Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters

Posted by Soulskill on from the publicity-fixes-bugs dept.

BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network, and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into — hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem, it only ever lives in firmware (which no one ever checks.) A video showing the proof of concept attack is posted on YouTube.

7 of 119 comments (clear)

  1. Re:Maybe someday by grim4593 · · Score: 3, Insightful

    If the chips are read only they would not be able to receive security updates (not that manufacturers issue ROM updates most of the time...). It would be a mess the first time a firmware security hole was found that couldn't be patched.

  2. Re:Maybe someday by simcop2387 · · Score: 5, Insightful

    I like the flash chip with a hardware switch/jumper to enable writing to it. You've got the hardware read only protection but you can update it without replacing anything socketed.

  3. "Firmworm" by xxxJonBoyxxx · · Score: 4, Insightful

    >> "Firmworm"

    You did NOT just introduce that to the Internet.

    >> Rule 34

    Oh yeah...I guess it's the reason we have Internet in the first place.

  4. Re:In other words... by Sponge+Bath · · Score: 4, Insightful

    So, in other words, the user has to be a complete moron in order for this attack to work.

    Human stupidity is the hacker's greatest tool. The entire staff does not have to be stupid, just a few to get things rolling.

  5. Viruses and worms on a Mac by mitcheli · · Score: 1, Insightful

    https://threatpost.com/writing... I appreciate the obligatory, and perhaps it'll be mod'ed to funny. But there's some truth in the statement, but not for reasons people believe. Mac's are not really any more secure than any other OS. They do have better security models in the creation of their OS's than say Windows, but they aren't invulnerable. The biggest threat to Mac's is complacency. The article from threatpost above breaks this down very well. I'm actually happy to see the flatworm concept attacking the thunderbolt firmware because it shows that simple file heuristics on Mac's is insufficient to detecting adverse threats on the platform. Perhaps we'll start seeing better threat detection techniques for the OSX platform (or ANY threat detection on the iOS platform).

    --
    Select from tblFriends where interesting >= 4;
  6. Re:So, the actual attack surface is vanishingly sm by Anonymous Coward · · Score: 2, Insightful

    All current MacBook Pros (for the past few years actually) do not have built-in ethernet but would require either a Thunderbolt or USB adapter.

    Also, what about Thunderbolt displays, especially in an office "hotel" situation where one shows up and grabs an empty spot to plug in? This is pretty common enough behavior.

  7. Re:Obligatory by amicusNYCL · · Score: 1, Insightful

    Nobody said that macs are immune to viruses

    Plenty of fan boys have, actually (including you, 2 posts up). And Apple certainly tried to make that implication, with lines like "immune to PC viruses" in their sales pitches. While it's true that Macs don't execute Windows code (wow, really?), Apple still didn't have a problem with blurring that technical line in their advertisements aimed at non-technical people. The reason why there are so many results for "are Macs immune to viruses", and why it looks like the vast majority of results for "are PCs immune to viruses" are articles about Macs, is not because "nobody said that macs are immune to viruses."

    macs are not vulnerable to the types of malware that antivirus software could protect against

    So if antivirus software protects against viruses, and you're claiming that Macs are not vulnerable to that type of malware, then aren't you claiming that Macs are immune to viruses? Are you just using the same kind of doublespeak that Apple used in their marketing?

    Here's a question: if Macs are not vulnerable to viruses, then why are there antivirus programs for Macs? What exactly are those programs protecting against if not viruses? Do they "scan" the machine against an empty threat database and then say it's all clear?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black