Slashdot Mirror


Thunderbolt Rootkit Vector

New submitter Holi sends this news from PC World: Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface. The attack, dubbed Thunderstrike, installs malicious code in a MacBook's boot ROM (read-only memory), which is stored in a chip on the motherboard. It was devised by a security researcher named Trammell Hudson based on a two-year-old vulnerability and will be demonstrated next week at the 31st Chaos Communication Congress in Hamburg.

2 of 163 comments

  1. Re:ROM by Fwipp · Score: 4, Informative

    Well, you're pretty wrong: https://trmm.net/EFI

    This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.

    Our proof of concept bootkit also replaces Apple's public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker's private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

  2. Re:uh - by design? by Holi · Score: 5, Informative

    It can. See BadUSB.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.