It's not unusual for developers to use an obscure or secret sequence of keystrokes to lock away certain functionality for legitimate reasons, for instance to protect users or to prevent piracy. The invocation of "SpecialisRevelio" to unlock the "backdoor" features is amusing and interesting, but there's no reason to think there's anything nefarious about it.

"Most embedded firmware controllers are designed in such a way that their code is not readable through software mechanisms," Ionescu wrote. "The SMC, however, does have a region of memory that's designed to be read by the OS, but that region corresponds to internal settings only, not code (this region is called the EPM). Amusingly, by providing a Harry Potter spell through an undocumented interface, the chip will allow additional regions of memory to be read through software, such as the chip's RAM; the actual code (ROM), however, remains elusive."

Source: Ars Technica
