Apple THUNDERBOLT SECURITY EXPLOIT DANGER Ping!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 01/08/2015 7:21:49 PM PST by Swordmaker
If you want on or off the Mac Ping List, Freepmail me.
Greater functionality (like loading code through a port) is always paired with potential security issues. Sounds like Apple is addressing them.
It's an interesting demo, but I wouldn't spend a millisecond worrying about it, as long as the machine isn't being physically attacked.
Please disregard my prior post, Everyone.
As far as is known, this exploit is NOT in the wild at this time. . . but now that it has been demonstrated, it is only a matter of time. The saving grace is that it requires the malicious hacker to have physical access to your computer to accomplish this hack. . . but once it is done, there is NO WAY for the user to know it was done! There is no way for the user to recover aside from having the system ROMs re-flashed. . . which is something very difficult to do. Don't let your maid have access to your computer. LOL. . . of trust your household workers very well. . . not to mention your friends!
It is possible that the NSA knows about this already. . . and could have compromised computers. However, there were already means to do this without involving Thunderbolt if one had physical access to the computer. For example, with physical access, hardware bugs could be installed in the computer, mouse, cables or keyboard that would accomplish the same things. This is just one more level more sneaky.
Very interesting. The chances are non-zero that a malicious manufacturer, or a manufacturer whose production line has been compromised, could produce Thunderbolt products that might fit that description. They wouldn't even have to persuade the user -- hell, the user would pay for the privilege of getting pwned, by purchasing the compromised device.
Hmmmm. Maybe I'll reconsider my comment above....
Your question was a good one. It deserved an answer.
Thank You ... Lord, we’ll never round up all the suspects ... Don’t want to be an alarmist so will remain quiet as best as can ... which usually isn’t too quiet. Appreciate the info!
This article’s got me wondering about potential USB exploit vulnerabilities on shared computers at, for example, your local library. My local branch kept having its wifi ID changed by the kids until I showed the librarian how to set the router’s admin password to something other than the factory default.
It would not happen for long. . . the reviewers would discover the ploy and the company who was selling such a device would be sued out of business. Apple is closing the vulnerability even as we speak by doing certificate and check-sum checking routines on something that had not been thought necessary before. That should put a stop to this particular approach. They are also closing off changing of the ROMs during boot up of Thunderbolt devices to further close the door to this exploit. All common sense revisions to the system.
I wonder if anyone has gone through the USB and other ports looking for similar possibilities with a fine-tooth comb? I note that someone has discovered that Android devices using Thunderbolt are also susceptible to this exploit as it is inherent in the Thunderbolt standard developed by Intel. That probably means that any computer using a Thunderbolt interface has the same problem.
LOL!
Swordmaker, I know your business involves all the operating systems, and that you are our go-to-guy when we get in trouble, or are scared by all the FUD being tossed around out there in the wild west of the internet.
I have a question. It seems to me that there is a ratcheting up of all these “scare” articles about Macs/Apple/and their OS. I am wondering why.
This is probably a philosophical or political question, and may be impossible to answer. But, do you have any opinions?
Could it be related to Apple’s decision to make it impossible for .gov to get our info from them? Or, do they not pay enough in “tribute” to .gov? Or, is it just corporate competition between “brands”?
I just can’t understand the food fights on FR over the choice of which Computer/Operating System to use. It is as bad as “the Hatfields and McCoys”, and equally pointless, since people and businesses have uniquely different budgets, requirements, and needs. One size or system cannot work for all.
Your thoughts would be much appreciated.
I’ve seen speculation that e-cigarettes plugged into a USB port for charging could be used to infect a machine. Since I only charge mine with an AC charger, I can only hope that PG&E doesn’t pick up any malware from it. :=)
The last ID that the kids set was “My butt claps”. Things could have gotten much, much worse.
i’m good.....:o)
Stay Safe ........
You’re right about physical access, but most users don’t think that plugging in that new external hard drive they just bought could be a security risk. Back a few months ago when FTDI was threatening to brick machines using counterfeit USB chips, they were concerned with IP and lost revenue from counterfeiters, but the reality is, if a work-alike device can masquerade as a USB controller, it can do other evil things if someone wanted to. Old-fashioned serial and parallel ports had to be polled but starting with USB and now Thunderbolt, it’s a different ballgame.
You, Sir, said a mouthful with that. I've seen with my own eyes what an infected USB Flash drive can do, instantly and silently; fortunately it was plugged into the company's air-gapped "Quarantine Machine" because it was of unknown provenance. And right we were. The anti-virus on the QM picked up an attempt to write to the boot sector of the hard drive.
Correct me if am wrong ... Are we looking at chinese production lines, thereby any cpu manufactured in china is suspect or eventually will be suspect once wild becomes embedded or technically before embedded occurs? Think know the answer and would answer yes ... thereby Mac is screwed, as are all the Sallys (all cpu’s) out there. Too bad we moved our manufacture base outside. Another sideline for those wishing us harm. Matter of time, exponentially.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.