Slashdot Mirror


Thunderbolt Rootkit Vector

New submitter Holi sends this news from PC World: Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface. The attack, dubbed Thunderstrike, installs malicious code in a MacBook's boot ROM (read-only memory), which is stored in a chip on the motherboard. It was devised by a security researcher named Trammell Hudson based on a two-year-old vulnerability and will be demonstrated next week at the 31st Chaos Communication Congress in Hamburg.

6 of 163 comments

  1. Re:uh - by design? by _xeno_ · Score: 3, Informative

    Well, yes, if you can rip open the computer case and install new hardware, you have complete control over the hardware and that's to be expected.

    Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

    The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

    --
    You are in a maze of twisty little relative jumps, all alike.
  2. Re:ROM by Fwipp · Score: 4, Informative

    Well, you're pretty wrong: https://trmm.net/EFI

    This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.

    Our proof of concept bootkit also replaces Apple's public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker's private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

  3. Pretty cool vulnerability but.. by Severus+Snape · Score: 3, Informative

    If I have physical access to your machine, I'm going to get you one way or another.

  4. Re:uh - by design? by maccodemonkey · Score: 3, Informative

    Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

    USB 3.0 has this exact same feature (DMA), so yes, yes you should expect a USB thumb drive to be able to do this.

  5. Re:uh - by design? by Holi · Score: 5, Informative

    It can. See BadUSB.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  6. Re:uh - by design? by aitikin · Score: 3, Informative

    The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

    You're obviously not in the pro audio world.

    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve