Slashdot Mirror


Thunderbolt Rootkit Vector

New submitter Holi sends this news from PC World: Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface. The attack, dubbed Thunderstrike, installs malicious code in a MacBook's boot ROM (read-only memory), which is stored in a chip on the motherboard. It was devised by a security researcher named Trammell Hudson based on a two-year-old vulnerability and will be demonstrated next week at the 31st Chaos Communication Congress in Hamburg.


  1. uh - by design? by Nerrd · · Score: 4, Insightful

    It shouldn't surprise anybody that a malicious PCI-E card can access a system.

    1. Re:uh - by design? by darkain · · Score: 4, Insightful

      DisplayPort monitor pre-infected with malware?

    2. Re:uh - by design? by jeffb+(2.718) · · Score: 4, Insightful

      Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system.

      Thunderbolt is more like PCIe to the system -- it's a thing you use to connect trusted devices to your system. In fact, it is PCIe, along with DisplayPort.

      The one mitigating factor is that, while there are Thunderbolt devices out there, users are less likely to find one lying in the company parking lot and decide "durr, let me plug this into my work computer and see what's on it". That seems to be a pretty effective delivery method for hostile USB devices.

    3. Re:uh - by design? by Holi · · Score: 5, Informative

      It can. See BadUSB.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  2. Re:ROM by Fwipp · · Score: 4, Informative

    Well, you're pretty wrong: https://trmm.net/EFI

    This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.

    Our proof of concept bootkit also replaces Apple's public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker's private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

  3. Hasn't this been known? by maccodemonkey · · Score: 5, Insightful

    Firewire, USB 3.0, and Thunderbolt all have DMA, which means any device hooked to a host can pretty much do anything they want to the host, no matter what the host hardware or OS is. I didn't think this sort of thing was still news?

    1. Re:Hasn't this been known? by maccodemonkey · · Score: 4, Interesting

      I'm pretty sure in the case of USB 3 that DMA is a function of the host controller. A device by itself cannot inject into arbitrary memory. This Thunderbolt "vulnerability" is the equivalent of the Windows AutoRun-on-insertion function that was disabled years ago. Only this functions above the level of the current user (aka much worse).

      I'm looking up DMA for USB3. Although there are some ways to secure DMA (like a white list of addresses/sizes that are safe to write to), all of the advertised functionality of USB3, such as the sustained data rates, would be very hard to achieve if you didn't have direct access to memory. That's why Firewire ruled for live streaming of data for so long: DMA made its rates reliable, whereas USB's dependence on the controller and CPU for memory transfers made the throughput more flakey.

    2. Re:Hasn't this been known? by maccodemonkey · · Score: 4, Insightful

      Well, now I'm reading specs on USB 3.0 controllers. Ugh. There's a lot on mapping a bus address to a memory address for DMA, but nothing addressing the security implications of doing so, or what devices are allowed to do, just broad hints like the buffer has to exist in a DMA-able part of memory without saying if that's a security implication or a hardware implication.

      It would be nice to see a follow up article on if/how USB 3.0 protects against these things, because I'm not a kernel USB developer sort of guy, so while I know DMA is there, I'm not feeling like I'd be able to dissect these implementation specs.
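The "white list of addresses/sizes that are safe to write to" that maccodemonkey describes above is what an IOMMU does: it remaps device DMA so a device can only touch buffers the kernel mapped for it. The following is an added example, not code from the article or any commenter, showing how a practitioner would check on a Linux host whether hot-plugged PCIe/Thunderbolt devices are actually constrained. It assumes the sysfs layout of recent Linux kernels (one `/sys/kernel/iommu_groups/<n>` directory per IOMMU group when an IOMMU is active, and `/sys/bus/thunderbolt/devices/domainN/security` holding the Thunderbolt security level, present since Linux 4.13); the 2014 MacBooks in the story predate these controls, and the paths are parameters so the checks also run against a constructed fixture tree offline.

```python
"""Added example: report whether a Linux host constrains DMA from hot-plugged
PCIe/Thunderbolt devices. Not code from the article; assumes the sysfs layout
of recent Linux kernels, with paths passed in so it can run against a fixture."""
from pathlib import Path

IOMMU_GROUPS = Path("/sys/kernel/iommu_groups")
TB_DEVICES = Path("/sys/bus/thunderbolt/devices")


def iommu_group_count(groups_dir: Path = IOMMU_GROUPS) -> int:
    """Number of IOMMU groups. Zero means the kernel is not remapping device DMA,
    so anything on the PCIe bus can read or write any physical address."""
    if not groups_dir.is_dir():
        return 0
    return sum(1 for p in groups_dir.iterdir() if p.name.isdigit())


def thunderbolt_security_levels(devices_dir: Path = TB_DEVICES) -> dict:
    """Map each Thunderbolt domain to its security level. 'none' enumerates any
    attached device on PCIe without approval; 'user' and 'secure' require
    userspace authorization; 'dponly' tunnels only DisplayPort; 'usbonly' only USB."""
    levels = {}
    if not devices_dir.is_dir():
        return levels
    for dom in sorted(devices_dir.glob("domain*")):
        sec = dom / "security"
        if sec.is_file():
            levels[dom.name] = sec.read_text().strip()
    return levels


def dma_risk_report(groups_dir: Path = IOMMU_GROUPS,
                    devices_dir: Path = TB_DEVICES) -> list:
    """Human-readable findings; an empty list means no DMA exposure was detected
    by these two checks (it does not prove the platform is safe)."""
    findings = []
    if iommu_group_count(groups_dir) == 0:
        findings.append("no IOMMU groups: device DMA is not restricted")
    for dom, level in thunderbolt_security_levels(devices_dir).items():
        if level == "none":
            findings.append(
                f"{dom}: Thunderbolt security level 'none', devices auto-connect to PCIe")
    return findings


if __name__ == "__main__":
    for finding in dma_risk_report() or ["no DMA exposure findings"]:
        print(finding)
```

Run it as root or any user on the live host to read the real sysfs tree; an absent `/sys/kernel/iommu_groups` directory (or a present one with no numbered entries) is the condition under which the DMA attacks discussed in this thread work unchecked.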

  4. Re:ROM by Anonymous Coward · · Score: 4, Interesting

    This is one area where good hardware design can fix the problem. Those SPI EEPROMs have a Write-Protect pin, which should be set disabled unless a physical switch is enabled (jumper anyone?).

    Yes, it requires opening your computer to update firmware, but firmware updates are a dangerous operation anyway and should not be permitted willy-nilly.

  5. Re:Pretty cool vulnerability but.. by QuietLagoon · · Score: 4, Interesting

    True. But where this attack is unique is that it installs itself in a boot-level device, not on the hard disk, and executes BEFORE the OS starts running. Even re-installing the OS or replacing the hard drive won't disinfect the system.

    Then there's this gem:

    The bootkit can even replace Apple’s cryptographic key stored in the ROM with one generated by the attacker, preventing any future legitimate firmware updates from Apple, the researcher said in a blog post.

  6. Attacker does *not* need physical access ... by perpenso · · Score: 5, Insightful

    An attacker with physical access to the target is usually a bad thing (tm),

    The attacker does not need physical access. All the attacker needs to do is sell hacked Thunderbolt cables on eBay or Alibaba.

  7. Re:In other news... by fuzzyfuzzyfungus · · Score: 4, Insightful

    I'm frankly surprised to hear that Apple still manufactures a device that will boot after you tinker with its boot ROM. The notion that a device that is, for most purposes, right on the PCIe bus can scribble all over the place isn't exactly a shock; but it doesn't seem much like Apple to build hardware that would still boot if the cryptographic signatures didn't check out.
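Fwipp's quote from trmm.net (the bootkit swaps Apple's RSA key in the ROM), the Anonymous Coward's point about the flash write-protect pin, and fuzzyfuzzyfungus's remark above all turn on the same fact: the key that future updates are checked against lives in the same writable flash as the firmware it protects. The following is an added example, not Thunderstrike's code or Apple's firmware, modelling that trust chain. Lamport one-time signatures over SHA-256 stand in for Apple's RSA key so it runs on the Python standard library alone (they are a real public-key scheme, each key signing once); the `BootROM` class, its `raw_write` and `apply_update` methods, the `write_protected` flag and the firmware strings are constructed for illustration.

```python
"""Toy model of a boot ROM whose trust anchor (the vendor public key) lives in
the same writable flash as the firmware it protects. Added example, not code
from Thunderstrike or Apple; Lamport one-time signatures over SHA-256 stand in
for Apple's RSA key so it runs on the standard library alone."""
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 pairs of 32-byte secrets; the public key is their
    hashes. Each key must sign only once (a second signature leaks secrets)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bits(message: bytes):
    digest = sha256(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, message: bytes):
    """Reveal, for each digest bit, the secret of the matching pair member."""
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][b] for i, b in enumerate(_bits(message)))


class BootROM:
    """The SPI flash: firmware plus the key that future updates are checked against."""

    def __init__(self, vendor_pk, firmware: bytes, write_protected: bool = False):
        self.trusted_pk = vendor_pk
        self.firmware = firmware
        self.write_protected = write_protected  # models the flash WP pin / jumper

    def apply_update(self, image: bytes, sig, new_pk=None) -> bool:
        """The legitimate software update path: accepted only if signed by the
        key currently in ROM. A valid update may also rotate that key."""
        if not verify(self.trusted_pk, image, sig):
            return False
        self.firmware = image
        if new_pk is not None:
            self.trusted_pk = new_pk
        return True

    def raw_write(self, image: bytes, pk) -> bool:
        """Direct flash write with no signature check, as code running at boot
        (e.g. from a device's Option ROM) can do when the flash is left writable.
        Only the hardware write-protect stops it here."""
        if self.write_protected:
            return False
        self.firmware, self.trusted_pk = image, pk
        return True


def scenario(write_protected: bool) -> dict:
    """Attacker implants a bootkit plus their own key, then vendor and attacker
    each try to ship an update. Returns what the ROM accepted."""
    vendor_sk, vendor_pk = keygen()
    attacker_sk, attacker_pk = keygen()
    rom = BootROM(vendor_pk, b"stock firmware", write_protected)

    implanted = rom.raw_write(b"bootkit", attacker_pk)

    vendor_img = b"vendor firmware v2"
    vendor_ok = rom.apply_update(vendor_img, sign(vendor_sk, vendor_img))

    attacker_img = b"bootkit v2"
    attacker_ok = rom.apply_update(attacker_img, sign(attacker_sk, attacker_img))

    return {"implanted": implanted, "vendor_update_accepted": vendor_ok,
            "attacker_update_accepted": attacker_ok, "firmware": rom.firmware}


if __name__ == "__main__":
    print("flash writable:  ", scenario(write_protected=False))
    print("flash protected: ", scenario(write_protected=True))
```

With the flash writable, the implant lands and every later vendor update is rejected because the ROM now trusts the attacker's key; with the write-protect asserted, the raw write fails and the vendor's signed update is the only one accepted. Nothing in the model inspects the ROM's own contents, which is the gap fuzzyfuzzyfungus points at: a signature check on the flash image at boot would have to be rooted somewhere the attacker cannot write.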

  8. Re:In other news... by sumdumass · · Score: 4, Interesting

    While this is true, the attacker does not need physical access for this. All they need is access to an innocent user who can be convinced to plug something in.

    The FBI and Secret Service demonstrated this type of attack back in the early 2000s. They dropped USB drives near banks' night drop boxes and front doors that pinged a server with the local IP and machine name and wrote a file locally when plugged in with AutoRun on. Something like 70% or so pinged. People were plugging them in to try to figure out whose they were to return them.

    It's pretty easy to convince someone to plug something in.