Slashdot Mirror


Thunderbolt Rootkit Vector

New submitter Holi sends this news from PC World: Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface. The attack, dubbed Thunderstrike, installs malicious code in a MacBook's boot ROM (read-only memory), which is stored in a chip on the motherboard. It was devised by a security researcher named Trammell Hudson based on a two-year-old vulnerability and will be demonstrated next week at the 31st Chaos Communication Congress in Hamburg.


  1. uh - by design? by Nerrd · · Score: 4, Insightful

    It shouldn't surprise anybody that a malicious PCI-E card can access a system.

    1. Re:uh - by design? by _xeno_ · · Score: 3, Informative

      Well, yes, if you can rip open the computer case and install new hardware, you have complete control over the hardware and that's to be expected.

      Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

      The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:uh - by design? by darkain · · Score: 4, Insightful

      DisplayPort monitor pre-infected with malware?

    3. Re:uh - by design? by maccodemonkey · · Score: 3, Informative

      Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

      USB 3.0 has this exact same feature (DMA), so yes, yes you should expect a USB thumb drive to be able to do this.

    4. Re:uh - by design? by jeffb+(2.718) · · Score: 4, Insightful

      Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system.

      Thunderbolt is more like PCIe to the system -- it's a thing you use to connect trusted devices to your system. In fact, it is PCIe, along with DisplayPort.

      The one mitigating factor is that, while there are Thunderbolt devices out there, users are less likely to find one lying in the company parking lot and decide "durr, let me plug this into my work computer and see what's on it". That seems to be a pretty effective delivery method for hostile USB devices.

    5. Re:uh - by design? by Holi · · Score: 5, Informative

      It can. See BadUSB.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    6. Re:uh - by design? by Anonymous Coward · · Score: 2, Insightful

      It doesn't even have to be a whole monitor. An innocent looking cable would suffice. Apple's own cables already contain microcontrollers.

    7. Re:uh - by design? by I4ko · · Score: 2

      Which is exactly what FireWire was vulnerable to like.. what.. 7 years ago. This is nothing novel.

    8. Re:uh - by design? by aitikin · · Score: 3, Informative

      The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

      You're obviously not in the pro audio world.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    9. Re:uh - by design? by fuzzyfuzzyfungus · · Score: 2

      It has to be unsafe by design. How else can Thunderbolt be even more insanely great than Firewire's "Hey, sure, here's DMA access to the bottom 4GB of my memory space! Don't do anything naughty or nothing, ok?" security model?

    10. Re:uh - by design? by amorsen · · Score: 2

      USB 3.0 has this exact same feature (DMA), so yes, yes you should expect a USB thumb drive to be able to do this.

      Ethernet controllers work by DMA, yet they do not offer random access to anyone who plugs anything into the bus. There is no inherent reason why DMA means full access.

      Thunderbolt and Firewire are different, in that they are "controllerless". They are simply PCI bridges.

      --
      Finally! A year of moderation! Ready for 2019?
    11. Re:uh - by design? by AmiMoJo · · Score: 3, Insightful

      USB 3.0's DMA is not the same as Thunderbolt's. With USB the host controller configures itself with limited DMA access to a RAM buffer, and then the USB device can only access that buffer by setting up transfers within the USB spec. In fact it can't even specify the address within the buffer or anything like that, the controller handles it all. It's closer to a NIC that supports DMA - it doesn't mean that any device on your network has full access to your computer's RAM.

      Thunderbolt is rather different, because the devices are basically PCI-E cards with a Thunderbolt transceiver bolted on. As such they can do anything that a PCI-E card can do, including accessing all RAM. PC Card devices have the same issue, and so does Firewire. It's a serious issue and tools that exploit it have been available for a while, both open source and commercial. For example: http://www.breaknenter.org/pro...

      The BadUSB attack relies on either exploiting bugs in the USB driver or emulating something like a keyboard and typing commands into a terminal. It's bad, but not nearly as bad as having complete, unfettered access to RAM by design. For example, a locked computer or server that isn't logged in locally is unlikely to be affected by BadUSB because it can't know the login details, but with Thunderbolt you have total access.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:uh - by design? by dgatwood · · Score: 2

      Thunderbolt is rather different, because the devices are basically PCI-E cards with a Thunderbolt transceiver bolted on. As such they can do anything that a PCI-E card can do, including accessing all RAM. PC Card devices have the same issue, and so does Firewire. It's a serious issue and tools that exploit it have been available for a while, both open source and commercial.

      Here's what I don't get. Back when the G5 came out, Apple used a custom piece of hardware called DART to create a boundary between the I/O address space used by PCI devices and the physical address space used by RAM. It required device drivers to explicitly configure mappings before a PCI device could scribble on RAM, and limited those devices to scribbling over the ranges specified by the OS. That hardware went away with the Intel transition, of course, but most of the newer 64-bit Intel hardware has a feature called VT-d that does essentially the same thing. AFAIK, the 64-bit OS X kernel uses that functionality by default if the hardware supports it, so all of those tools should be completely non-functional on recent Macs running Mountain Lion and later. And I think I remember reading somewhere that Thunderbolt controllers contain an address translation table as well.

      With that in mind, how is this Thunderbolt device somehow gaining the ability to tickle hardware that probably doesn't live on the PCI bus, on the opposite side of the Thunderbolt controller, at a location that wasn't explicitly configured for DMA by a device driver? Does it involve rebooting the machine and exploiting a driver bug in EFI?

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    13. Re:uh - by design? by fustakrakich · · Score: 2, Insightful

      EPROM! Otherwise the story makes no sense... If you can write to ROM (more than once), clearly it's not ROM.

      --
      “He’s not deformed, he’s just drunk!”
    14. Re:uh - by design? by AmiMoJo · · Score: 2

      VT-d is used for something else, basically allowing PCI-E devices to access RAM without needing to worry about a >32 bit address space. While it might be possible to prevent this attack with it, that isn't how it is currently used. If a fix can be implemented it might break a lot of drivers.

      The attack is so nasty because when you can overwrite random bits of memory you can modify executable code on the fly. Address randomization doesn't help, you can simply search the entire address space for some suitable entry point.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
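The subthread above argues over whether an IOMMU (VT-d) confines a Thunderbolt device's DMA. The following added example (not from the thread or any commenter) is a defender-side check that reads the two host settings that decide the outcome on Linux: whether the IOMMU is active, and the Thunderbolt security level the kernel exposes under `/sys/bus/thunderbolt`. The kernel log pattern and the sample inputs are constructed for the example; `read_live_state()` pulls the real values on a Linux host.

```python
import re
from dataclasses import dataclass
from pathlib import Path

@dataclass
class DmaState:
    cmdline: str        # contents of /proc/cmdline
    dmesg: list         # kernel log lines
    iommu_groups: int   # number of entries under /sys/kernel/iommu_groups
    tb_security: str    # /sys/bus/thunderbolt/devices/domain0/security

# Linux Thunderbolt security levels and how much of the PCIe DMA vector they leave open.
RISK_BY_TB_LEVEL = {
    "none": "high",      # every device auto-authorized: PCIe tunnel comes up on plug-in
    "user": "medium",    # PCIe tunnel only after a user approves the device
    "secure": "medium",  # as 'user', plus a device-key challenge on later plug-ins
    "dponly": "low",     # DisplayPort only, no PCIe tunnel
    "usbonly": "low",    # USB/DisplayPort only, no PCIe tunnel
    "nopcie": "low",     # PCIe tunnelling disabled outright
}

def iommu_enabled(state: DmaState) -> bool:
    """IOMMU is active if the kernel exposes iommu groups or logged DMAR/AMD-Vi init."""
    if state.iommu_groups > 0:
        return True
    pat = re.compile(r"DMAR: IOMMU enabled|AMD-Vi: .*IOMMU")  # assumed log pattern
    return any(pat.search(line) for line in state.dmesg)

def assess(state: DmaState) -> dict:
    """Return the protection state plus a list of findings a defender should act on."""
    findings = []
    on = iommu_enabled(state)
    if not on:
        findings.append("IOMMU inactive: a PCIe-tunnelled device can DMA into all of RAM")
    elif re.search(r"\biommu=pt\b", state.cmdline):
        findings.append("iommu=pt: default domain is identity mapping; protection depends "
                        "on the kernel treating external-facing ports as untrusted")
    level = state.tb_security.strip()
    risk = RISK_BY_TB_LEVEL.get(level, "unknown")
    if risk in ("high", "unknown"):
        findings.append(f"Thunderbolt security level '{level}': PCIe exposed to unapproved devices")
    return {"iommu": on, "tb_level": level, "tb_risk": risk, "findings": findings}

def read_live_state() -> DmaState:
    """Collect the same inputs from a running Linux host (needs the sysfs paths to exist)."""
    groups = Path("/sys/kernel/iommu_groups")
    sec = Path("/sys/bus/thunderbolt/devices/domain0/security")
    return DmaState(
        cmdline=Path("/proc/cmdline").read_text(),
        dmesg=[],  # dmesg needs root; groups count alone is enough on most hosts
        iommu_groups=len(list(groups.iterdir())) if groups.is_dir() else 0,
        tb_security=sec.read_text() if sec.exists() else "unknown",
    )

# Constructed samples: a laptop with nothing configured, and one with VT-d on and
# Thunderbolt requiring user approval before a PCIe tunnel is created.
UNPROTECTED = DmaState("BOOT_IMAGE=/vmlinuz quiet", ["usb 1-1: new high-speed USB device"], 0, "none\n")
PROTECTED = DmaState("BOOT_IMAGE=/vmlinuz intel_iommu=on", ["DMAR: IOMMU enabled"], 17, "user\n")
```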
  2. Re:ROM by Fwipp · · Score: 4, Informative

    Well, you're pretty wrong: https://trmm.net/EFI

    This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.

    Our proof of concept bootkit also replaces Apple's public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker's private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the harddrive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

  3. Re:ROM by Nerrd · · Score: 2

    SPI Flash is an EEPROM.

  4. Re:ROM by CajunArson · · Score: 2

    No, by definition he's right: it's tough to overwrite a READ ONLY MEMORY. Of course, the firmware in the Mac isn't actually stored in a true ROM but in an EEPROM or some other solid-state memory that can be overwritten. So the article is incorrect or misleading to call that chip a ROM.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  5. Pretty cool vulnerability but.. by Severus+Snape · · Score: 3, Informative

    If I have physical access to your machine, I'm going to get you one way or another.

    1. Re:Pretty cool vulnerability but.. by QuietLagoon · · Score: 4, Interesting

      True. But where this attack is unique is that it installs itself in a boot-level device, not on the hard disk, and executed BEFORE the OS starts running. Even re-installing the OS or replacing the hard drive won't disinfect the system.

      Then there's this gem:

      The bootkit can even replace Apple’s cryptographic key stored in the ROM with one generated by the attacker, preventing any future legitimate firmware updates from Apple, the researcher said in a blog post.

  6. Hasn't this been known? by maccodemonkey · · Score: 5, Insightful

    Firewire, USB 3.0, and Thunderbolt all have DMA, which means any device hooked to a host can pretty much do anything it wants to the host, no matter what the host hardware or OS is. I didn't think this sort of thing was still news?

    1. Re:Hasn't this been known? by bored · · Score: 2

      I'm pretty sure in the case of USB 3 that DMA is a function of the host controller. A device by itself cannot inject into arbitrary memory. This thunderbolt "vulnerability" is the equivalent of the windows autorun on insertion function that was disabled years ago. Only this functions above the level of the current user (aka much worse).

    2. Re:Hasn't this been known? by maccodemonkey · · Score: 4, Interesting

      I'm pretty sure in the case of USB 3 that DMA is a function of the host controller. A device by itself cannot inject into arbitrary memory. This thunderbolt "vulnerability" is the equivalent of the windows autorun on insertion function that was disabled years ago. Only this functions above the level of the current user (aka much worse).

      I'm looking up DMA for USB3. Although there are some ways to secure DMA (like a white list of addresses/sizes that are safe to write to), all of the advertised functionality of USB3, such as the sustained data rates, would be very hard to achieve if you didn't have direct access to memory. That's why Firewire ruled for live streaming of data for so long: DMA made its rates reliable, whereas USB's dependence on the controller and CPU for memory transfers made the throughput more flaky.

    3. Re:Hasn't this been known? by maccodemonkey · · Score: 4, Insightful

      Well, now I'm reading specs on USB 3.0 controllers. Ugh. There's a lot on mapping a bus address to a memory address for DMA, but nothing addressing the security implications of doing so, or what devices are allowed to do, just broad hints like the buffer has to exist in a DMA-able part of memory without saying if that's a security implication or a hardware implication.

      It would be nice to see a follow up article on if/how USB 3.0 protects against these things, because I'm not a kernel USB developer sort of guy, so while I know DMA is there, I'm not feeling like I'd be able to dissect these implementation specs.

    4. Re:Hasn't this been known? by AmiMoJo · · Score: 2

      USB 3.0 devices can't read or write arbitrary RAM like Thunderbolt devices can. The host controller (or rather the driver) has to allocate RAM buffers and then program its DMA controller to copy data in or out of it. In theory it might be vulnerable if there are flaws in the driver perhaps, but it would be reliant on specific drivers and host controllers. The vulnerability is designed in to Thunderbolt as a feature.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Putting unprotected flash in computers was stupid by Anonymous Coward · · Score: 2, Insightful

    Almost as stupid as making PCI-E part of an external bus. The BIOS write protect jumper of old was the right idea.

  8. Re:In other news... by Fwipp · · Score: 3, Interesting

    But when all it requires is connecting an arbitrary malicious Thunderbolt device - a root-kit could be installed when you dock your computer, or connect to a monitor or ethernet/firewire adapter, or even a mouse.

    Yes, "mission-critical" security systems should already be physically isolated. But not everything is physically isolated (work laptops, for instance), and this class of attack makes it easier to covertly compromise devices, even while in plain view. Would all of your coworkers object to someone plugging in a mouse on their laptop?

  9. Re:ROM by Anonymous Coward · · Score: 4, Interesting

    This is one area where good hardware design can fix the problem. Those SPI EEPROMs have a Write-Protect pin, which should be set disabled unless a physical switch is enabled (jumper anyone?).

    Yes, it requires opening your computer to update firmware, but firmware updates are a dangerous operation anyway and should not be permitted willy-nilly.

  10. Re:ROM by orgelspieler · · Score: 2

    Best response I've seen all day. But good luck convincing Apple that anybody but a "Genius" should be cracking open an apple device. Aren't they still using those patented fuck-you^W pentalobe screws?

  11. So if you get hit by this attack, have you been... by exabrial · · Score: 3, Funny

    So if you get hit by this attack, have you been... Thunderstruck?? /me shows self to door

  12. Re:In other news... by danceswithtrees · · Score: 2

    ... isn't, but I hear his agent is.

    Tell your friend Veronica
    It's time to celebrate Chanukah.

  13. Attacker does *not* need physical access ... by perpenso · · Score: 5, Insightful

    An attacker with physical access to the target is usually a bad thing (tm),

    The attacker does not need physical access. All the attacker needs to do is sell hacked thunderbolt cables on ebay or alibaba.

  14. Re:In other news... by fuzzyfuzzyfungus · · Score: 3, Interesting

    Plus, thunderbolt daisy-chains, so (if you are handy with rework tools or Intel ever gets the stick out of their ass about selling the chips) the malicious device could either be a (subverted) normal looking peripheral or a surprisingly small lump lurking within a thunderbolt cable or somewhere within the chain.

    The proof of concept is probably a big hairy bundle of prototype that would get you arrested if you brought it to an airport; but a slightly more polished variant could be squirreled away in quite a few places. The volume and power required to implement an entire single-purpose attacker device is already fairly small, getting into "eh, probably just one of those EMI ferrite things" territory, and not going to get any larger; plus the options available in either embedding the attacker device in the case of a legitimate device or modifying a legitimate device's firmware.

    The truly paranoid user might not be vulnerable; but few users are paranoid enough to qualify.

  15. Re:In other news... by fuzzyfuzzyfungus · · Score: 4, Insightful

    I'm frankly surprised to hear that Apple still manufactures a device that will boot after you tinker with its boot ROM. The notion that a device that is, for most purposes, right on the PCIe bus can scribble all over the place isn't exactly a shock; but it doesn't seem much like Apple to build hardware that would still boot if the cryptographic signatures didn't check out.

  16. Re:In other news... by spire3661 · · Score: 2

    Chernobyl virus victim checking in. $450 in hardware to fix that one.....

    --
    Good-bye
  17. Re:ROM by Barny · · Score: 2

    Pfft, of course they are better screws. They are both more expensive and annoying to operate, just like other Apple Iproducts.

    iScrew

    Only meant to be used by the special Apple certified screwdriver, the iScrewyou.

    --
    ...
    /me sighs
  18. Apple used to have security for firmware updates by ZorinLynx · · Score: 2

    With older (PPC?) based Macs, to update the firmware you had to power off the machine, then turn it on by holding the power button until you got an extra beep or sound. This would physically un-write-protect the firmware EPROM so that it could be updated by open firmware.

    In their quest to make everything as "user friendly" as possible, they took out this hardware security feature, allowing the update to just happen without any physical action.

    Bad Apple, no donut.

  19. Re:In other news... by sumdumass · · Score: 4, Interesting

    While this is true, the attacker does not need physical access for this. All they need is access to an innocent user who can be convinced to plug something in.

    The FBI and Secret Service demonstrated this type of attack back in the early 2000s. They dropped USB drives near banks' night drop boxes and front doors that pinged a server with the local IP and machine name and wrote a file locally when plugged in with autorun on. Something like 70% or so pinged. People were plugging them in to try to figure out whose they were to return them.

    It's pretty easy to convince someone to plug something in.

  20. Re:In other news... by Dog-Cow · · Score: 2

    No one uses thunderbolt for mice.