New Apple Macs Vulnerable to Thunderstrike Bootkit via Thunderbolt

Back in 2011, Apple introduced Thunderbolt, a new I/O technology co-developed with Intel that promised speeds way faster than existing technologies like USB and FireWire. Since then, Thunderbolt has come standard on all Macs, enabling support for high-performance peripherals like Apple’s Thunderbolt Display.

However, security researcher Trammell Hudson has discovered a vulnerability in Apple’s EFI that can allow a malicious Thunderbolt device to flash its own code to the boot ROM (read-only memory). This type of low-level malware, called a “bootkit,” would be very difficult to remove or even detect. Hudson has developed a proof of concept bootkit called “Thunderstrike,” and will demonstrate it at the 31C3 conference on December 29th.

Thunderstrike: Another Thunderbolt Vulnerability

Image: A MacBook Pro with Thunderstrike

Thunderstrike requires physical access to the computer, since it uses Thunderbolt as the attack vector. The vulnerability allows persistent modification of the firmware in the EFI boot ROM. Since the malware would operate at such a low, near-hardware level, reinstalling OS X would not remove the bootkit. Replacing the hard drive wouldn’t work either. Furthermore, once installed, the bootkit could be nearly impossible to detect.

“There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it.”

Hudson’s proof of concept also replaces Apple’s public RSA key in the ROM. This means that the bootkit could deny firmware updates from Apple, as only updates signed with the bootkit’s private key would be accepted. The bootkit can also record the password entered to decrypt an encrypted boot volume, which can be used by the attacker to gain access into a FileVault-protected hard drive. What’s even more alarming is that Thunderstrike relies in part on an unpatched Thunderbolt vulnerability known for two years.

What Can Mac Owners Do About Thunderstrike Right Now? Not Much.

Encrypting the hard drive obviously has no effect, since the malware wouldn’t be on the hard drive anyway. Macs also support firmware passwords, which prevent the computer from booting into a drive other than the one preinstalled in the computer, booting into single user mode, booting into target disk mode, or resetting the PRAM without a password. However, the Option ROM on the rogue Thunderbolt device is loaded before the firmware password is checked, so a firmware password is no help either. In fact, once the bootkit is installed, it can clear the firmware password. Interestingly, the same technique of installing Thunderstrike can’t be used to replace the modified boot ROM with a clean copy since Hudson’s proof of concept patches the vulnerability as part of replacing the boot ROM.

“A machine infected by the proof-of-concept is no longer vulnerable to itself.”

So at this point, it seems like the best Mac owners can do is watch out for who has physical access to their computers (or smash the Thunderbolt ports if you’re really paranoid). That being said, there are currently no known Mac bootkits “in the wild” aside from Thunderstrike. And since Thunderstrike is mainly a proof of concept, it doesn’t do anything particularly malicious other than changing the firmware lock screen logo.

“While the two year old Thunderbolt Option ROM vulnerability that this attack uses can be closed with a few byte patch to the firmware, the larger issue of Apple’s EFI firmware security and secure booting without trusted hardware is more difficult to fix.”
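The two points the article makes about trust anchors, that nothing verifies the boot ROM at boot time and that a bootkit which replaces the RSA key in ROM can then reject the vendor's own updates, modelled as an added example. This is illustrative Python written for this page, not Hudson's code or Apple's firmware: it uses constructed toy textbook-RSA keys (tiny primes, not secure) and an assumed "platform key" held outside the writable ROM to show why a key stored only in the ROM can be swapped out, and how a check rooted outside the ROM catches the modification.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy textbook-RSA keys (tiny primes, illustration only): VENDOR models
# the firmware vendor's update-signing key, OTHER a second key the vendor never trusted.
VENDOR_N, VENDOR_E, VENDOR_D = 3233, 17, 2753   # p=61, q=53
OTHER_N, OTHER_E, OTHER_D = 3127, 3, 2011       # p=53, q=59

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == digest(data, n)

@dataclass
class BootRom:
    code: bytes
    update_pubkey: tuple  # (n, e): the only key the ROM consults for updates

def update_accepted(rom: BootRom, image: bytes, sig: int) -> bool:
    # The ROM's own update check: it trusts whatever key is stored in the ROM itself.
    return verify(image, sig, *rom.update_pubkey)

def rom_blob(rom: BootRom) -> bytes:
    return rom.code + b"|" + repr(rom.update_pubkey).encode()

def hardware_verified_boot(rom: BootRom, rom_sig: int, platform_key: tuple) -> bool:
    # Assumed mitigation: a key held outside the writable ROM validates the whole ROM
    # image, embedded update key included, before any ROM code runs.
    return verify(rom_blob(rom), rom_sig, *platform_key)

def scenario() -> dict:
    platform_key = (VENDOR_N, VENDOR_E)
    rom = BootRom(code=b"efi-v1", update_pubkey=(VENDOR_N, VENDOR_E))
    factory_sig = sign(rom_blob(rom), VENDOR_N, VENDOR_D)  # ROM signed at manufacture
    update, vendor_sig = b"efi-v2", sign(b"efi-v2", VENDOR_N, VENDOR_D)
    result = {"clean_rom_boots": hardware_verified_boot(rom, factory_sig, platform_key),
              "vendor_update_before": update_accepted(rom, update, vendor_sig)}
    # Effect the article describes: the key embedded in ROM is replaced, so the ROM's
    # own check now rejects the vendor's updates and accepts ones under the other key.
    rom.update_pubkey = (OTHER_N, OTHER_E)
    result["vendor_update_after"] = update_accepted(rom, update, vendor_sig)
    result["other_key_update_after"] = update_accepted(rom, update, sign(update, OTHER_N, OTHER_D))
    # The externally rooted check still fails: the ROM blob no longer matches its signature.
    result["modified_rom_boots"] = hardware_verified_boot(rom, factory_sig, platform_key)
    return result
```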

More details regarding Thunderstrike will be presented at 31C3.

Images from Shutterstock and Trammell Hudson.


6 Comments

  1. somebody

    December 28, 2014 at 9:26 am

    Ha ha!

  2. Timo Bilderberg

    December 28, 2014 at 9:24 pm

    Got goxxed

  3. tronspecial

    December 29, 2014 at 7:58 pm

    So … why doesn’t “someone” develop a non-malicious version of this, which fixes the vulnerability (as described in the article) without actually breaking anything else?

    • tronspecial

      December 29, 2014 at 7:58 pm

      (and sell it for much profit to paranoid mac owners)

  4. PacketWraith

    January 2, 2015 at 2:04 pm

    I hope this doesn’t surprise anyone. I am a Mac guy; I love my MacBook Pro. But I am in security too, and for years no one would even hear tell that a Mac was vulnerable to a host of things.
    In my mind, this means 2 things.
    1. Mac has finally gained enough market share that people are taking the threat seriously.
    2. Apple may finally have to pay attention and start fixing these things.

  5. ł

    January 2, 2015 at 4:04 pm

    Hello, such treacherous loopholes exist for a precise purpose; no honest company really caring about its customers’ security properly would leave its users’ computer arseholes that wide open. Please, for your own good, picture now an Apple going all the way up, from behind »O and maybe there are more!


Israeli Researchers Turn Speakers/Headphones Into Eavesdropping Microphones


In the current age, even the most secure software and the best security practices might not be enough to prevent someone from being spied upon. Researchers continue to find novel and inventive ways to gather more data on everyday computer users, and the latest research from Israel’s Ben Gurion University is exceptional in this regard.

Using software alone, Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici were able to convert a given pair of headphones or speakers into Orwellian microphones beyond the user’s control or ability to patch. Their method [PDF] exploits a flaw in RealTek hardware chips, which are one of the most widely used chips in motherboards around the world. Companies like Dell, HP, and Compaq regularly utilize RealTek’s industry standard audio chips in their products. Beyond that, motherboards sold to consumers wishing to build their own systems often also include the hardware.

A simple patch or firmware upgrade will not fix this flaw, making the exploit particularly delightful to intelligence agencies, profit-motivated hackers (think boardroom conference calls), and others. Basically, anywhere a computer has an audio output, which in the case of laptops is everywhere, audio can now be intercepted and then relayed with roughly the same quality as if a microphone itself had been compromised. The images of people like Mark Zuckerberg covering up their webcam and microphone with electrical tape now seem trivial.

Jack re-tasking – the process of converting an output jack to either an input or a two-way port – has long been a possibility, but few developers make use of it. Most laptops and desktops will have separate ports for each, while smartphones and the like often require hardware that can do both. But the innovation on the part of Ben Gurion’s researchers involves making any regular output hardware capable of doing as much with only software. They write:

The fact that headphones and earphones are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically from output to input, creates a vulnerability which can be abused by hackers.

The researchers noticed that the design of most audio input and output hardware was basically identical at the metal, drawing the following illustration for clarification:

Source: Ben-Gurion University of the Negev Cyber Security Research Center

One saving grace is that the audio output device must be “passive,” or unpowered. This means that if your speakers require power to work, they cannot currently be used to listen to you. However, the vast majority of laptop speakers and earbuds are, by nature and necessity, passive. The researchers note that while they focused on RealTek codec hardware because of its popularity, other manufacturers’ chips also have the ability to retask jacks, which is the heart of the exploit.

While this may seem scary at first, it should be noted that, like anything else on your computer, audio input and output are data. They can therefore be encrypted with keys that are local to the machine, and it would seem that this new exploit opens up a new avenue of research for cryptographic researchers to institute audio encryption in the same way that full-disk encryption has become normalized.

Here is a demonstration of the method in action:


Chinese Physicists Achieve Record-Breaking Quantum Cryptography Breakthrough


Researchers at the University of Science and Technology of China and other Chinese labs, with the collaboration of a lab in the US, have implemented a secure quantum protocol known as Measurement-Device-Independent Quantum Key Distribution (MDIQKD), suitable for practical networks and devices, over a distance of 404 km. The breakthrough, which doubles the previous MDIQKD record, opens the door to secure wide area quantum communication networks.


Dot: Precision Tracking Hardware Makes Your Smartphones Smarter


A team of five Berkeley engineers has developed a new hardware product that utilizes precision location tracking to make smartphone notifications highly intelligent and contextual.

In the technology-minded world that we live in it’s nearly impossible to walk down the street without encountering someone on their phone. However, with the amount of information that we store in our phones it can be difficult to filter out what’s important and what’s not.

This is where Dot enters the scene.


Developed by startup Iota Labs, Dot is a physical push notification that informs your smartphone where you are so that it can determine your patterns and behaviors in the locations that make up your world. This could be your living room, bedroom, place of work, car, or garage.

The team behind the creation have made it so that it serves a dual purpose. The first is to provide ultra-precise location data to your smartphone. The second is to permit users to create extensible, interactive interfaces anywhere.

Speaking to Hacked, Rahul Ramakrishnan, co-founder of Iota Labs, said that the idea behind Dot came up over a year ago through a combination of two events. The first was when he and a fellow co-founder of Iota Labs were at a restaurant and witnessed a family constantly checking their phones instead of paying attention to each other.

He said:

Then we watched 2001: A Space Odyssey with Hal 9000 and thought that it would be awesome if there was some sort of personal secretary that streamlines your life and your phone.

After getting into the Foundry, a startup accelerator on Berkeley’s campus focused on hardware startups, in October 2015, the team, who at the time were all undergraduate students, received some funding from the Foundry team to make their idea a possibility.

From October to May, the team focused on the product development and from June 2016 they turned their attention to their Kickstarter campaign for an August launch. At the close of their Kickstarter campaign yesterday, the team managed to raise over $115,000 with more than 1,700 backers, and according to Ramakrishnan, nearly 5,000 units have been pre-ordered.

He said:

Our product is out there and people seem to like [it].

How Does It Work?

While the idea behind Dot may not have taken long to design, executing it took the team around nine months, largely in order to achieve its small size. Within the small piece of hardware, though, is a Bluetooth Low Energy chip and an LED. Thanks to the proximity sensor within the Dot, it can track your location within a 200-foot range of your smartphone as it communicates with the iOS and Android apps.

According to Ramakrishnan, the Dot acts as a beacon that triggers functions on a smartphone such as notifications or app launching. A smartphone can also communicate to the Dot by turning on the LED to different colors or changing the blink rates, based on what is set on the app.

Ramakrishnan added:

All of this occurs when you are within range of a Dot and triggers actions on your phone, making it contextual and intelligent.

What Does It Do?

As most people tend to have different uses for their phone, the team at Dot realized that they needed to ensure that Dot was equipped with an endless amount of applications to fulfil people’s needs.

Some of the applications Dot has are: digital post-it notes, which allow you to post a message on a Dot for another person to see when they come in range; smart home control, which gives you control over your home devices, such as turning a light on or off; contextual app launching, which enables the Dot to open apps on your smartphone that you use frequently in certain areas; location notification, which allows a Dot to have your smartphone send you updates when you walk into a new area; and LED colour changes, which let a Dot track certain reminders based on the color of the Dot.

The team is hoping that with the use of the Dot it will help to streamline people’s lives by eliminating the clutter that a smartphone provides.

Ramakrishnan stated:

This will free the user to take action only when it’s readily available based on where they are and what they are doing rather than being overwhelmed with all of their tasks that are on their phone.

Not only that, but compared to many devices on the market, the Dot is considerably cheaper, and it adds to the functionality and ease of use of existing technology.

The smart home is dominated by these $200 devices like Philips Hue light bulbs and Nest thermostats that don’t know who you are, where you are, and what you are doing. With just a $25 Dot, all of these questions can be answered and can greatly improve the experience of the smart home without any additional user input.

Ramakrishnan added that every notification you receive from Dot means that it’s important. “You don’t have to sort through your notifications any longer. With Dot, we make your smartphone smarter.”

The team is expecting to ship Dots to their Kickstarter backers in March 2017, with pre-orders still accepted on the website.

Featured image and story images from Iota Labs.
