Thunderstrike - firmware bootkit for Macs
January 16, 2015 8:37 PM

At 31C3 I presented Thunderstrike (1 hour video), a proof-of-concept exploit against an EFI security vulnerability that allows an attacker to write possibly malicious code in the boot ROM of MacBooks via the Thunderbolt port. The bootkit can be easily installed by an evil maid or border-crossing agent given a few minutes alone with the laptop, regardless of firmware passwords or disk encryption, and can survive reinstallation of OS X as well as hard drive replacements. Once installed, it can hide from attempts to detect it, prevent software attempts to remove it and spread virally across air gaps by infecting additional Thunderbolt devices.

I've written a FAQ and compiled a list of media writeups. Of those, Rich Mogull wrote a well-written two-part article, the first of which, Thunderstrike Proof-of-Concept Attack Serious, but Limited, pointed out how unlikely such an attack was against normal users, and the second, Your Risk Isn't My Risk, in which he describes how this sort of vulnerability could be used in a targeted attack. One of the best tl;dr descriptions was by Kaspersky:
There is no room for doubt here: Thunderstrike, like all boot- and rootkits, is a nasty threat that can wrest control over everything you do on your computer. You can think of it as the Ebola of computer threats: catching the disease carries devastating consequences, but the likelihood of becoming infected is relatively small.
Role: Programmer
posted by autopilot (7 comments total)

Oh, hey! I saw and really enjoyed this talk, but didn't realize you were a mefite. Excited to play around and see if I can make the option ROM-disabling firmware modification you mention.

On that note, I got the impression from your talk and Q&A that no even remotely modern devices actually use this feature... do you have any idea why Apple continues to leave the "feature" in? Is there actually a case for backwards compatibility?
posted by caaaaaam at 1:45 PM on January 17, 2015

I'm really not sure why they leave the feature in. The device I used in my demo, the Gigabit adapter, already has the driver bundled in the boot ROM, so the Option ROM is unused. Likewise the GPU and SATA controller (in the SSD) don't use their Option ROMs.

Those devices worry me, since they are installed in many systems. A root exploit could conceivably write malicious code into the GPU or SSD's Option ROM, trigger a reboot and install itself into the boot ROM. That would escalate from an evil-maid attack used against high value targets to potentially a much wider, less discriminate infection.
posted by autopilot at 3:56 PM on January 17, 2015
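For readers who want to see what the firmware is actually looking at when it loads an Option ROM from a Thunderbolt or PCIe device, here is an added example (written for this page, not part of Thunderstrike or autopilot's code). It walks the chain of PCI expansion ROM images by their 0x55AA header and PCIR data structure, as laid out in the PCI Firmware Specification, and flags the images with code type 3 and the 0x0EF1 EFI signature, which are the ones an EFI firmware would execute before the OS starts. The ROM bytes are constructed inline: a legacy x86 image followed by an EFI x64 driver image. The vendor ID, device ID and class code in it are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One image in a PCI expansion ROM. Code types per the PCI Firmware Spec:
 * 0 = x86 PC-AT BIOS, 1 = Open Firmware, 2 = HP PA-RISC, 3 = EFI. */
typedef struct {
    size_t   offset, length;       /* byte offset in ROM; PCIR image length * 512 */
    uint16_t vendor_id, device_id;
    uint32_t class_code;           /* 24-bit class code, same layout as config space */
    uint8_t  code_type;
    int      is_efi;               /* code type 3 and EFI signature 0x0EF1 present */
    uint16_t efi_subsystem;        /* 0x0B boot service driver, 0x0C runtime driver */
    uint16_t efi_machine;          /* PE machine type, e.g. 0x8664 for x64 */
    uint16_t efi_compression;      /* 0 uncompressed, 1 UEFI compressed */
} rom_image;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Walk chained images until one carries the "last image" indicator.
 * Returns the number of images parsed, or -1 if the ROM is malformed
 * (bad signature, PCIR or image running past the buffer, no last image). */
int parse_option_rom(const uint8_t *rom, size_t len, rom_image *out, size_t max_images)
{
    size_t off = 0;
    int n = 0;
    for (;;) {
        if (n >= (int)max_images || off + 0x1A > len) return -1;
        if (rd16(rom + off) != 0xAA55) return -1;          /* bytes 0x55 0xAA */
        size_t pcir = off + rd16(rom + off + 0x18);         /* pointer to PCIR */
        if (pcir + 0x18 > len || memcmp(rom + pcir, "PCIR", 4) != 0) return -1;
        size_t img_len = (size_t)rd16(rom + pcir + 0x10) * 512;
        if (img_len == 0 || off + img_len > len) return -1;
        rom_image *im = &out[n++];
        memset(im, 0, sizeof *im);
        im->offset     = off;
        im->length     = img_len;
        im->vendor_id  = rd16(rom + pcir + 0x04);
        im->device_id  = rd16(rom + pcir + 0x06);
        im->class_code = rd32(rom + pcir + 0x0C) >> 8;      /* 3 bytes at 0x0D..0x0F */
        im->code_type  = rom[pcir + 0x14];
        if (im->code_type == 3 && rd32(rom + off + 0x04) == 0x0EF1) {
            im->is_efi          = 1;
            im->efi_subsystem   = rd16(rom + off + 0x08);
            im->efi_machine     = rd16(rom + off + 0x0A);
            im->efi_compression = rd16(rom + off + 0x0C);
        }
        if (rom[pcir + 0x15] & 0x80) return n;               /* indicator bit 7: last image */
        off += img_len;
    }
}

/* Constructed sample: 512-byte legacy x86 image, then a 1 KiB EFI x64 image,
 * like a card that boots both BIOS and EFI hosts. IDs are placeholders. */
static uint8_t sample_rom[512 + 1024];

static void put_pcir(uint8_t *p, uint8_t code_type, uint16_t units, int last)
{
    memcpy(p, "PCIR", 4);
    p[0x04] = 0x34; p[0x05] = 0x12;              /* vendor 0x1234 (placeholder) */
    p[0x06] = 0x78; p[0x07] = 0x56;              /* device 0x5678 (placeholder) */
    p[0x0A] = 0x18;                              /* PCIR length 24 */
    p[0x0C] = 0x03;                              /* PCIR revision 3 */
    p[0x0F] = 0x02;                              /* class 0x020000: network controller */
    p[0x10] = (uint8_t)units; p[0x11] = (uint8_t)(units >> 8);
    p[0x14] = code_type;
    p[0x15] = last ? 0x80 : 0x00;
}

const uint8_t *build_sample_rom(size_t *len)
{
    memset(sample_rom, 0, sizeof sample_rom);
    uint8_t *legacy = sample_rom;
    legacy[0] = 0x55; legacy[1] = 0xAA;
    legacy[2] = 1;                               /* init size: 1 x 512 bytes */
    legacy[3] = 0xEB; legacy[4] = 0xFE;          /* x86 entry: jmp $, stands in for real code */
    legacy[0x18] = 0x1C;                         /* PCIR offset */
    put_pcir(legacy + 0x1C, 0, 1, 0);

    uint8_t *efi = sample_rom + 512;
    efi[0] = 0x55; efi[1] = 0xAA;
    efi[2] = 2;                                  /* init size: 2 x 512 bytes */
    efi[4] = 0xF1; efi[5] = 0x0E;                /* EFI signature 0x0EF1 */
    efi[8] = 0x0B;                               /* subsystem: EFI boot service driver */
    efi[0x0A] = 0x64; efi[0x0B] = 0x86;          /* machine type 0x8664 (x64) */
    efi[0x16] = 0x40;                            /* PE/COFF image starts at +0x40 */
    efi[0x18] = 0x1C;
    put_pcir(efi + 0x1C, 3, 2, 1);
    *len = sizeof sample_rom;
    return sample_rom;
}

int main(void)
{
    size_t len;
    const uint8_t *rom = build_sample_rom(&len);
    rom_image imgs[8];
    int n = parse_option_rom(rom, len, imgs, 8);
    if (n < 0) { puts("malformed ROM"); return 1; }
    for (int i = 0; i < n; i++)
        printf("image %d @%zu len %zu vendor %04x device %04x class %06x type %u%s\n",
               i, imgs[i].offset, imgs[i].length, imgs[i].vendor_id, imgs[i].device_id,
               imgs[i].class_code, imgs[i].code_type, imgs[i].is_efi ? " (EFI driver)" : "");
    return 0;
}
```

Run against a dumped expansion ROM instead of the constructed one, the same walk answers the first question a defender has about an attached device: does it carry an EFI image the firmware will run at all, and for which machine type.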

Ever think what you could accomplish if you decided to use your powers for good?

Or, seriously, is there any fear that now that you have put this out there others will use it for evil?
posted by cjorgensen at 11:19 AM on January 20, 2015

Good work! I'm also surprised you're a mefite!
posted by Pronoiac at 11:08 PM on January 23, 2015

Ever think what you could accomplish if you decided to use your powers for good?

Or, seriously, is there any fear that now that you have put this out there others will use it for evil?

It's entirely possible that others already were using it, but now we, and Apple, know about it, the vulnerability can be dealt with. This is how computer security works.
posted by zamboni at 11:26 AM on January 26, 2015

Apple has released a new version of Yosemite, so I've added a FAQ entry to answer whether Thunderstrike is fixed in 10.10.2:
This change does prevent the current proof of concept of Thunderstrike from being able to rewrite the ROMs. The change log does not mention downgrade prevention, although reports in the media are that this boot ROM version will prevent rolling back to vulnerable versions. All pre-Yosemite machines remain vulnerable to Thunderstrike unless Apple releases firmware updates for them as well.
However, this firmware version is still vulnerable to Snare's 2012 attack against boot.efi since the systems will continue to load Option ROMs from attached Thunderbolt devices during normal boots. This means that a customs official or other evil-maid attacker can still bypass firmware passwords and install backdoors into your system before OS X is started.
I'm not sure why there isn't a way to disable Option ROMs (and preferably all PCIe functions) on the Thunderbolt port for security conscious users. And, without hardware modifications to verify the bootrom, the machines are still potentially vulnerable to having someone re-write the SPI flash chip via an in-system programmer. That particular attack is really unlikely other than targeted access operations, so perhaps they don't feel it is necessary to protect against.
posted by autopilot at 6:19 PM on January 29, 2015

This attack may *already* be being used for evil. The NSA has a specific project to build exploits like this which aims to be able to exploit everything. The idea that they wouldn't have put a team on one of the most widely used portable computing platforms out there is ludicrous. This, or another attack, would already be in their arsenal.
posted by pharm at 1:26 AM on January 30, 2015
