The Threat of Thunderstrike

UPDATED 2/3/15 – When Apple released OS X 10.10.2 a week or so ago, the vulnerability to Thunderstrike was patched!

Those of us who use Macs have been more or less safe from Malware. However as the Mac has grown in popularity recently and the number of Macs in use has risen, we have finally become more of a target. Recently a new attack vector for the Mac has been discovered and it has been named Thunderstrike.

So far this is only a proof of concept discovered by security researcher Trammell Hudson. Apple is reported to be taking this threat seriously and is working on a fix. At present it DOES NOT offer much of a threat to most users.

The Bad – There are several features of Thunderstrike that are serious threats

  1. It is the first known OS X firmware bootkit; nothing currently scans for its presence
  2. It controls the system from power up and can log every keystroke, including disk encryption keys
  3. It can open a backdoor directly into the kernel bypassing firmware passwords
  4. Once it is on your system it is very hard to remove
  5. It can infect subsequent Thunderbolt attached devices, spreading the Malware

The Good – So far this is only a proof of concept. To infect your Mac someone has to:

  1. Have Thunderstrike-enabled hardware — a modified Thunderbolt-to-Ethernet dongle was used in the proof of concept
  2. Have physical access to the Mac under attack
  3. Be able to reboot the Mac so as to modify the system firmware

Action you should take – even though the threat currently is low, keep in mind that if your Mac is left unattended it could be subject to attack. The most common time this might happen is when traveling and your Mac is left in your hotel room. If you feel that you might be a target, use the safe in your room to store your Mac when you are out, or keep it with you.

How it works – In simple terms, when a Mac boots it starts to run the EFI firmware code in the boot EEPROM. By design, FireWire and Thunderbolt interact with the Mac firmware at a very low level. In this case, if a Thunderbolt device carrying the Thunderstrike Malware is present at bootup, the system firmware will be overwritten and the system compromised.
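Since the post's update says the fix shipped in OS X 10.10.2, the practical check for a user is whether the installed version is at or above that release. The script below is an added example and not from the original post or from Apple; it assumes only the standard `sw_vers -productVersion` command, and the version comparison itself is plain POSIX shell so it can be tested anywhere.

```shell
#!/bin/sh
# Added example (not part of the original post): report whether the running
# OS X version is at least 10.10.2, the release the post says patched
# Thunderstrike. Assumes only `sw_vers -productVersion`; everything else
# is portable POSIX shell.

# version_ge A B -> returns 0 if dotted version A >= B, else 1
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # take the leading component of each version string
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop the consumed component; becomes empty once no dots remain
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        # a missing component (10.10 vs 10.10.2) counts as 0
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# thunderstrike_patched VERSION -> prints "patched" or "vulnerable"
thunderstrike_patched() {
    if version_ge "$1" "10.10.2"; then echo patched; else echo vulnerable; fi
}

# Only meaningful on OS X; sw_vers does not exist elsewhere, so skip quietly.
if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    echo "OS X $ver: $(thunderstrike_patched "$ver")"
fi
```

Run it directly on the Mac in question; a "vulnerable" result means the firmware fix described in the update has not been installed yet, so the physical-access precautions above still apply.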

References

  1. Macs vulnerable to virtually undetectable virus that “can’t be removed”
  2. Thunderstrike Proof-of-Concept Attack Serious, but Limited
  3. Thunderstrike – Trammell Hudson’s Projects

See my other Mac and Security posts
