Slashdot Mirror


First OSX Bootkit Revealed

Trailrunner7 writes: A vulnerability at the heart of Apple's Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse engineering hobbyist and security researcher named Trammell Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.

Hudson's bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple's RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity.
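As an added illustration (not code from the Thunderstrike research, from Apple, or from the original post), the following Python models the trust problem the summary describes: the public key that the firmware-update signature check trusts lives in the same writable flash as the firmware, and peripheral Option ROM code is allowed to execute while that flash is unlocked. Everything here is constructed for the example: the toy RSA keys, the `BootRom` object, the `apply_update` / `apply_update_hardened` functions, the `malicious_option_rom` stand-in and the firmware images. The real boot ROM layout, Apple's update protocol and the actual Thunderstrike payload are not shown.

```python
"""Toy model of a firmware-update signature check whose trust anchor (the
vendor's RSA public key) sits in the same writable flash as the firmware.
Added illustration only: the keys are tiny fixed primes (never use for real
signing), the boot ROM is a Python object and the Option ROM is a function."""

import hashlib
from dataclasses import dataclass
from math import gcd


# ---- toy RSA --------------------------------------------------------------

def make_key(p, q, e=65537):
    """Return ((n, e), (n, d)) for the toy primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data, n):
    """SHA-256 of the image, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest_int(data, n), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)


VENDOR_PUB, VENDOR_PRIV = make_key(10007, 10009)      # constructed keys
ATTACKER_PUB, ATTACKER_PRIV = make_key(10037, 10039)


# ---- the boot ROM and the update path -------------------------------------

@dataclass
class BootRom:
    firmware: bytes
    trusted_pubkey: tuple            # the key update signatures are checked against
    flash_writable: bool = False     # unlocked only while an update is in progress
    option_roms_enabled: bool = True


def apply_update(rom, image, signature, option_roms=()):
    """Vulnerable ordering, as the summary describes it: the flash is unlocked
    for the update and peripheral Option ROMs may run while it is unlocked."""
    if not verify(rom.trusted_pubkey, image, signature):
        return False
    rom.flash_writable = True
    try:
        if rom.option_roms_enabled:
            for option_rom in option_roms:
                option_rom(rom)      # peripheral code runs with the flash writable
        rom.firmware = image
    finally:
        rom.flash_writable = False
    return True


def apply_update_hardened(rom, image, signature, option_roms=()):
    """Same check, but peripheral code only ever executes with the flash locked."""
    if rom.option_roms_enabled:
        for option_rom in option_roms:
            option_rom(rom)          # rom.flash_writable is False here
    if not verify(rom.trusted_pubkey, image, signature):
        return False
    rom.flash_writable = True
    rom.firmware = image
    rom.flash_writable = False
    return True


def malicious_option_rom(rom):
    """Models the behaviour the summary attributes to Thunderstrike: replace
    the trusted key with the attacker's and stop further Option ROMs loading."""
    if rom.flash_writable:
        rom.trusted_pubkey = ATTACKER_PUB
        rom.option_roms_enabled = False


def run(update_fn):
    """Legitimate update with a hostile peripheral attached, then try one more
    update signed by the vendor and one signed by the attacker."""
    rom = BootRom(firmware=b"fw-1.0", trusted_pubkey=VENDOR_PUB)
    fw2, fw3 = b"fw-2.0", b"fw-3.0"                    # constructed images
    return {
        "update_with_peripheral": update_fn(rom, fw2, sign(VENDOR_PRIV, fw2),
                                            option_roms=[malicious_option_rom]),
        "vendor_update_after": update_fn(rom, fw3, sign(VENDOR_PRIV, fw3)),
        "attacker_update_after": update_fn(rom, fw3, sign(ATTACKER_PRIV, fw3)),
        "option_roms_enabled": rom.option_roms_enabled,
    }


if __name__ == "__main__":
    print("vulnerable:", run(apply_update))
    print("hardened:  ", run(apply_update_hardened))
```

With the vulnerable ordering the vendor-signed update succeeds, the peripheral's code swaps the trusted key and disables further Option ROMs, and from then on only attacker-signed images verify; with the hardened ordering the peripheral code sees a locked flash and the vendor's key survives. The two paths differ only in when peripheral code runs relative to the flash lock. The more general lesson is that a trust anchor held in mutable storage is only as strong as the lock on that storage, which is why some designs burn the key, or a hash of it, into one-time-programmable ROM that no update path can rewrite.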


  1. Thunderbolt seems inherently insecure by mattventura · · Score: 4, Insightful

    From what I understand, thunderbolt is essentially an external PCIe interface. That's inherently insecure. It was bad enough that Firewire gave devices DMA access, but with PCIe it will probably be 10x worse.

    1. Re:Thunderbolt seems inherently insecure by Anonymous Coward · · Score: 2, Insightful

      And how is that any different from the PCMCIA / CardBus slots of the past? They were basically direct attachments to the peripheral bus too, but I guess back then nobody cared about these kinds of attacks, and it wasn't predominantly Apple using those expansions.

  2. Re:If the rootkit can close the hole by c · · Score: 5, Insightful

    Then so can Apple.

    More usefully, it sounds like the owner of the machine itself can patch it such that any Option ROMs need to be signed with their own private key rather than Apple's.

    --
    Log in or piss off.
  3. Re: Apple=Best? by Anonymous Coward · · Score: 2, Insightful

    Are you going to go all "no mainstream Scotsman" on us now?

  4. Re:Turn on FileVault by DaHat · · Score: 3, Insightful

    You now know about this issue and can do it to your Macs... and those of your family & friends... but what about all of those people who do not have a person like you? How do they get the fix?

    Short of a mandatory update that is pushed down even on devices that opt out of automatic updates... how do you propose to push such a change?

    So yes... too late. If the device leaves the factory in an insecure state, a significant number of units are basically guaranteed to remain that way until they are decommissioned years from now.

  5. Not news by fyngyrz · · Score: 4, Insightful

    Physical access to your machine (and/or you) can result in any number of compromises. This has been true since day one; it'll remain true well into the indefinite future (in fact, I see nothing at all coming down the pike that would ameliorate this in any way. I'm just allowing for the possibility.)

    --
    I've fallen off your lawn, and I can't get up.
  6. More than that by SuperKendall · · Score: 2, Insightful

    It doesn't require someone having physical access to a system, it requires the user to connect a compromised Thunderbolt accessory

    A compromised Thunderbolt accessory connected WHILE they are also booting during a firmware update.

    Hope you got a lot of patience because I've not done that in years...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Re: My kid does magic tricks... by Sez+Zero · · Score: 3, Insightful

    We have several new Mac laptops at work. They don't have an Ethernet port, so all of them are connected via Thunderbolt to Ethernet adapters. All the time. It seems like Ethernet or DVI adapters would be a great vector for this attack.

  8. Re:If the rootkit can close the hole by phayes · · Score: 3, Insightful

    If you would take the time to actually read TFA (yeah I know, heresy), you'd know that Apple has already addressed the vulnerability in recent minis & iMacs so the window is already closing.

    Added to that, you need the exploit (which is closely held at present) & physical access to the Mac. This rootkit is extremely unlikely to be a problem for anyone.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue