New Attack Hits OS X

Wednesday, January 14, 2015 @ 02:01 PM gHale

An attack called Thunderstrike can quietly and efficiently compromise Apple Macs from boot, a researcher said.

The Thunderstruck attack uses 35-year-old legacy option ROMs to replace the RSA keys in a Mac’s extensible firmware interface (EFI) to allow malicious firmware to install and lock out attempts to remove it, said reverse engineer Trammell Hudson, who created the attack.

Hacking Without the Internet
Sony: Risk Management in Real Time
Need Info? Hack an Exec
Data Loss, Downtime Costs Big Bucks

It works against all Macbooks released since Thunderbolt’s 2011 introduction, Hudson said, who added he successfully tested seven machines.

“When we boot the machine the Thunderstrike exploit runs in the recovery mode boot replacing firmware and Apple’s update routine flashes its RSA key onto the motherboard, and once that is done, we own the system and we can flash whatever we want using Apple’s own update tools,” Hudson told an audience at the Chaos Communications Congress in Hamburg, Germany, in a published report.

“Because we replaced the key this bootkit can’t be removed through software alone because we control the key the firmware is going to use. There is no official channel to remove it.”

The work emanated from research conducted by pen tester Loukas K who in 2012 built a gigabit Ethernet Thunderbolt adaptor that could backdoor the OS X kernel.

“You might ask why isn’t there a cryptographic check at boot time? … The flash ROMs are only checked when they are being updated and once written it is never checked again [possibly] due to saving speed,” Hudson said.

Apple is patching some of the two-year-old Thunderstrike vulnerabilities to Mac Minis and iMac Retinas, but not altogether closing off the option ROM attack vector, while older Macs could have firmware downgraded and then attacked.

Hudson disabled the Thunderbolt option ROMs across his Macs, something he said could only occur prior to attack by Thunderstrike. A more permanent method would be to disable thunderbolt PCIe functions altogether to close off other attack vectors.

Click here for more technical detail on the attack.

Leave a Reply

You must be logged in to post a comment.