Thunderbolt security issue

Discussion in 'iMac' started by BenniG, Aug 1, 2012.

  1. BenniG macrumors member

    Joined:
    Jun 18, 2012
    #1
    Unfortunately there is no security forum.

    http://h-online.com/-1655108

    From heise security
    "EFI rootkit for Macs demonstrated

    At the Black Hat hacker conference, Australian security expert Loukas K (aka Snare) has demonstrated a rootkit which is able to insert itself into a Macbook Air's EFI firmware and bypass the FileVault hard drive encryption system. Although the idea of an EFI rootkit is nothing new, this is the first time it has been demonstrated live and the hacker has used a previously unknown method based on a modified Thunderbolt to Ethernet adapter.
    From the point of view of an attacker, a rootkit inserted into the EFI BIOS has some major advantages. The malicious code survives rebooting, is able to bypass hard drive encryption, does not have to make any changes to the hard drive, and is in a position to modify the operating system kernel on booting. Infection requires physical access to the computer (Evil Maid attack).
    Depending on the ports available on the target system, an attacker can either insert a USB flash drive containing the malicious code or choose a newly demonstrated method using a Thunderbolt to Ethernet adapter – an accessory available from Apple. Snare was able to save a device driver, which is automatically loaded when the computer is rebooted, on the adapter. As proof, with the dongle inserted, the Mac displays an alternative start screen, rather than the usual apple, on booting. With the help of this device driver, the malicious code is loaded and executed later in the boot process.
    Snare's device driver is not just able to load the malicious code which modifies the kernel – it is also able to perform actions such as recording the password for decrypting a FileVault-encrypted hard drive. According to Snare, Apple was informed of the issue several months in advance of his presentation and has even confirmed that the attack works, but, because of the technical capabilities of Thunderbolt, implementing a solution is not straightforward.
    Snare told The H's associates at heise Security that adding functionality to the malicious code, such as opening a reverse shell after infecting the kernel, is simple.
    (Uli Ries / djwm)"
     
  2. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #2
    If you give someone physical access to your computer, all bets are off, anyway.
     
  3. BenniG thread starter macrumors member

    Joined:
    Jun 18, 2012
    #3
    Where do you buy your Thunderbolt stuff?
     
  4. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #4
    I don't.
     
  5. Peace macrumors Core

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #5
    What does it matter where you get the dongle? The thief still needs access to the computer. It can't be done over the internet.
     
  6. BenniG thread starter macrumors member

    Joined:
    Jun 18, 2012
    #6
    ...but you can buy manipulated dongles on the internet.
    Remember Thunderbolt is like PCI.
     
  7. Peace macrumors Core

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #7
    I'll say what GG said.

    "Infection requires physical access to the computer"
     
  8. BenniG thread starter macrumors member

    Joined:
    Jun 18, 2012
    #8
    Scenario
    Someone buys a cheap Thunderbolt dongle somewhere on the internet.
    This is manipulated and modifies the kernel. Then the computer is infected.
    No need for further physical access; the buyer of the cheap dongle did that already.


    "With the help of this device driver, the malicious code is loaded and executed later in the boot process......
    ....is not just able to load the malicious code which modifies the kernel – it is also able to perform actions such as recording the password for decrypting a FileVault-encrypted hard drive.."
    (cited out of the article)
     
  9. philipma1957 macrumors 603

    philipma1957

    Joined:
    Apr 13, 2010
    Location:
    Howell, New Jersey
    #9
    So any external HDD can have instructions in it. If you plug in a "new" piece of gear that has a firmware upgrade preprogrammed in it, you will see the firmware upgrade happen on your machine.

    I do not think a firmware upgrade in progress can be invisible.

    Everyone I have ever seen shows the progress with the gray bar. You would need to watch if you plug in any new gear to see if a firmware upgrade triggers.

    If this is possible at all I would love to see a video demo of this taking place.
     
  10. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #10
    Protection from malware has always been most successful when exercising some common sense and prudence in what you acquire and from what source. The same caution when acquiring software also applies to hardware. For anyone who isn't going out of their way to be foolish, this "threat" is a non-issue.
     
  11. kylera macrumors 65816

    kylera

    Joined:
    Dec 5, 2010
    Location:
    Seoul
    #11
    What GGJ says.

    There is a one-in-a-gazillion chance that there can be a batch of crappy dongles, true. But the chance of getting a crappy dongle through the Apple Store compared to through a shady dealer is much, MUCH lower.

    Besides, if you're working in a sensitive place to begin with, there would be measures in place to not allow stuff like that to happen anyway.
     
  12. miles01110 macrumors Core

    miles01110

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #12
    Sounds like the OP has fallen victim to the internet fear factory.
     
  13. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #13
    Or, viewed another way, OP posted a link to a very interesting article about Mac security. I know I had not heard of this issue and thought it was good to know.
     
  14. miles01110 macrumors Core

    miles01110

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #14
    You didn't know that if a bad person can fiddle with your computer's hardware it can be compromised? I guess some things aren't as obvious as they seem.
     
  15. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #15
    I know you are just being condescending, but I'll humor you and answer anyway. I was not aware of this particular method of hijacking the Mac EFI. Perhaps other forum members also were not aware of it and will benefit from the information.
     
  16. snare macrumors newbie

    Joined:
    Aug 10, 2012
    #16
    Hey dudes, I'm the guy who did this talk at Black Hat.

    Just FYI that article is a bit misleading - the Thunderbolt evil maid attack requires physical access (of course - it's an evil maid attack), but infection with EFI malware in general does not necessarily require physical access. Given compromise of the system and privesc to root an attacker could write a malicious EFI driver to the option ROM on the video card/onboard ethernet, or patch/replace boot.efi. So it would be quite possible for a complex chained attack that went from a Safari bug resulting in arbitrary code execution -> sandbox escape -> root privesc -> flash oprom/patch bootloader. The Thunderbolt evil maid attack seems to be the aspect people have found most interesting, but there is a lot more to the topic. The whitepaper and slides are on my blog here: http://ho.ax

    Regarding the firmware update stuff - I haven't been able to successfully infect the core EFI firmware itself, as I believe Apple's boot ROM that does the POST also checks the signature of the EFI firmware before allowing it to be executed (a friend of mine who worked for Apple indicated this). BUT, I have been able to write malicious firmware to the EFI EEPROM without using Apple's firmware update process, the machine just doesn't boot afterwards :( It is certainly possible to do this from the OS on some systems without the user seeing the firmware update progress bar or any other visual cue. The malware just communicates with the chipset that the EFI EEPROM is connected to (e.g. Intel P55) and that chipset talks to the EEPROM via SPI. Newer machines use the write-protect pin on the flash so that once the OS is booted you can't write to it, so the firmware flashing would need to happen in the early stages of EFI (which can be achieved in a similar way to how Apple's firmware updates work - pass an EFI capsule back to EFI and have it deploy the firmware from there).

    Hope this has been helpful.
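The mechanism the article and snare's reply both describe is an EFI driver stored in a PCI expansion ROM (the Thunderbolt-to-Ethernet adapter, or a video/NIC option ROM written from a root shell) that the firmware enumerates and executes at boot. The following is an added example, not code from the thread, from snare's whitepaper, or from Apple: a parser for the expansion ROM header and PCIR data structure as laid out in the PCI Firmware Specification 3.0, which walks the image chain in a dumped ROM and reports whether any image is an EFI driver and for which machine type. The two sample ROMs are constructed inline with placeholder vendor/device IDs and zeroed payloads; they are not dumps of any real adapter. Run it against a ROM image read from a file to see what a firmware would consider loading from that device.

```python
import struct

# Field layout per the PCI Firmware Specification 3.0 expansion ROM format
ROM_SIGNATURE = 0xAA55          # bytes 55 AA at offset 0, read little-endian
EFI_SIGNATURE = 0x0EF1          # 32-bit field at offset 4 of an EFI image header
PCIR_MAGIC = b"PCIR"
BLOCK = 512                     # image lengths are counted in 512-byte blocks

CODE_TYPES = {0x00: "x86 legacy", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}
EFI_SUBSYSTEMS = {0x0A: "EFI application", 0x0B: "EFI boot service driver",
                  0x0C: "EFI runtime driver"}
MACHINES = {0x014C: "IA32", 0x0200: "IA64", 0x0EBC: "EBC", 0x8664: "x64", 0xAA64: "AArch64"}


def parse_images(rom):
    """Walk the chain of images in an expansion ROM and describe each one."""
    images = []
    off = 0
    while True:
        if off + 0x1A > len(rom) or struct.unpack_from("<H", rom, off)[0] != ROM_SIGNATURE:
            raise ValueError("no 55AA ROM signature at 0x%x" % off)
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if pcir + 0x18 > len(rom) or rom[pcir:pcir + 4] != PCIR_MAGIC:
            raise ValueError("bad PCIR pointer in image at 0x%x" % off)
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        blocks = struct.unpack_from("<H", rom, pcir + 0x10)[0]
        code_type = rom[pcir + 0x14]
        indicator = rom[pcir + 0x15]            # bit 7 set means last image in the ROM
        image = {
            "offset": off,
            "vendor": vendor,
            "device": device,
            "length": blocks * BLOCK,
            "code_type": code_type,
            "code_type_name": CODE_TYPES.get(code_type, "unknown"),
            "last": bool(indicator & 0x80),
        }
        if code_type == 0x03:
            # EFI images carry an extra header right after the 55AA signature
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, off + 4)
            if efi_sig != EFI_SIGNATURE:
                raise ValueError("EFI code type but no 0EF1 signature at 0x%x" % off)
            image.update({
                "subsystem": EFI_SUBSYSTEMS.get(subsystem, "unknown"),
                "machine": MACHINES.get(machine, "unknown"),
                "compressed": compression == 1,
                "pe_offset": off + struct.unpack_from("<H", rom, off + 0x16)[0],
            })
        images.append(image)
        if image["last"]:
            return images
        if blocks == 0:
            raise ValueError("zero-length image at 0x%x would loop forever" % off)
        off += blocks * BLOCK


def efi_drivers(rom):
    """The images an EFI/UEFI firmware would consider loading from this ROM."""
    return [img for img in parse_images(rom) if img["code_type"] == 0x03]


def build_image(code_type, vendor, device, blocks, last, efi=None):
    """Construct a minimal well-formed image for testing; the payload bytes are zero."""
    img = bytearray(blocks * BLOCK)
    struct.pack_into("<H", img, 0, ROM_SIGNATURE)
    img[2] = blocks                               # initialization size in blocks
    pcir = 0x40                                   # arbitrary placement of the PCIR structure
    struct.pack_into("<H", img, 0x18, pcir)
    if efi is not None:
        subsystem, machine = efi
        struct.pack_into("<IHHH", img, 4, EFI_SIGNATURE, subsystem, machine, 0)
        struct.pack_into("<H", img, 0x16, 0x80)   # where the PE/COFF driver would start
    img[pcir:pcir + 4] = PCIR_MAGIC
    struct.pack_into("<HH", img, pcir + 4, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)  # PCIR structure length
    struct.pack_into("<H", img, pcir + 0x10, blocks)
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    return bytes(img)


# Constructed sample ROMs; vendor/device IDs are placeholders, not a real adapter
LEGACY_ONLY_ROM = build_image(0x00, 0x1234, 0x5678, 1, last=True)
MIXED_ROM = (build_image(0x00, 0x1234, 0x5678, 1, last=False)
             + build_image(0x03, 0x1234, 0x5678, 2, last=True, efi=(0x0B, 0x8664)))

if __name__ == "__main__":
    for img in parse_images(MIXED_ROM):
        print(img)
```

The parser stops at the image whose indicator byte has bit 7 set and refuses zero-length images, so a crafted ROM cannot make it spin; the `code_type` and `subsystem` fields are what tell you whether a device ships a driver the firmware will run before the OS, which is the condition the whole thread turns on.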
     
