World’s first (known) bootkit for OS X can permanently backdoor Macs

Discussion in 'macOS' started by alex0002, Jan 8, 2015.

  1. alex0002, Jan 8, 2015
    Last edited: Jan 10, 2015

    alex0002 macrumors 6502

    Jun 19, 2013
    New Zealand
    From Thunderstrike allows anyone with even brief access to install stealthy malware.


    I believe that something similar was posted in the iMac forum discussing a Thunderbolt security issue in 2012. The post by snare was quite interesting, but it appears that the attack has been developed since the last discussion.

    While it would seem that physical access is needed, there might be a number of possible attack scenarios:

    1. iMac or other non-portable Mac in an office where cleaners and other staff have access.
    2. User operates portable Mac in office or other shared space, but doesn't keep it in sight at all times.
    3. User purchases a used Mac including a shop demo.
    4. User purchases refurbished Mac - can we be sure that Apple checks/reflashes firmware during the refurb process?
    5. User purchases or attaches a used or untrusted Thunderbolt device.

    More technical details here:

    Hour-long presentation of the talk describing the reverse engineering process and details here:

    The video covers the same ground as the annotated version of the presentation, but helps if you want a better understanding of a complex (for most people) topic.
  2. jayducharme macrumors 68040


    Jun 22, 2006
    The thick of it
    Just saw another article about this. It looks pretty bad. But someone has to get physical access to your Mac. Apple will probably find a way to correct this over time. I just wonder how long it will take. And I also wonder whether it's completely an Apple problem, or whether there's something on Intel's end that will need to be fixed.
  3. alex0002, Jan 10, 2015
    Last edited: Jan 10, 2015

    alex0002 thread starter macrumors 6502

    Jun 19, 2013
    New Zealand
    Physical access to the Mac would be the obvious method and there were several methods mentioned in the Thunderstrike presentation, but physical access to the Thunderbolt monitor or another Thunderbolt device might be just as good.

    Using a Thunderbolt monitor would be ideal, as it could be programmed to intermittently display something like:

        Timeout error:
        Please reboot your computer.

    But it might not need to be an actual Thunderbolt monitor. The presentation mentions an overhead projector with an ALLOYVIPER decoy VGA adapter.

    Here is another scenario:

    1. You work in an office with a shared Thunderbolt monitor or some other Thunderbolt device.
    2. One Mac in the office becomes infected with malware through an unpatched OS X vulnerability or social engineering.
    3. The infected Mac flashes the shared Thunderbolt monitor.
    4. You connect your MacBook and, if you boot while connected, your MacBook firmware is flashed.
    5. In time the whole office is infected and even reformatting all the HDDs / SSDs will not repair the infected machines.
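
    The Thunderbolt-device vector in the scenarios above works through the device's PCI expansion ROM (the Option ROM), which the Mac's EFI firmware loads and runs during boot; that is the hook Thunderstrike uses. The script below is an added example, not code from the posts or from the Thunderstrike project: it walks an expansion ROM image and inventories the EFI driver images inside it, so you can see what a Thunderbolt peripheral would hand to the firmware before trusting it. The ROM blob at the bottom is constructed here for the demo (made-up vendor/device IDs, no real driver code) and the script only reports what is present; deciding whether an EFI image is malicious needs further analysis of the PE/COFF payload it points to.

```python
"""Walk a PCI/Thunderbolt expansion ROM and report the EFI driver images it carries.

An expansion ROM is a chain of images.  Each image starts with a 0x55AA header
whose word at 0x18 points to a "PCIR" data structure; PCIR byte 0x14 is the
code type (0 = x86 BIOS, 3 = EFI) and bit 7 of byte 0x15 marks the last image.
EFI images additionally carry the 0x0EF1 signature, subsystem, machine type
and compression flag in the 0x55AA header itself.
"""
import struct

CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_MACHINE = {0x014C: "IA32", 0x8664: "X64", 0xAA64: "AARCH64", 0x01C2: "ARM"}
EFI_SUBSYSTEM = {0x0A: "application", 0x0B: "boot service driver", 0x0C: "runtime driver"}
EFI_ROM_SIGNATURE = 0x0EF1


def parse_expansion_rom(rom: bytes):
    """Return one dict per image in the chain; raise ValueError on a malformed header."""
    images, offset = [], 0
    while offset + 0x1A <= len(rom):
        if rom[offset:offset + 2] != b"\x55\xAA":
            raise ValueError(f"bad ROM signature at 0x{offset:x}")
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"bad PCIR signature at 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        image_len = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if image_len == 0:
            raise ValueError(f"zero-length image at 0x{offset:x}")
        rec = {"offset": offset, "vendor": vendor, "device": device, "length": image_len,
               "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
               "last": bool(indicator & 0x80)}
        if code_type == 3:
            sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, offset + 0x04)
            efi_hdr = struct.unpack_from("<H", rom, offset + 0x16)[0]
            rec.update({"efi_signature_ok": sig == EFI_ROM_SIGNATURE,
                        "subsystem": EFI_SUBSYSTEM.get(subsystem, hex(subsystem)),
                        "machine": EFI_MACHINE.get(machine, hex(machine)),
                        "compressed": compression == 1,
                        "efi_image_offset": offset + efi_hdr})  # start of the PE/COFF payload
        images.append(rec)
        if rec["last"]:
            break
        offset += image_len
    return images


def efi_drivers(rom: bytes):
    """Only the EFI images, i.e. the code the Mac's firmware would execute at boot."""
    return [img for img in parse_expansion_rom(rom) if img["code_type"] == "EFI"]


def _build_image(code_type, *, last, efi_machine=0x8664):
    """Construct a minimal 1 KiB expansion ROM image for the demo (not real firmware)."""
    units = 2  # image length in 512-byte units
    hdr = bytearray(0x1C)
    hdr[0:2] = b"\x55\xAA"
    struct.pack_into("<H", hdr, 0x02, units)
    if code_type == 3:
        # EFI signature, subsystem (boot service driver), machine type, uncompressed
        struct.pack_into("<IHHH", hdr, 0x04, EFI_ROM_SIGNATURE, 0x0B, efi_machine, 0)
        struct.pack_into("<H", hdr, 0x16, 0x40)  # where the PE/COFF image would begin
    struct.pack_into("<H", hdr, 0x18, len(hdr))  # PCIR follows the header directly
    pcir = bytearray(0x18)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 0x04, 0x1234, 0x5678)  # constructed vendor/device IDs
    struct.pack_into("<H", pcir, 0x0A, len(pcir))
    pcir[0x0C] = 3
    struct.pack_into("<H", pcir, 0x10, units)
    pcir[0x14] = code_type
    pcir[0x15] = 0x80 if last else 0x00
    body = bytes(hdr + pcir)
    return body + b"\x00" * (units * 512 - len(body))


# Constructed sample: a legacy x86 image followed by an x64 EFI driver image.
SAMPLE_ROM = _build_image(0, last=False) + _build_image(3, last=True)

if __name__ == "__main__":
    for img in parse_expansion_rom(SAMPLE_ROM):
        print(img)
    print(f"{len(efi_drivers(SAMPLE_ROM))} EFI image(s) in ROM")
```

    On a real device the ROM contents would be read from the PCI function's expansion ROM BAR (or pulled from the device's flash) and passed to parse_expansion_rom; a device that advertises an EFI driver image is one whose code will run in the firmware before the OS, which is exactly why a shared monitor or borrowed adapter matters in this thread.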