New Apple Macs Vulnerable to Thunderstrike Bootkit via Thunderbolt

by Neil Sardesai, December 28, 2014

Back in 2011, Apple introduced Thunderbolt, a new I/O technology co-developed with Intel that promised speeds way faster than existing technologies like USB and FireWire. Since then, Thunderbolt has come standard on all Macs, enabling support for high-performance peripherals like Apple’s Thunderbolt Display.

However, security researcher Trammell Hudson has discovered a vulnerability in Apple’s EFI that can allow a malicious Thunderbolt device to flash its own code to the boot ROM (read-only memory). This type of low-level malware, called a “bootkit,” would be very difficult to remove or even detect. Hudson has developed a proof of concept bootkit called “Thunderstrike,” and will demonstrate it at the 31C3 conference on December 29th.


Thunderstrike: Another Thunderbolt Vulnerability

Image: A MacBook Pro with Thunderstrike

Thunderstrike requires physical access to the computer, since it uses Thunderbolt as the attack vector. The vulnerability allows for persistent firmware modifications to the EFI boot ROM. Since the malware would operate at such a low, near-hardware level, reinstalling OS X would not remove the bootkit. Replacing the hard drive wouldn’t work either. Furthermore, once installed, the bootkit could be nearly impossible to detect.

“There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it.”

Hudson’s proof of concept also replaces Apple’s public RSA key in the ROM. This means that the bootkit could deny firmware updates from Apple, as only updates signed with the bootkit’s private key would be accepted. The bootkit can also record the password entered to decrypt an encrypted boot volume, which can be used by the attacker to gain access into a FileVault-protected hard drive. What’s even more alarming is that Thunderstrike relies in part on an unpatched Thunderbolt vulnerability known for two years.
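The key-replacement point above is worth seeing concretely: an update-signature check is only as strong as the storage that holds the verifying key. The following simulation is an added example, not code from the article or from Hudson’s Thunderstrike; it uses a toy RSA scheme over constructed small primes (nothing resembling Apple’s real key, update format or ROM layout), and the `BootRom`, `apply_update`, `corrupt_flash` and `scenario` names are hypothetical. It models a write to the boot ROM that bypasses the update check, then compares a loader that reads its trust anchor from the same writable flash against one that reads it from immutable hardware.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA over tiny fixed primes: a constructed stand-in for a vendor's
# update-signing key, far too small for real use.
def make_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for the toy scheme."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def _digest(blob, n):
    # Hash the image and reduce into the toy modulus.
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(private, blob):
    n, d = private
    return pow(_digest(blob, n), d, n)

def verify(public, blob, sig):
    n, e = public
    return pow(sig, e, n) == _digest(blob, n)

# Constructed key pairs: the legitimate vendor and a hypothetical bootkit author.
VENDOR_PUB, VENDOR_PRIV = make_keypair(1000003, 1000033)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(1000037, 1000039)

# A key burned into hardware cannot be changed by any flash write.
HARDWARE_ANCHOR = VENDOR_PUB

@dataclass
class BootRom:
    """Writable flash holding the firmware and, in the weak design, the update-check key."""
    firmware: bytes
    update_key: tuple

def apply_update(rom, trust_anchor, image, sig):
    """Install image only if sig verifies under trust_anchor; return whether it was installed."""
    if not verify(trust_anchor, image, sig):
        return False
    rom.firmware = image
    return True

def corrupt_flash(rom, image, key):
    """Model a write that bypasses the update check entirely: everything in
    flash is reachable, including the stored verifying key."""
    rom.firmware = image
    rom.update_key = key

def scenario(anchor_in_hardware):
    """Run one boot-ROM life cycle and report which later updates the loader accepts."""
    rom = BootRom(b"vendor firmware v1", VENDOR_PUB)
    corrupt_flash(rom, b"bootkit firmware v1", ATTACKER_PUB)

    # Weak design: the loader trusts whatever key is sitting in flash right now.
    anchor = HARDWARE_ANCHOR if anchor_in_hardware else rom.update_key

    vendor_fw = b"vendor firmware v2"
    attacker_fw = b"bootkit firmware v2"
    vendor_ok = apply_update(rom, anchor, vendor_fw, sign(VENDOR_PRIV, vendor_fw))
    attacker_ok = apply_update(rom, anchor, attacker_fw, sign(ATTACKER_PRIV, attacker_fw))
    return {
        "vendor_update_accepted": vendor_ok,
        "attacker_update_accepted": attacker_ok,
        "firmware": rom.firmware,
    }

if __name__ == "__main__":
    print("key in flash:   ", scenario(anchor_in_hardware=False))
    print("key in hardware:", scenario(anchor_in_hardware=True))
```

With the key in flash, the vendor’s genuine update is rejected and only images signed by the replacement key get in, which is exactly the lock-out the paragraph describes; with the anchor in hardware, the vendor update lands and the attacker-signed one is refused. The simulation covers the update path only: it does nothing about the absence of a boot-time check of the firmware already in ROM, which is the separate problem Hudson’s quotes raise.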

What Can Mac Owners Do About Thunderstrike Right Now? Not Much.

Encrypting the hard drive obviously has no effect, since the malware wouldn’t be on the hard drive anyway. Macs also support firmware passwords, which prevent the computer from booting into a drive other than the one preinstalled in the computer, booting into single user mode, booting into target disk mode, or resetting the PRAM without a password. However, the Option ROM on the rogue Thunderbolt device is loaded before the firmware password is checked, so a firmware password is no help either. In fact, once the bootkit is installed, it can clear the firmware password. Interestingly, the same technique of installing Thunderstrike can’t be used to replace the modified boot ROM with a clean copy since Hudson’s proof of concept patches the vulnerability as part of replacing the boot ROM.

“A machine infected by the proof-of-concept is no longer vulnerable to itself.”

So at this point, it seems like the best Mac owners can do is watch out for who has physical access to their computers (or smash the Thunderbolt ports if you’re really paranoid). That being said, there are currently no known Mac bootkits “in the wild” aside from Thunderstrike. And since Thunderstrike is mainly a proof of concept, it doesn’t do anything particularly malicious other than changing the firmware lock screen logo.

“While the two year old Thunderbolt Option ROM vulnerability that this attack uses can be closed with a few byte patch to the firmware, the larger issue of Apple’s EFI firmware security and secure booting without trusted hardware is more difficult to fix.”

More details regarding Thunderstrike will be presented at 31C3.

Images from Shutterstock and Trammell Hudson.

  • somebody

    Ha ha!

  • Timo Bilderberg

    Got goxxed

  • tronspecial

    So … why doesn’t “someone” develop a non-malicious version of this, which fixes the vulnerability (as described in the article) without actually breaking anything else?

    • tronspecial

      (and sell it for much profit to paranoid mac owners)

  • PacketWraith

    I hope this doesn’t surprise anyone. I am a Mac guy, I love my MacBook Pro. But I am in security too, and for years no one would even hear tell that Mac was vulnerable to a host of things.
    In my mind, this means 2 things.
    1. Mac has finally gained enough market share that people are taking the threat seriously.
    2. Apple may finally have to pay attention and start fixing these things.

  • ł

    Hello, such treacherous loopholes exist for a precise purpose; no honest company really caring about its customers’ security properly would leave its users’ computer arseholes that wide open. Please, for your own good, picture now an Apple going all the way up, from behind »O and maybe there are more!