
alex0002

macrumors 6502
Original poster
Jun 19, 2013
495
124
New Zealand
From arstechnica.net: Thunderstrike allows anyone with even brief access to install stealthy malware.
http://arstechnica.com/security/201...otkit-for-os-x-can-permanently-backdoor-macs/



I believe that something similar was posted in the iMac forum discussing a Thunderbolt security issue in 2012. The post by snare was quite interesting, but it appears that the attack has been developed since the last discussion.

Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems.

The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key.

While it would seem that physical access is needed, there might be a number of possible attack scenarios:

1. iMac or other non-portable Mac in an office where cleaners and other staff have access.
2. User operates a portable Mac in an office or other shared space, but doesn't keep it in sight at all times.
3. User purchases a used Mac including a shop demo.
4. User purchases refurbished Mac - can we be sure that Apple checks/reflashes firmware during the refurb process?
5. User purchases or attaches a used or untrusted Thunderbolt device.

More technical details here:
https://trmm.net/Thunderstrike_31c3

Hour-long presentation of the talk, describing the reverse engineering process and details, here:
https://www.youtube.com/watch?v=5BrdX7VdOr0

The video covers the same ground as the annotated version of the presentation, but helps if you want a better understanding of a complex (for most people) topic.
 
Just saw another article about this. It looks pretty bad. But someone has to get physical access to your Mac. Apple will probably find a way to correct this over time. I just wonder how long it will take. And I also wonder whether it's completely an Apple problem, or whether there's something on Intel's end that will need to be fixed.
 
Just saw another article about this. It looks pretty bad. But someone has to get physical access to your Mac. Apple will probably find a way to correct this over time. I just wonder how long it will take. And I also wonder whether it's completely an Apple problem, or whether there's something on Intel's end that will need to be fixed.

Physical access to the Mac would be the obvious method, and there were several methods mentioned in the Thunderstrike presentation, but physical access to the Thunderbolt monitor or another Thunderbolt device might be just as good.

Using a Thunderbolt monitor would be ideal, as it could be programmed to intermittently display something like:

Code:
Timeout error:
Please reboot your computer.

But it might not need to be an actual Thunderbolt monitor. The presentation mentions an overhead projector with an ALLOYVIPER decoy VGA adapter.

Here is another scenario:

1. You work in an office with a shared Thunderbolt monitor or some other Thunderbolt device.
2. One Mac in the office becomes infected with malware through an unpatched OS X vulnerability or social engineering.
3. The infected Mac flashes the shared Thunderbolt monitor.
4. You connect your MacBook, and if you boot while connected, your MacBook firmware is flashed.
5. In time the whole office is infected and even reformatting all the HDDs / SSDs will not repair the infected machines.
 