First OSX Bootkit Revealed
Trailrunner7 writes: A vulnerability at the heart of Apple's Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.
Hudson's bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple's RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity.
Then so can Apple.
From their reaction pushing out an automatically installed security patch for the recent NTP vulnerability, I'm hoping that Apple will furnish a patch before this ever becomes more than a Blackhat proof of concept.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
From what I understand, thunderbolt is essentially an external PCIe interface. That's inherently insecure. It was bad enough that Firewire gave devices DMA access, but with PCIe it will probably be 10x worse.
I'm not seeing this as a huge worry, since it has to have someone with physical access to the machine. That it can be done at the factory or in transport doesn't really mean much since that's basically true of all consumer laptops. I guess it's big news because this time we have a for reals security issue on macs guys, no really!
this research is seriously impressive. all the more so because: (1) he published how he did it so people can learn from it, and (2) the guy works for a hedge fund. he's not even a tech person!
I'm really curious what this hedge fund does that they need to do this kind of hardcore security research.
FileVault 2 disables DMA over FireWire/Thunderbolt when no user is logged in or the machine is locked.
If you want an extra layer of security, execute this command:
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
...and your Mac will erase its decryption key from RAM every time it goes to sleep.
How can I believe you when you tell me what I don't want to hear?
I'm so sick to the teeth of 'hackers' and their non-stop vanity quests. Such transient skills! All that effort expended on things that by their very nature are destined to be patched. It's like memorizing an issue of a newspaper so you can come across as well informed for a week.
Programming/debugging are their true skills and any programmer worth their salt can 'hack'. pouet.net - the low level demo scene - that's the home of the impressive. A real-time ray-tracer in less than 32kb should be news, not some idiot with a copy of IDA on a power trip.
This should be a no-brainer. Except for special-case customers who specifically do NOT want the ability to do a factory reset, all hardware should come with a factory reset procedure that any end user can do.
What would this entail?
* An immutable "firmware-loading firmware" that does nothing but check for a "factory reset" signal. If the signal is absent, load the "real firmware" from its usual location and execute it. If it is present, wipe all non-immutable storage (or wipe their decryption keys) and load (and possibly authenticate) an immutable "factory reset backup firmware copy" from a pre-defined immutable location and store it to the location where the "real firmware" is stored, then proceed as if the "factory reset" signal was absent and load the just-replaced "real firmware" and execute it.
* Consumer-friendly instructions on how to set the "factory reset" signal. For example:
-- "Remove the screws covering the back of your phone, look for the orange dot in the lower-left corner, hold down the switch while simultaneously holding down the phone's power button, then release. Within 10 seconds you will hear 5 evenly-spaced beeps. If you do not hear 5 evenly-spaced beeps, repeat the previous step. Once you hear 5 beeps wait 5 seconds. The phone will power off. Reassemble the phone."
For leased devices, this might also entail breaking a tamper-evident seal, the breaking of which by the consumer might violate the lease contract.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
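The boot flow proposed in the comment above, modelled as an added example (not code from the post or from any vendor): an immutable first stage that either boots the stored firmware or, on a reset signal, wipes writable storage, verifies the factory copy and restores it. The device layout, all names and the sample contents are assumptions, and FNV-1a stands in for the cryptographic check a real loader would need.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FW_SIZE 16   /* constructed toy sizes */
#define DATA_SIZE 8

/* Hypothetical device model; every name here is an assumption. */
struct device {
    uint8_t  backup_fw[FW_SIZE];   /* immutable factory copy (never written below) */
    uint32_t backup_digest;        /* immutable expected digest of backup_fw */
    uint8_t  real_fw[FW_SIZE];     /* writable slot the device normally boots */
    uint8_t  user_data[DATA_SIZE]; /* all other non-immutable storage */
    int      reset_signal;         /* 1 while the physical reset switch is held */
};
enum boot_result { BOOT_NORMAL, BOOT_AFTER_RESET, BOOT_HALT_BAD_BACKUP };
/* FNV-1a: NON-cryptographic stand-in for a real hash or signature check. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* The immutable first stage: its only decision is the reset signal. */
enum boot_result stage0_boot(struct device *d) {
    if (!d->reset_signal)
        return BOOT_NORMAL;                     /* boot real_fw as stored */
    memset(d->user_data, 0, DATA_SIZE);         /* wipe non-immutable storage */
    if (digest(d->backup_fw, FW_SIZE) != d->backup_digest)
        return BOOT_HALT_BAD_BACKUP;            /* never install an unverified image */
    memcpy(d->real_fw, d->backup_fw, FW_SIZE);  /* replace the "real firmware" */
    return BOOT_AFTER_RESET;                    /* then boot it as on the normal path */
}

/* Constructed sample: a device whose writable firmware slot was replaced. */
struct device make_sample_device(void) {
    struct device d;
    memset(&d, 0, sizeof d);
    memcpy(d.backup_fw, "FACTORY-FW-v1.0", FW_SIZE);
    d.backup_digest = digest(d.backup_fw, FW_SIZE);
    memcpy(d.real_fw, "TAMPERED-IMAGE!", FW_SIZE);
    memcpy(d.user_data, "secrets", DATA_SIZE);
    return d;
}

int main(void) {
    struct device d = make_sample_device();
    d.reset_signal = 1;
    printf("result=%d fw=%s\n", stage0_boot(&d), (const char *)d.real_fw);
    return 0;
}
```

Without the reset signal the tampered image still boots, which is why this is a recovery path and not a defence against the initial compromise.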
Are you going to go all "no mainstream Scotsman" on us now?
As noted it's as simple as enabling it.
Most users will not, but then most also do not need to worry about someone physically capturing the system and installing malware then returning it...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I know it's dangerous to base opinions on summaries, but the summary says "during recovery mode boots". So, at least it doesn't seem to be as bad as autorunning files on a usb stick, which used to be pretty common.
It is certainly a serious vulnerability, but considering the number of times I've done a recovery mode boot, I'm not overly concerned about it.
Rather someone have to have physical access to a system (then also have to put it into a firmware update mode!) to install a boot kit vs. being able to do it remote or just by plugging in a USB stick for a second.
That is "the best" currently, even if it can be better (and another poster noted you are immune if you enable FileVault).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Looks like it's better to call it limpware if it's so soft and easy to reprogram.
“He’s not deformed, he’s just drunk!”
Slashdot worked itself into a tizzy when UEFI Secure Boot was announced. Now when Apple ships a system without it we're headed back to the same panic. So which do you want? OEM-owned locks on your pre-boot environment, so they can protect you from attacks until and unless you get their permission to do something different, or the ability to run whatever you want without the OEM's consent?
If you'd like something other than those two options, propose another and explain how it would solve the problems noted in the article. I'm not suggesting no other solution exists, but it's not trivial, and I haven't seen anyone make any suggestions. They can't ship you the key in the box, or let you set your own, as that wouldn't address the pre-purchase attack. They can't give the code to you over the phone as there's no way to authenticate you as the legitimate owner of the machine, at least not unless you arranged something with them at time of purchase (which only works for first owner direct-from-OEM sales). They could give you a button to overwrite the firmware with a known-safe version (at least assuming no one soldered in a new ROM chip), but that's a recovery mechanism, not a protection against the original attack. They could make the firmware immutable but then neither you nor they can ever change it, which makes bugs permanent potentially including security vulnerabilities.
If we're just going to whine about both sides of this proposal -- should OEMs protect me from physical-access attacks or should I be allowed to control my own hardware -- there's no point in even talking about it.
Wasn't everything Apple supposed to be the best?
To be the best, you only have to make sure everyone else is worse than you.
“Common sense is not so common.” — Voltaire
Fsck all those people that are the reason we can't have (keep) any nice things.
Physical access to your machine (and/or you) can result in any number of compromises. This has been true since day one; it'll remain true well into the indefinite future (in fact, I see nothing at all coming down the pike that would ameliorate this in any way. I'm just allowing for the possibility.)
I've fallen off your lawn, and I can't get up.
It doesn't require someone having physical access to a system, it requires the user to connect a compromised Thunderbolt accessory
A compromised Thunderbolt accessory connected WHILE they are also booting during a firmware update.
Hope you got a lot of patience because I've not done that in years...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
> Are you going to go all "no mainstream Scotsman" on us now?
No *true* mainstream Scotsman anyway.
But we all know that Apple Macintosh isn't a true Scotsman's name....
I modified the boot.efi to allow my old mac pro 2,1 to run Mavericks. I'm glad I never upgraded. My old mac with 32gb of ram is plenty fast enough.. make -j 20... all I have to say is wow this baby can compile code fast. I also have an NVIDIA GTX 560 graphics card and a vintage GT120 for boot selection. I picked another mac pro 8 core 2,1 on ebay and built up a 32gb 8 core Linux beast running linux on bare mac metal. Now that I see thunderbolt is full of security holes I bet the next generation of macs will be locked down. I will never purchase locked down hardware.
I don't know why this got so much attention. Since this hack needs physical access to the computer, you can say it doesn't concern most Apple owners.
BTW, why use such a complicated hack through a specially crafted peripheral, one that requires rebooting the computer into recovery mode, when you could achieve the exact same goal on virtually any modern PC (that includes Macs) with a USB boot drive and a firmware updater?
People would still buy Apple hardware (pretty sturdy) if OSX was also available for the PC. Although, I'm not a big fan of Yosemite; it's too ugly and causes too much eye strain. I prefer the Tiger and Mavericks look. I don't understand why everybody is following MS's footsteps when it comes to UI color scheme, which includes KDE Plasma 5, Yosemite, and Android Lollipop. Yes, web pages (flat look) are easy on the eyes and look very nice, especially the fonts, but MS, KDE, Apple, Google all failed to render the UI properly like a web page. It's just way off. It just looks damn awful.
dey be hipsters next!
... that involve me turning around for up to 30 seconds. It's cute. The lesson here is, if you let your machine out of your sight for a while, don't be surprised if it comes back rooted. Isn't rule #1 of computer security always "If you don't have physical security, you don't have security"?
What exactly is the vector here? Give someone a thunderbolt hard drive and hope they plug it in and hope they run a firmware update while the drive is connected? Oh no, this could affect potentially dozens of people per decade! Outside of very targeted attacks, who will get hit by this? And if you think you are targeted, the solution is simple: don't have anything but the power cord plugged in when updating firmware. (Which is how you are supposed to do it anyway.)
This isn't exactly a drive-by download.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
...infecting macs through innocent chargers and other USB devices, mostly acquired from China.
http://www.engadget.com/2014/11/06/apple-malware/
Sent from my ENIAC
The firmware has always been a possible vector for infecting a computer with malware, and we know the NSA has done it for years. This OS X bootkit shows one method of getting the malware into the firmware. I'm sure on many PCs the NSA could just flash a new BIOS, probably with the full support and help of the firmware manufacturers.
It surprised me to learn that laptops from popular manufacturers like Lenovo ship with a piece of BIOS-based malware called Lojack. Used as a method of theft prevention, once activated it can infect a fresh install of Windows with tracking software. Was quite an eye opener to me.
Certainly in this post-Snowden era, I certainly trust my devices a lot less. Every little device is a computer these days with its own firmware. Who knows what runs there. A brave new world indeed. Looks like writing passwords down on paper is probably the most secure thing after all.
From the summary, you didn't even have to read the article:
> Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update
Not sure what part of "during a firmware update" you are failing to grok. A simple reboot alone is not enough.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
> It surprised me to learn that laptops from popular manufacturers like Lenovo ship with a piece of BIOS-based malware called Lojack. Used as a method of theft prevention, once activated it can infect a fresh install of Windows with tracking software.
Even if it performs "sneaky stuff" I wouldn't call it malware as it is designed to help the real owner of the laptop in case of theft.
As they don't usually have Thunderbolt, or if they do they boot differently.
I apologize for the lack of a signature.
The purpose of a factory reset is not to give 100% protection. It is not to mitigate all of the damage caused by the attack. It is to provide a way to rescue the hardware once the threat has been identified and means of re-infection have been gotten rid of. In other words, it's to save the cost of buying replacement hardware for a box that would otherwise be deemed "never to be trusted again."
Here are two examples:
1) A rogue employee tampers with a USB/Firewire/Thunderbolt device and uses that to infect Macs (or PCs, or phones, or whatever). The employee is discovered and shown the door and all potentially-infectious devices which cannot be factory-reset have been destroyed or removed from use. Those which can be factory-reset are reset and updated from known-good sources.
2) I buy a used piece of equipment. I want to know with certainty that there is no malware on it. I do a factory-reset and update it from known-good sources.
Also, the concept of a factory-reset is not specific to recovering from hardware/peripheral-based attacks. It also helps recover from software-based attacks (including remote attacks) that take advantage of bugs to replace the "main" firmware with their own. In this case, the recovery is a two-step process:
* Do a factory reset
* Update to a version of the "real" firmware that does not have any known exploits
It also has the limitation that it does not protect against exploits (including remote exploits) that will be discovered in the future.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
> It's called WireLurker, and it's already here...
I thought it was called 'systemd'?