Slashdot Mirror


Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters

BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network, and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into, hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem; it only ever lives in firmware (which no one ever checks). A video showing the proof-of-concept attack is posted on YouTube.

6 of 119 comments

  1. Re:Maybe someday by grim4593 · · Score: 3, Insightful

    If the chips are read only they would not be able to receive security updates (not that manufacturers issue ROM updates most of the time...). It would be a mess the first time a firmware security hole was found that couldn't be patched.

  2. Re:Maybe someday by fustakrakich · · Score: 5, Informative

    I vaguely remember the day when chips were socketed, exactly for that inevitability. Updates are more expensive that way, but it all depends on how secure you want to be. Remote updates will never, ever be secure. It is nothing but a perpetual cat and mouse game.

    --
    “He’s not deformed, he’s just drunk!”

  3. Re:Maybe someday by simcop2387 · · Score: 5, Insightful

    I like the flash chip with a hardware switch/jumper to enable writing to it. You've got the hardware read only protection but you can update it without replacing anything socketed.

  4. "Firmworm" by xxxJonBoyxxx · · Score: 4, Insightful

    >> "Firmworm"

    You did NOT just introduce that to the Internet.

    >> Rule 34

    Oh yeah...I guess it's the reason we have Internet in the first place.

  5. Re:In other words... by Sponge+Bath · · Score: 4, Insightful

    So, in other words, the user has to be a complete moron in order for this attack to work.

    Human stupidity is the hacker's greatest tool. The entire staff does not have to be stupid, just a few to get things rolling.

  6. Re:Maybe someday by LordKronos · · Score: 4, Informative

    >> I like the flash chip with a hardware switch/jumper to enable writing to it. You've got the hardware read only protection but you can update it without replacing anything socketed.

    Correct...except I think it needs to be clarified that the jumper or switch is actually a physical cutoff that would prevent flashing. You need to make this distinction, because I'm pretty sure I've seen hardware jumpers that just toggle a bit in the bios/firmware config, thus telling the bios whether or not to allow it, and if the bios/firmware is hacked, the physical jumper is not actually a physical obstacle.
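The distinction LordKronos draws above (a jumper that is a physical cutoff versus one that merely sets a bit the firmware honours) maps directly onto the software-visible write-protection layers a PC's SPI flash controller offers. The decoder below is an added example, not code from the story or from any commenter. It assumes the BIOS_CNTL, HSFS and PRx bit layouts documented in Intel Series 8/9 PCH datasheets (verify the offsets against your own platform's datasheet) and runs on constructed register values rather than a real machine. It reports, for each layer, whether a compromised OS, or compromised SMM/firmware code, could simply switch the protection off; none of these layers is a physical jumper, which is exactly the commenter's point.

```python
"""
Decode Intel PCH SPI flash write-protection registers and judge how far each
layer protects the BIOS region once firmware or SMM code is itself hostile.

Assumed layouts (Intel Series 8/9 PCH datasheets; check your platform):
  BIOS_CNTL  LPC D31:F0 PCI config offset 0xDC
  HSFS       SPIBAR + 0x04
  PR0..PR4   SPIBAR + 0x74 .. 0x84 (one 32-bit register each)
All register values in this file are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# BIOS_CNTL bits: a software-managed "may I write?" switch.
BIOSWE = 1 << 0   # BIOS Write Enable: set -> software writes reach the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only while CPU is in SMM

# HSFS bit: once set, PRx (and other SPI config) are read-only until platform reset.
FLOCKDN = 1 << 15


@dataclass
class ProtectedRange:
    wpe: bool    # write protection enabled for this range
    rpe: bool    # read protection enabled for this range
    base: int    # first protected byte address
    limit: int   # last protected byte address (inclusive)


def decode_pr(value: int) -> ProtectedRange:
    """Decode one PRx register; base/limit fields are in 4 KiB units."""
    return ProtectedRange(
        wpe=bool((value >> 31) & 1),
        rpe=bool((value >> 15) & 1),
        base=(value & 0x1FFF) << 12,
        limit=(((value >> 16) & 0x1FFF) << 12) | 0xFFF,
    )


def pr_covers(pr: ProtectedRange, base: int, limit: int) -> bool:
    """True if this range write-protects every byte of [base, limit]."""
    return pr.wpe and pr.base <= base and pr.limit >= limit


def assess(bios_cntl: int, hsfs: int, pr_values: List[int],
           bios_base: int, bios_limit: int) -> Dict[str, object]:
    """
    Classify protection of [bios_base, bios_limit], weakest to strongest:
      unprotected  - BIOSWE already set, or no lock at all: ring 0 can flash.
      ble_only     - BLE set but no SMM_BWP: protection is whatever the SMI
                     handler does; known to be racy on multi-core systems.
      smm_enforced - BLE + SMM_BWP: only code running in SMM may write, so a
                     compromised SMM/firmware image simply writes anyway. This
                     is the "jumper that toggles a config bit" case.
      pr_unlocked  - a PRx range covers the region but FLOCKDN is clear, so any
                     ring-0 code can clear the WPE bit first.
      locked       - PRx covers the region and FLOCKDN is set: the controller
                     refuses writes until reset, but firmware set this at boot,
                     so it only holds if boot firmware was not already hostile.
    """
    prs = [decode_pr(v) for v in pr_values]
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & FLOCKDN)
    pr_covered = any(pr_covers(pr, bios_base, bios_limit) for pr in prs)

    if pr_covered and flockdn:
        verdict = "locked"
    elif pr_covered:
        verdict = "pr_unlocked"
    elif ble and not bioswe:
        verdict = "smm_enforced" if smm_bwp else "ble_only"
    else:
        verdict = "unprotected"

    return {"bioswe": bioswe, "ble": ble, "smm_bwp": smm_bwp,
            "flockdn": flockdn, "pr_covered": pr_covered, "verdict": verdict}


if __name__ == "__main__":
    # Constructed scenario: 1 MiB BIOS region at the top of a 16 MiB flash,
    # PR0 = WPE | limit 0xFFF (4 KiB units) << 16 | base 0xF00.
    BIOS_BASE, BIOS_LIMIT = 0xF00000, 0xFFFFFF
    PR0_COVERING = 0x8FFF0F00
    scenarios = {
        "PR + FLOCKDN":        (BLE | SMM_BWP, FLOCKDN, [PR0_COVERING]),
        "PR, FLOCKDN clear":   (BLE | SMM_BWP, 0,       [PR0_COVERING]),
        "BLE + SMM_BWP only":  (BLE | SMM_BWP, FLOCKDN, []),
        "BLE only":            (BLE,           FLOCKDN, []),
        "BIOSWE set":          (BLE | BIOSWE,  FLOCKDN, []),
    }
    for name, (cntl, hsfs, prs) in scenarios.items():
        print(f"{name:20s} -> {assess(cntl, hsfs, prs, BIOS_BASE, BIOS_LIMIT)['verdict']}")
```

On a live system the same decoding is what tools such as chipsec's BIOS write-protection checks perform after reading these registers over PCI and MMIO; the decoder here deliberately takes raw integers so the policy logic can be exercised offline. The verdict ladder stops at "locked" because that is the most a software-set lock can offer: it still trusts the firmware that programmed it at boot, which is precisely what a physical write-enable jumper or pin does not have to do.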