Trammell Hudson (@qrs) developed the Thunderstrike exploit based on inherent security issues with the way Apple validates, updates, and boots from the boot ROM. The exploit takes advantage of the fact that Apple's boot process has no hardware root of trust (the ROM is checked in software only, with no cryptographic check!). Since the Thunderbolt port provides a way to get code running when the system boots, it is possible to modify the boot ROM code.
Update 1/27/2015: Looks like Apple is patching the Boot ROM issue that Thunderstrike exploits in Mac OS X 10.10.2 (Yosemite). When 10.10.2 is available, update ASAP!
Trammell Hudson also did quite a bit of work on Canon camera firmware, which led to him releasing Magic Lantern in 2009, adding additional functionality to Canon cameras. Certainly, he has a bit of experience with hardware hacking. 🙂
“Magic Lantern is not a “hack”, or a modified firmware, it is an independent program that runs alongside Canon’s own software. Each time you start your camera, Magic Lantern is loaded from your memory card. Our only modification was to enable the ability to run software from the memory card.”
Trammell’s presentation is fantastic! Watch the video.
He describes Thunderstrike on his website:
Thunderstrike is the name for the Apple EFI firmware security vulnerability that allows a malicious Thunderbolt device to flash untrusted code to the boot ROM. It was presented at 31c3 and you can read an annotated version of the presentation or watch the hour long video.
Thunderstrike is worse than BadUSB and affects Apple MacBooks (Pro/Air/Retina) with Thunderbolt ports.
Thunderstrike in its current form has been effective against every MacBook Pro/Air/Retina with Thunderbolt that I’ve tested, which is most models since 2011. The proof of concept is hardcoded for the 10,1 system, but the underlying vulnerability seems to be present and is independent of OS X version. Weaponization to attack all the different models is within the means of a dedicated attacker.
Thunderstrike Key Points:
- Exploiting a Mac with Thunderstrike requires momentary physical access to plug a specially designed dongle into the Thunderbolt port. Think “evil maid” cleaning your hotel room while you are at breakfast.
- You can have an encrypted hard drive and a boot up password as well as other best practice security methods in place. Thunderstrike bypasses all of these.
- It can infect Thunderbolt devices in order to propagate. This is one mechanism by which it could be used to reach air-gapped networks.
“The Thunderstrike bootkit is also in a position to be able to flash new Option ROMs into attached Thunderbolt devices with its own exploit. Like Stuxnet, this capability allows it to spread virally across air-gap security perimeters through shared peripheral devices. Since so few users need the Option ROMs, the device remains fully functional, despite carrying the malicious payload. Implementing this functionality would need a minor amount of work to weaponize and port to various devices, but an attacker of modest means could easily do so.”
- FileVault keys and passwords for encrypted boot volumes can be extracted.
- This exploit can install an undetectable and unremovable bootkit that persists through hard drive replacement and OS reinstall.
- RSA public keys are changed in the boot ROM preventing replacement by Apple’s firmware update programs. Apple software updates can’t remove it.
- Since it modifies code used to boot the system, every method used to detect it at or after boot time can be subverted.
- Once installed, the Thunderstrike bootkit cannot be removed by software. A hardware in-system-programming device is the only way to restore the stock firmware.
- There is no cryptographic check of the boot ROM (and no hardware TPM chip), only a software-based boot-time crc32. This does not provide security validation; it only verifies that the ROM was flashed successfully.
- This is not a DMA attack – it uses a PCIe Option ROM at boot time to launch the attack against the firmware update system.
- This is not the “Option ROM” attack, but Thunderbolt Option ROMs can help in flashing new firmware of the attacker’s choosing by circumventing flash security.
“The Option ROM attack works like this: a Thunderbolt device that has been flashed with the exploit is plugged in and the system booted. The attacker’s code can hook any EFI or OS functions and do things like bypass firmware passwords, log keystrokes, install kernel backdoors, etc. This is the evil-maid attack described by Snare over two years ago, although this is not Thunderstrike: while an attacker can install a root kit to the drive, the Option ROM was loaded too late from the external device to be able to rewrite the ROM.”
- Supply chain attack – every MacBook your company purchases could be compromised and you would never know it.
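Two of the points above (the RSA public keys living in the rewritable boot ROM, and the crc32 being the only boot-time check) come down to the same design lesson: a check is only as trustworthy as the thing it is anchored to. The Go program below is an added illustration, not Hudson's code and not Apple's firmware; it models a firmware image as a toy struct with a body, an embedded public key, a crc32 and an Ed25519 signature (all constructed here, not the real EFI layout) and runs three checks against a vendor-built image and an attacker-built one. The crc32 check and a signature check against the key stored in the image both pass for the attacker's image, because the attacker wrote the whole image, key included; only a check against a key the firmware cannot overwrite (a constant standing in for a key fused into hardware or held by a TPM) rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Image is a toy stand-in for a boot ROM image. Everything in it, the public
// key included, sits in writable flash, which is exactly the problem the post
// describes. Constructed for this example; real EFI images differ entirely.
type Image struct {
	Body   []byte
	PubKey ed25519.PublicKey // verification key carried inside the writable image
	CRC    uint32            // crc32 over Body, stored in the image
	Sig    []byte            // signature over Body by whoever built the image
}

// Build produces a self-consistent image from a body and a signing key.
// A vendor and an attacker both call this; nothing distinguishes the result
// except which private key was used.
func Build(body []byte, priv ed25519.PrivateKey) Image {
	return Image{
		Body:   body,
		PubKey: priv.Public().(ed25519.PublicKey),
		CRC:    crc32.ChecksumIEEE(body),
		Sig:    ed25519.Sign(priv, body),
	}
}

// CheckCRC is the crc32-only boot-time check. It confirms the flash write
// was consistent and says nothing about who wrote it.
func CheckCRC(img Image) bool {
	return crc32.ChecksumIEEE(img.Body) == img.CRC
}

// VerifyEmbeddedKey checks the signature against the key stored in the image
// itself. An attacker who rewrites the image rewrites the key too, so this
// passes for any self-consistent image.
func VerifyEmbeddedKey(img Image) bool {
	return ed25519.Verify(img.PubKey, img.Body, img.Sig)
}

// VerifyAnchoredKey checks the signature against a key the firmware cannot
// overwrite (hardware-fused or TPM-held in a real design). Only the holder of
// the matching private key can build an image that passes.
func VerifyAnchoredKey(img Image, anchored ed25519.PublicKey) bool {
	return ed25519.Verify(anchored, img.Body, img.Sig)
}

// Demo builds one vendor image and one attacker image and returns, for each,
// the results of [CheckCRC, VerifyEmbeddedKey, VerifyAnchoredKey].
func Demo() (vendor, rogue [3]bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker's own key
	if err != nil {
		return
	}

	// Constructed sample bodies; the attacker's carries an extra "implant".
	good := Build([]byte("constructed sample EFI body v1.0"), vendorPriv)
	bad := Build([]byte("constructed sample EFI body v1.0 + implant"), attackerPriv)

	vendor = [3]bool{CheckCRC(good), VerifyEmbeddedKey(good), VerifyAnchoredKey(good, vendorPub)}
	rogue = [3]bool{CheckCRC(bad), VerifyEmbeddedKey(bad), VerifyAnchoredKey(bad, vendorPub)}
	return
}

func main() {
	vendor, rogue, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor image:   crc=%v embeddedKey=%v anchoredKey=%v\n", vendor[0], vendor[1], vendor[2])
	fmt.Printf("attacker image: crc=%v embeddedKey=%v anchoredKey=%v\n", rogue[0], rogue[1], rogue[2])
}
```

The attacker's image passes the first two checks and fails only the third, which is why the post says the crc32 "only verifies successful flashing" and why replacing the RSA keys stored in the ROM defeats Apple's updater: both the checksum and the keys were stored in the very region the attacker controls.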
Thunderstrike Overview: