
Your Mac Is Vulnerable to Thunderbolt Hacks and You Can't Do Anything About It – Video


Jasper_The_Rasper
Moderator
By Filip Truta    4 Jan 2015
 
Security researcher Trammell Hudson offers proof of concept
 
A security expert has issued a proof of concept where a custom hack can be used to infect Thunderbolt MacBooks over the Apple Extensible Firmware Interface (EFI), with no means for the user to detect the hack, while reinstalling the OS will not remove it.
 
Dubbed Thunderstrike, the vulnerability reportedly allows a custom-crafted malicious Thunderbolt device to flash code to the boot ROM. In a lengthy video posted to ccc-tv, Hudson demoes how persistent firmware modifications can be fed into the EFI boot ROM of MacBooks equipped with Thunderbolt ports.
 

No way for you to fix it on your own

 
“The bootkit can be easily installed by an evil-maid via the externally accessible Thunderbolt ports and can survive reinstallation of OSX as well as hard drive replacements,” says the security researcher. “Once installed, it can prevent software attempts to remove it and could spread virally across air-gaps by infecting additional Thunderbolt devices.”

There’s a lengthy analysis of the flaw over at trmm.net, also courtesy of Trammell Hudson. There, he explains how replacing the hard drive has no effect on the hack, since it doesn’t depend on anything stored on the disk, while reinstalling OS X from scratch also can’t erase the hack.
 
Full Article and video.

4 replies

Baldrick
Gold VIP
  • 16060 replies
  • January 4, 2015
That should be a bit of a wake-up call to all those Apple users who inanely believe that because they use a Mac they are immune from malware and the like...but will they listen?  I very much doubt it...LOL.

Jasper_The_Rasper
Moderator
A bit more information on Thunderstrike.
 
Sunday, January 04, 2015 Swati Khandelwal
 
A security researcher has discovered an easy way to infect Apple’s Macintosh computers with an unusual kind of malware using its own Thunderbolt port. The hack was presented by programming expert Trammell Hudson at the annual Chaos Computer Congress (30C3) in Hamburg, Germany. He demonstrated that it is possible to rewrite the firmware of an Intel Thunderbolt Mac. The hack, dubbed Thunderstrike, actually takes advantage of a years-old vulnerability in the Thunderbolt Option ROM that was first disclosed in 2012 but is yet to be patched. Thunderstrike can infect the Apple Extensible Firmware Interface (EFI) by allocating a malicious code into the boot ROM of an Apple computer through infected Thunderbolt devices.

Full Article

  • Community Guide
  • 5988 replies
  • January 8, 2015
By Eduard Kovacs on January 08, 2015
 
Highly persistent Mac OS X firmware bootkits can be installed on Apple computers, giving attackers full control of the device, a researcher has warned.
At the Chaos Communication Congress (31C3) that took place in Germany in late December, researcher Trammell Hudson demonstrated the capabilities of an experimental piece of malware that can be installed on the EFI (Extensible Firmware Interface) boot read-only memory (ROM) of Apple MacBooks through the Thunderbolt port.
Dubbed "Thunderstrike" by the expert, the bootkit can be installed within minutes by an attacker who has physical access to the targeted device (i.e. an “evil maid” attack). The threat is also capable of copying itself to Thunderbolt devices connected to the initially infected machine, which enables it to easily spread to other computers.
Thunderstrike doesn’t have a malicious payload, but the researcher says a weaponized version of the bootkit would be highly dangerous. First of all, it would be difficult to detect because there are no systems in place for identifying firmware rootkits on OS X. Furthermore, the malware is stealthy because it can hide by leveraging the system management mode (SMM).
 
full article

  • Community Guide
  • 5988 replies
  • January 8, 2015
8 Jan 2015 at 06:02, Darren Pauli
 
Reverse engineer Trammell Hudson has created an attack dubbed Thunderstrike which can quietly, persistently and virally compromise Apple Macs from boot.
The Thunderstrike attack uses 35-year-old legacy option ROMs to replace the RSA keys in a Mac's extensible firmware interface (EFI) to allow malicious firmware to be installed and lock out attempts to remove it.
 
It works against all MacBooks released since Thunderbolt's 2011 introduction, Hudson said, noting that he successfully tested seven machines.
"When we boot the machine the Thunderstrike exploit runs in the recovery mode boot replacing firmware and Apple's update routine flashes its RSA key onto the motherboard - and once that is done, we own the system and we can flash whatever we want using Apple's own update tools," Hudson told an applauding audience at the Chaos Communication Congress.
"Because we replaced the key this bootkit can't be removed through software alone because we control the key the firmware is going to use.
"There is no official channel to remove it."
 
full article
