Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters
BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into, hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem; it only ever lives in firmware (which no one ever checks). A video showing the proof of concept attack is posted on YouTube.
They will make a chip that can only be written to one time. They can call it, "read only". What a concept!
“He’s not deformed, he’s just drunk!”
Do that to Windows 10 .... if you can
.. makes a good punchline
P.S. I know that this is a firmware exploit, but just for marketing's sake
This is why I use a Mac - we are immune to these things that plague PC users. I'd much rather pay a little bit more for security and simplicity than take the "you're-on-your-own" approach we get on other OSes.
Wait, what? Oh.
Yeah, ok...if you want to be a malware writer that works publicly and attends sleek conferences, just call yourself a "security researcher". Thanks for creating these attack toolkits so that script kiddies can conveniently destroy my computer.
Profoundly exceptional lack of talent. You are very, very rare, sir. /sniff
This is why externally hot-pluggable devices that have a firmware option ROM and/or can DMA anywhere in RAM are a bad idea.
I feel pretty sick about this. I don't even use Macs. But the low-level depth of several recent exploits is making it near impossible to detect/defend against them.
APTs that download every time you boot, without touching the file system, are a real issue that is hard to detect and resolve. Most people/companies can't run standalone IDS/IPS, let alone understand and react to them.
As a Mac user it's not uncommon to see bugs and exploits in the wild like this. So far I haven't seen evidence of it being used, and I keep my Mac pretty up to date. Other than checking the App Store for updates, it's a good practice to tO BUttER YoUR CAT anD FArT THE AlphHABET.
Good people go to bed earlier.
>> "Firmworm"
You did NOT just introduce that to the Internet.
>> Rule 34
Oh yeah...I guess it's the reason we have Internet in the first place.
He might be, but I bet you are singing this song all day
GET OUT OF MY HEAD!
FTFA:
An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site.
So, in other words, the user has to be a complete moron in order for this attack to work. I know there are still a small percentage of people out there that still click on every email link they get, but I would hope that phishing is a dying art and not much would ever come of this. I know that most of the people I supported would not be this amazingly stupid, nor would many in the entire company. Again, this sort of email attack vector is drilled into the heads of office workers everywhere as something to NOT fall for. The firmware vulnerabilities still need to be addressed, though ongoing training and social engineering will mitigate the possible threat a great deal.
we wouldn't have corporations adding these backdoors. Of course since the Republicans hate technology, they refuse to do this to protect us. Refuse.
If you work in an IT capacity, I suggest you rethink architecting your security profile based on trusting users not to click on links sending them to websites hosting malicious exploit code.
You might have the smartest CS graduates working in your organization. Each one of them has a computer-inexperienced relative who's had their email compromised in one way or another. From those compromised email accounts, messages are sent to your coworkers that can contain solicitations to view content hosted on a remote website. The possibility of your teammates following those links is especially high. Once the exploit code has hit the desktop OS, it's inside your network. If you have vulnerable routers, the attackers can use the beachhead of the first compromised desktop machine to change the DNS settings on the network router. Now, every single user in the organization is vulnerable to being redirected from "www.google.com" to "www.exploitsite.com" while they still only see the friendly Google search page in their browsers when they try to do a search.
Don't trust the end users. They're the weakest member of your corporate security.
$5 / month hosted VPS on linux = awesome!
This is not like the recent StageFright exploit for Android, where virtually every-single-device on the Platform is vulnerable (what was it, like 990 million?); but rather, is confined to the UNION of the sets:
1. The Macs that use a TB Ethernet adapter. That, my fine readers, is a REALLY small group. Most Macs still have built-in Ethernet connectors, and those that don't are usually connected through WiFi instead of a TB adapter.
2. Those who fall for some unknown social-engineering trap.
That's one small-ass percentage of the overall Mac-using population.
IOW, nasty as this could be, there really is nothing to see here.
https://threatpost.com/writing... I appreciate the obligatory, and perhaps it'll be mod'ed to funny. But there's some truth in the statement, but not for reasons people believe. Macs are not really any more secure than any other OS. They do have better security models in the creation of their OSes than, say, Windows, but they aren't invulnerable. The biggest threat to Macs is complacency. The article from threatpost above breaks this down very well. I'm actually happy to see the flatworm concept attacking the Thunderbolt firmware because it shows that simple file heuristics on Macs are insufficient for detecting adverse threats on the platform. Perhaps we'll start seeing better threat detection techniques for the OSX platform (or ANY threat detection on the iOS platform).
SELECT * FROM tblFriends WHERE interesting >= 4;
This should work on any Thunderbolt device, not just Ethernet adapters. DMA for external devices is stupid.
Yeah, because no one ever falls for social engineering, so it's totally not anything to worry about.
All current MacBook Pros (for the past few years actually) do not have built-in Ethernet but would require either a Thunderbolt or USB adapter.
Also, what about Thunderbolt displays, especially in an office "hotel" situation where one shows up and grabs an empty spot to plug in? This is pretty common enough behavior.
Any competent corporate IT already scrubs URLs from all email; it gets quarantined and a tech has to look at the email before the user can get it.
Comcast was doing that back in the early 2005's
Yeah? Maybe that works for you and your Mom. But that shit don't scale in my world. Sure, we have virus scanners, IPS, script and URL defangers, just to name a few, but stuff still gets through and people still click that shit.
There is NO 100% effective solution at this time.
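The URL scrubbing and quarantining described in the two comments above, written out as an added example that is not from this thread or from any product mentioned in it. The mail message, the function names and the hxxp[:]//host[.]tld defanging convention are constructed for illustration; a real gateway would also handle HTML parts and base64-encoded bodies, which this version simply holds for review.

```python
"""Mail-gateway style link scrubber (constructed example, not a real product)."""
import re
from email import message_from_string
from email.message import Message

# Matches http(s)/ftp URLs in message text; stops at whitespace and angle/quote marks.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def defang_url(url: str) -> str:
    """Rewrite a URL so mail clients will not auto-link it: hxxp[:]//host[.]tld/path."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    return f"{scheme}[:]//{host.replace('.', '[.]')}{sep}{path}"


def scrub_text(text: str):
    """Return (defanged text, list of the original URLs that were found)."""
    found = []

    def _swap(match):
        found.append(match.group(0))
        return defang_url(match.group(0))

    return URL_RE.sub(_swap, text), found


def scrub_message(raw: str):
    """Defang every text/plain part of a raw RFC 822 message.

    Returns (message, urls, quarantine). quarantine is True when any link was
    rewritten, or when the message carries a part this scrubber does not
    rewrite (HTML, attachments), so a tech can review it before release.
    """
    msg: Message = message_from_string(raw)
    urls, hold = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no body of their own
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            clean, hits = scrub_text(body)
            if hits:
                # Assumption: the part is plain 7-bit text. We drop any transfer
                # encoding header so the rewritten str payload is stored as-is.
                del part["Content-Transfer-Encoding"]
                part.set_payload(clean)
                urls.extend(hits)
        else:
            hold = True  # HTML or attachment: not rewritten, hold for a human
    return msg, urls, hold or bool(urls)


# Constructed sample message; the addresses and links are placeholders.
SAMPLE_MAIL = (
    "From: accounts@example.com\n"
    "To: user@example.com\n"
    "Subject: Invoice attached\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please review http://example.com/invoice.pdf today.\n"
    "Backup copy: https://docs.example.org/a?b=1\n"
)

if __name__ == "__main__":
    cleaned, links, quarantine = scrub_message(SAMPLE_MAIL)
    print("quarantine:", quarantine)
    print("links found:", links)
    print(cleaned.get_payload())
```

The scrubber rewrites only the scheme and host, leaving the path readable so the reviewing tech can still judge what the link pointed at; anything it cannot rewrite (HTML bodies, attachments) is flagged rather than passed through, which is the fail-closed behaviour the comment describes.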
Not all users with a TB Ethernet adapter will get themselves infected. So he is justified in saying it will only affect an even smaller set.
Wink wink, nudge nudge.
2. Those who fall for some unknown social-engineering trap.
Well, that's every Mac user. You bought into the idea that you were buying a lifestyle, but actually you were just buying a PC made by slaves at Foxconn like every other PC.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
OMG there is this new virus targeting Macs, the only way to protect yourself is to use an Ethernet adapter. My buddy from Russia sells them on ebay for cheap too, after you check your mac, make sure you lend it to all your friends to check their mac cause we're all friends right?
I remember the day when ROM actually meant Read Only Memory.......and why Thunderbolt devices need to be rewritable "flash" firmware instead of ROM is a mystery to me. I'm not aware of Apple issuing any firmware upgrades to these devices since their inception.
I'm running Windows 10 on a MacMini so this exploit could affect Windows 10.
(Actually, triple-boots OS X, Win 10, and Ubuntu Not Ten.)
Help! Help! I'm being repressed!
"Thunderbird 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory." ref
'DYLD_PRINT_TO_FILE is a recently-disclosed privilege escalation vulnerability on OS X Yosemite'
This should work on any Thunderbolt device, not just Ethernet adapters. DMA for external devices is stupid.
WRONG!!!
Actually, any TB device with an "Option ROM". Is that all of them? Somehow, I think not, or the article would have been even more breathless.
In fact, according to TFA, it specifically mentioned External TB SSDs and the TB Ethernet Adapter. Both would be pretty rare in the Mac installed base.
Most Macs still have built-in Ethernet connectors...
2. Those who fall for some unknown social-engineering trap.
Well, that's every Mac user. You bought into the idea that you were buying a lifestyle, but actually you were just buying a PC made by slaves at Foxconn like every other PC.
Actually, I thought I was buying a PC. I don't know what your problem is.
Oh, and nice job of artificially-increasing the attack surface, by ignoring one of the criteria "Must have a TB Ethernet Adapter" (or at least a TB Device with an "Option ROM").
Typical Slashtard. Hate, hate, hate. It's all some people know how to do.
Most Macs still have built-in Ethernet connectors...
Nice use of the "li" tag. I'll have to remember that.
But, without telling me which version of the Airs, I can't tell you whether they have TB ports. The first-generation Airs only had USB. And I don't know if the new "MacBook" (non-"Pro") qualifies as "vulnerable" either; since (I think) it actually does "TB-Over-USB-C".
And, as I said, MOST of the time, Macs without intrinsic Terrestrial Ethernet ports simply use WiFi; and so most of those people don't even know that there is a TB-Ethernet adapter.
And do you really want to see the list of Macs still being sold and/or still in common use that do have a Terrestrial Ethernet port? I assure you, it is a LOT more models than your measly little list.
So, actually, you proved my point, not yours. Thanks!!!
And do you really want to see the list of Macs still being sold and/or still in common use that do have a Terrestrial Ethernet port? I assure you, it is a LOT more models than your measly little list.
Incorrect
Around 2/3 of all Macs sold are the laptops listed above.
Otherwise known as, "the majority of Macs sold."
So we now have an exploit over Thunderbolt, but I still cannot PXE boot the bloody things from a Linux server. Maybe I could, but I still haven't found how, if not using an OS X server. Progress is not going where I would like...
Would someone please publish a hack that lets us easily network boot Macs from Linux servers.
"Thunderbird 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory." ref
Thunderbird and Thunderbolt are very different things.
I have dealt with these wankers on several occasions. They barely have any idea what they're doing; most of the Apple firmware is based on reference stuff from Intel and Insyde, and the code that isn't is horribly, horribly written. The only group with less of a clue than the EFI guys are the SMC folks (the guys who write the H8S firmware for the "Systems Management Controller"). If you ever find a bug in SMC, they'll go to great lengths to describe why the bug is actually intended behaviour and never actually do anything about it. You would not believe how many systems have been shipped with bugs in either firmware that will NEVER be fixed, because Apple won't support anything that isn't completely modern, and in some cases we're not even sure if they can upgrade the firmware if they want to (for example, the former generation of Mac Pros had a split SMC configuration, one on the CPU board, the other on the backplane, and you can only talk to the one on the CPU board through the backplane SMC, but when we dismantled the firmware from that chip we found zero evidence of any update procedures nor the ability to flash the one on the CPU board in any way).
So these sorts of shenanigans are to be totally expected from Apple. I doubt they'll ever do anything about this issue, and if they do it's going to be one hell of a hack rather than fixing the problem properly. And you can be assured that whatever they do release won't apply to anything past one generation old, even though there will inevitably be millions of other machines out there affected by the same issues.
Some days I wonder why they have as much money in the bank as they do... then I remember that I pick apart Apple products for a living, and the shit I see is precisely why they have so much money in the bank.
And do you really want to see the list of Macs still being sold and/or still in common use that do have a Terrestrial Ethernet port? I assure you, it is a LOT more models than your measly little list.
Incorrect
Around 2/3 of all Macs sold are the laptops listed above.
Otherwise known as, "the majority of Macs sold."
Nice job of ignoring the part of the sentence that doesn't support your argument.
Note that I said "...and/or still in common use". So, in about 5 years or so, a good majority of Macs "still in common use" will not have Terrestrial Ethernet built-in; but for now, that still isn't the case. So, I stand by my original statement. And as I said, I would probably be safe in saying that the majority of Macs without built-in Terrestrial Ethernet are using WiFi instead; which isn't affected by this exploit.
And "now" is what matters to this vulnerability; because Apple will be sure to update their products to plug this vulnerability. In fact, according to TFA, the hacker team supposedly uncovered five vulnerabilities, and Apple has already patched three of them.
All current MacBook Pros (for the past few years actually) do not have built-in Ethernet but would require either a Thunderbolt or USB adapter.
Also, what about Thunderbolt displays, especially in an office "hotel" situation where one shows up and grabs an empty spot to plug in? This is pretty common enough behavior.
NO Hotel is going to have a Thunderbolt Display. Not even one next door to Moscone Center.
So, no. Not gonna happen.
And besides, it is only certain TB devices (those with an "Option ROM") that are affected; in fact, the only two mentioned in TFA were the TB-Ethernet adaptor and certain external TB SSDs (which are REALLY rare, and wouldn't likely be passed around anyway).