Posted on 01/08/2015 7:21:49 PM PST by Swordmaker
According to a recent security presentation, attackers could infect Macintosh computers with a special kind of malware using the computer's Thunderbolt port.
The attack, dubbed Thunderstrike, was showcased by security researcher Trammell Hudson at the Chaos Communications Congress in Germany. Hudson is well known in the security community, particularly for his work reverse-engineering various devices and systems.
You can watch Hudson's entire presentation and read an annotated version of the talk, but the gist is that the attack takes advantage of a Thunderbolt flaw that allows custom code like a bootkit to be written to the system using the Thunderbolt port.
Thunderstrike takes advantage of a flaw in the Thunderbolt Option ROM that was first disclosed in 2012. Hudson's proof-of-concept goes a number of steps further (past attempts to exploit the flaw by writing new code to the ROM at boot left researchers with bricked machines).
Ultimately, it shows that an attacker could use the Thunderbolt port to install a custom bootkit. This bootkit could even replicate itself to any other Thunderbolt-attached device, which means it could spread across networks.
The scary thing is that because this code is in its own separate ROM, the attack can't be stopped by re-installing OS X or swapping out the hard drive.
Hudson even showed that he could replace the cryptographic keys Apple uses for signing firmware with another key, which would prevent future legitimate firmware updates from being installed.
Scary, but there is some good news
Hudson's work is impressive, if scary. Anytime there are vulnerabilities at the lowest levels of system access, users should be concerned about potential threats.
That said, regular users don't need to fear Thunderstrike. As far as Hudson knows, there are no Mac firmware bootkits in the wild. Right now, it exists only as a proof-of-concept.
Apple has already patched part of the vulnerability in the most recent Mac mini and on the iMac with 5K Retina Display.
It should also be noted that this sort of exploit requires physical access to a machine. You can't download the malware through other software.
That said, the nature of this sort of vulnerability just highlights that computer security is as much about access control as it is about passwords and hardened software.
If you want on or off the Mac Ping List, Freepmail me.
Greater functionality (like loading code through a port) is always paired with potential security issues. Sounds like Apple is addressing them.
It's an interesting demo, but I wouldn't spend a millisecond worrying about it, as long as the machine isn't being physically attacked.
Please disregard my prior post, Everyone.
As far as is known, this exploit is NOT in the wild at this time. . . but now that it has been demonstrated, it is only a matter of time. The saving grace is that it requires the malicious hacker to have physical access to your computer to accomplish this hack. . . but once it is done, there is NO WAY for the user to know it was done! There is no way for the user to recover aside from having the system ROMs re-flashed. . . which is something very difficult to do. Don't let your maid have access to your computer. LOL. . . or trust your household workers very well. . . not to mention your friends!
It is possible that the NSA knows about this already. . . and could have compromised computers. However, there were already means to do this without involving Thunderbolt if one had physical access to the computer. For example, with physical access, hardware bugs could be installed in the computer, mouse, cables or keyboard that would accomplish the same things. This is just one more level more sneaky.
Very interesting. The chances are non-zero that a malicious manufacturer, or a manufacturer whose production line has been compromised, could produce Thunderbolt products that might fit that description. They wouldn't even have to persuade the user -- hell, the user would pay for the privilege of getting pwned, by purchasing the compromised device.
Hmmmm. Maybe I'll reconsider my comment above....
Your question was a good one. It deserved an answer.
Thank You ... Lord, we’ll never round up all the suspects ... Don’t want to be an alarmist so will remain quiet as best as can ... which usually isn’t too quiet. Appreciate the info!
This article’s got me wondering about potential USB exploit vulnerabilities on shared computers at, for example, your local library. My local branch kept having its wifi ID changed by the kids until I showed the librarian how to set the router’s admin password to something other than the factory default.
It would not happen for long. . . the reviewers would discover the ploy and the company who was selling such a device would be sued out of business. Apple is closing the vulnerability even as we speak by doing certificate and check-sum checking routines on something that had not been thought necessary before. That should put a stop to this particular approach. They are also closing off changing of the ROMs during boot up of Thunderbolt devices to further close the door to this exploit. All common sense revisions to the system.
I wonder if anyone has gone through the USB and other ports looking for similar possibilities with a fine-tooth comb? I note that someone has discovered that Android devices using Thunderbolt are also susceptible to this exploit as it is inherent in the Thunderbolt standard developed by Intel. That probably means that any computer using a Thunderbolt interface has the same problem.
LOL!
Swordmaker, I know your business involves all the operating systems, and that you are our go-to-guy when we get in trouble, or are scared by all the FUD being tossed around out there in the wild west of the internet.
I have a question. It seems to me that there is a ratcheting up of all these “scare” articles about Macs/Apple/and their OS. I am wondering why.
This is probably a philosophical or political question, and may be impossible to answer. But, do you have any opinions?
Could it be related to Apple’s decision to make it impossible for .gov to get our info from them? Or, do they not pay enough in “tribute” to .gov? Or, is it just corporate competition between “brands”?
I just can’t understand the food fights on FR over the choice of which Computer/Operating System to use. It is as bad as “the Hatfields and McCoys”, and equally pointless, since people and businesses have uniquely different budgets, requirements, and needs. One size or system cannot work for all.
Your thoughts would be much appreciated.
I’ve seen speculation that e-cigarettes plugged into a USB port for charging could be used to infect a machine. Since I only charge mine with an AC charger, I can only hope that PG&E doesn’t pick up any malware from it. :=)
The last ID that the kids set was “My butt claps”. Things could have gotten much, much worse.
i’m good.....:o)
Stay Safe ........
You’re right about physical access, but most users don’t think that plugging in that new external hard drive they just bought could be a security risk. Back a few months ago when FTDI was threatening to brick machines using counterfeit USB chips, they were concerned with IP and lost revenue from counterfeiters, but the reality is, if a work-alike device can masquerade as a USB controller, it can do other evil things if someone wanted to. Old-fashioned serial and parallel ports had to be polled but starting with USB and now Thunderbolt, it’s a different ballgame.
You, Sir, said a mouthful with that. I've seen with my own eyes what an infected USB Flash drive can do, instantly and silently; fortunately it was plugged into the company's air-gapped "Quarantine Machine" because it was of unknown provenance. And right we were. The anti-virus on the QM picked up an attempt to write to the boot sector of the hard drive.
Correct me if I am wrong ... Are we looking at chinese production lines, thereby any cpu manufactured in china is suspect or eventually will be suspect once wild becomes embedded or technically before embedded occurs? I think I know the answer and would answer yes ... thereby Mac is screwed, as are all the Sallys (all cpu’s) out there. Too bad we moved our manufacture base outside. Another sideline for those wishing us harm. Matter of time, exponentially.