Slashdot Mirror


Thunderstrike2 Details Revealed

An anonymous reader writes: Prior to DefCon and BlackHat, we learned that Trammell Hudson had developed a firmware worm for Apple machines that could spread over Thunderbolt hardware accessories. Now that both conferences have finished, Hudson has published slides and an annotated transcript detailing how the worm works.

A brief quote: "Thunderstrike 2 takes advantage of four older, previously disclosed vulnerabilities. These had all been known and fixed on other platforms, but not on Apple's MacBooks. ... Speed Racer (Incorrect BIOS_CNTL configuration, 2014, VU#766164), Darth Venamis (S3 boot script injection, 2014, VU#976132), Snorlax (Flash configuration is not set after S3 sleep, 2013, VU#577140) and PrinceHarming (2015), Unsigned Option ROMs (2007, 2012). ... While we're looking at Apple specifically in this research, the overall message is that many vendors are not keeping up to date and are not responding to CERT, especially if it requires effort to port or test vulnerabilities from other vendor platforms."

65 comments

  1. These vulnerability names by Anonymous Coward · · Score: 0, Flamebait

    are fucking stupid.

    1. Re:These vulnerability names by nbvb · · Score: 0

      My thoughts exactly.

    2. Re:These vulnerability names by Anonymous Coward · · Score: 0

      That's funny. An attack that can strike over thunderbolt calling itself thunderstrike is stupid? I think most GNU and many other utilities have idiotic names. GRUB, YAST, lots of these things are plain stupid.

    3. Re:These vulnerability names by gstoddart · · Score: 1

      are fucking stupid.
      I don't know, PrinceHarming sounded hilarious.

      In a world where many of us still know who is meant by "Captain Crunch", these names aren't really all that surprising.

      What do you expect, a marketing focus group to come up with a catchier name?

      --
      Lost at C:>. Found at C.
    4. Re: These vulnerability names by Anonymous Coward · · Score: 0

      A lot of them (GRUB, YAST, etc.) are acronyms. Are you equally upset about BIOS? PCI? DRAM?

    5. Re: These vulnerability names by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Now you're just making up acronyms...

    6. Re: These vulnerability names by Anonymous Coward · · Score: 0

      NY'RJMUA

  2. You've been... by Anonymous Coward · · Score: 0

    THUNDERSTRUCK!

    1. Re:You've been... by viperidaenz · · Score: 1

      You've been.... put on home detention!

  3. Is this still a Remote Exploit? by macs4all · · Score: 1

    Apple has released at least 2 Patches to OS X 10.10 (Yosemite), one in January, 2015, and another in June, 2015, to address these issues.

    From what I have learned from the tubes, that leaves what admittedly amounts to a largely theoretical vulnerability, as far as "workable in the field" goes.

    But what I haven't been able to sort out through all the eighth-grader cutesy names is: is this still a REMOTE-ABLE vulnerability, or is it back to the "Evil Maid" scenario only?

    Also, I have heard that Macs built after June, 2014 are invulnerable (presumably due to some hardware design changes). Is that still true, or not?

    1. Re:Is this still a Remote Exploit? by Dunbal · · Score: 1

      I heard the Titanic was "unsinkable". Be careful with words like "invulnerable".

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Is this still a Remote Exploit? by gstoddart · · Score: 2

      or is it back to the "Evil Maid" scenario only?

      Always assume the "evil maid" scenario could happen.

      If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works, the "evil maid" is a subset of all things in which you can trick people into plugging in your exploit. Social engineering is a remarkable way around security.

      It also says if you have a portable Thunderbolt device and ever use it anywhere from home, your own stuff could be the 'remote' vector.

      One person's theoretical vulnerability can often become a real exploit before long.

      --
      Lost at C:>. Found at C.
    3. Re:Is this still a Remote Exploit? by macs4all · · Score: 1

      I heard the Titanic was "unsinkable". Be careful with words like "invulnerable".

      Point taken; but, in my defense, I think that's what the original article I read said.

    4. Re:Is this still a Remote Exploit? by macs4all · · Score: 1

      If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works

      Yeah, I watch Mr. Robot, too...

      Social engineering is a remarkable way around security.

      I love the way most of the hacker movies depict a scenario like in Swordfish, where someone applies mad Developer (hacker) skills to navigate through arrays of 3D cubes representing (what, exactly?), and then breaks into the "Network" using those skills alone. That's why I always like the movie "Sneakers" (despite its depiction of 3D Operating Systems, too), because it depicted that Social Engineering was at the heart of most, if not all, "Cracking".

      But this still doesn't answer the question as to whether Apple has successfully thwarted the REMOTE aspect (e.g., visit a malicious website, get a bad email...), or not.

    5. Re:Is this still a Remote Exploit? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Always assume the "evil maid" scenario could happen.

      Colonel Sandurz: It's Mega Maid. She's gone from suck to blow.

    6. Re:Is this still a Remote Exploit? by Minupla · · Score: 1

      If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works

      Yeah, I watch Mr. Robot, too...

      Um, Mr Robot took it from ancient (in internet terms anyways) history:

      Just one random story from 2011:

      http://thenextweb.com/insider/...

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    7. Re:Is this still a Remote Exploit? by Anonymous Coward · · Score: 0

      Ha. I bet I've seen that movie a thousand times and never picked up on his name... but now I'm just thinking "Suck. Suck. Suck. Suck."

    8. Re:Is this still a Remote Exploit? by macs4all · · Score: 1

      Um, Mr Robot took it from ancient (in internet terms anyways) history:

      I just took the most recent reference that popped into my head; but at least whoever writes that show has SOME geek-knowledge. That's still (a lot!) better than most.

    9. Re:Is this still a Remote Exploit? by Minupla · · Score: 1

      Agreed, actually I respect the show for their research. I may have misinterpreted the tone of your comment, I read it as "this could only happen in a TV show", and was pointing out it has a long history of working in real life. Apologies if I misinterpreted.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    10. Re: Is this still a Remote Exploit? by guruevi · · Score: 1

      Yeah, these kinds of attacks require physical access (either directly or by proxy) to the computer at which point your security is moot. You might as well add on one of those microcontrollers with a 3G and KVM module because you are using a freaking pci bus.

      It is cute to do this but when you have hardware access, all bets are off and you could write the EFI regardless. Signing firmware for EFI only makes alternative software and homebrew harder (e.g. SecureBoot tripe) but doesn't make it any harder to hack

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    11. Re:Is this still a Remote Exploit? by macs4all · · Score: 1

      Apologies if I misinterpreted.

      No problem. I am always too defensive when on /. anyway, LOL!

    12. Re: Is this still a Remote Exploit? by macs4all · · Score: 1

      It is cute to do this but when you have hardware access, all bets are off and you could write the EFI regardless. Signing firmware for EFI only makes alternative software and homebrew harder (e.g. SecureBoot tripe) but doesn't make it any harder to hack

      You're right. I wonder if that's why Apple didn't run straight toward that obvious solution?

    13. Re:Is this still a Remote Exploit? by Anubis+IV · · Score: 1

      It's not just a "theoretical vulnerability", since the researchers had a proof of concept that was working at Black Hat a few weeks ago. That said, the latest versions of OS X 10.10 and 10.11 both have patches in place that break the proof of concept, and as I recall, the bug that permitted this in the first place was introduced in 10.10, which means that all vulnerable systems already have a patch available to prevent infection.

      In terms of vectors for infection, it's two-fold:
      1) Navigating to a malicious site could infect the firmware of a Thunderbolt network adapter or storage device
      2) Plugging in an infected Thunderbolt network adapter or storage device could infect other Thunderbolt devices

      That said, OS X 10.10.4 patches vector #1 and breaks this particular proof of concept, meaning that even if someone else manages to exploit vector #2, the worm would be limited to traveling by hand as dongles move from computer to computer, so it's unlikely a typical person would ever encounter the worm. No doubt, that vector will be patched soon as well, given the amount of media pressure on Apple.

    14. Re:Is this still a Remote Exploit? by macs4all · · Score: 1

      It's not just a "theoretical vulnerability", since the researchers had a proof of concept that was working at Black Hat a few weeks ago. That said, the latest versions of OS X 10.10 and 10.11 both have patches in place that break the proof of concept, and as I recall, the bug that permitted this in the first place was introduced in 10.10, which means that all vulnerable systems already have a patch available to prevent infection.

      I didn't catch that this was introduced in 10.10 (Yosemite); so my Mavericks (10.9) and earlier systems are ok then?

      GREAT Update, Anubis!

      Mods: Mod Parent UP, UP, UP!!!

    15. Re:Is this still a Remote Exploit? by Anubis+IV · · Score: 1

      I didn't catch that this was introduced in 10.10 (Yosemite); so my Mavericks (10.9) and earlier systems are ok then?

      Assuming my recollection is correct and that I didn't mix up vulnerabilities? Yup, Mavericks is okay.

  4. So... how screwed am I? by mekkab · · Score: 1

    And what do I do to stay unscrewed? a serious question from a Macbooker.

    /I'm expecting much hate but some wisdom embedded in the barbs

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
    1. Re:So... how screwed am I? by Anonymous Coward · · Score: 0

      demand apple actually patch those holes on your macbook? honestly outside of that, I have no idea how to harden a mac, or if it's even possible.

      I'd say.. only use your own trusted cable, and only on your own trusted devices. That's a step.

    2. Re:So... how screwed am I? by Anonymous Coward · · Score: 1

      Run for the hills, turn off all your electronics, eat the rich, stop trusting the government, definitely don't trust the corporations.

      Might not help with your computer security, but it's sound advice.

    3. Re:So... how screwed am I? by Morris+von+Habsburg · · Score: 3, Informative

      First of all, keep an eye on the updates. They should automatically install (or at least warn of their availability) by default. Apple can push out a separate EFI upgrade or it can be a part of the next big update (10.10.5 for instance, which is imminent). I expect some or all of these to be fixed fairly quickly.

      In the mean time, make sure that you haven’t disabled Gatekeeper (which is on by default). While Gatekeeper can’t defend against infected peripherals you stick in your Thunderbolt port, it can protect against online attacks trying to infect your machine with the Thunderstrike payload. And the chances of being infected through the internet (malicious ads, drive-by downloads, trojans etc.) are far greater than through a peripheral as it can take months or years before an old-fashioned physical malware spread reaches your machines. That’s one of the downsides of the internet, it has made the spreading of malware incredibly fast.

    4. Re:So... how screwed am I? by Gaygirlie · · Score: 2

      Unless Apple somehow fixes this the only truly working method would be to desolder all Thunderbolt-connectors or fill them with glue or something.

    5. Re:So... how screwed am I? by AmiMoJo · · Score: 1

      Cut the PCB tracks and rewire them to the mains 240/120v input. Anyone who tries to rape your machine will get a nasty surprise and their expensive hardware turned to slag.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:So... how screwed am I? by macs4all · · Score: 2

      And what do I do to stay unscrewed? a serious question from a Macbooker. /I'm expecting much hate but some wisdom embedded in the barbs

      It looks like if you are either:

      1. An owner of a Mac MANUFACTURED after June, 2014; and/or,

      2. Running at least OS X 10.10.4

      You are safe from any REMOTE Thunderstrike(2) Attacks.

      HOWEVER, you STILL have to be vigilant against the "Evil Maid" (someone deliberately sticking an infected Thunderbolt Ethernet Adapter, or an infected Thunderbolt-connected SSD into your computer while you aren't present/looking), and DON'T borrow/lend either of those two classes of Thunderbolt devices to/from ANYONE.

      And you should, for all intents and purposes, be ok.

    7. Re:So... how screwed am I? by mlts · · Score: 2

      All it takes is one ad server where the owners don't care what code some client uploads, and it means massive, almost instantaneous infections. With IP limiting tools, it could be a targeted attack from a direction that is relatively unexpected.

      Next to the excellent suggestions of the parent, I would also recommend 1-2 additions:

      If possible, run your Web browsing as a non-admin user, and switch to the admin user when needed. This adds one additional layer.

      Of course, the best thing is to use some form of virtualization so that malware doesn't ever get to touch bare metal. Even though they have happened, exploits that allow malware to leak out of a VM tend to be rare. In fact, the norm should be to run as little on bare metal as possible, but in the real world, that isn't doable for more than web browsing.

    8. Re:So... how screwed am I? by viperidaenz · · Score: 1

      Never let any of those peripherals out of your sight either! Someone could infect them in just a few seconds of inattention.

    9. Re:So... how screwed am I? by macs4all · · Score: 1

      Never let any of those peripherals out of your sight either! Someone could infect them in just a few seconds of inattention.

      No.

      Someone could conceivably REPLACE them with already-infected ones, or use already-infected ones nefariously to infect you, in just a few seconds; BUT I'm pretty sure that no one could infect YOUR TB-Ethernet Adapter in "just a few seconds of inattention." A few MINUTES, sure; but not a few seconds.

      And remember, this still requires essentially physical access to the machine (or at least the peripheral). For now, it looks like, contingent on the conditions of my first post, above, the REMOTE threat is over.

      Someone want to correct me on that, with citations?

    10. Re:So... how screwed am I? by viperidaenz · · Score: 1

      Seconds, since all you need to do to infect a TB-Ethernet adapter is plug it in to something.

      Any thunderbolt device with an Option ROM can be infected in seconds.
      citation

    11. Re:So... how screwed am I? by Trogre · · Score: 1

      Would that be AC or DC?

      If you can still have a register that detects when such a device is plugged in, you could have the screen flash up with the message:

      "You've been..."

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    12. Re:So... how screwed am I? by macs4all · · Score: 1

      Seconds, since all you need to do to infect a TB-Ethernet adapter is plug it in to something.

      Any thunderbolt device with an Option ROM can be infected in seconds. citation

      So you're postulating that, while someone is present, another person can:

      1. Pull out their Ethernet dongle (which presumably has a network cable attached)

      2. Fumble-fuck around, trying to surreptitiously stick the victim's dongle into a waiting infection-donor (which would likely have to be another laptop, probably a Mac)

      3. Wait (n) seconds for the dongle to enumerate and get the infection uploaded

      4. Pull it back out of the "donor" computer

      5. Fumble-fuck around trying to surreptitiously plug it back into the victim's laptop (and possibly reconnecting the network cable)...

      ALL in a FEW SECONDS, and WITHOUT BEING CAUGHT!?!?!???

      Maybe The Flash (no pun) could do it; but for us non-superhumans...

    13. Re:So... how screwed am I? by viperidaenz · · Score: 1

      Yes

      Thanks for adding "Fumble-fuck around". You make it seem like the thunderbolt connector is hard to use. If the device was plugged in to a macbook already, it would be easier to infect the macbook directly.

      Also for your assumption in step two that you'd have to use a laptop. You could use anything you can build a thunderbolt interface on. Like any FPGA with PCI Express interfaces or anything you can connect to a Thunderbolt interface chip, like the Si52131.

    14. Re:So... how screwed am I? by macs4all · · Score: 1

      Yes

      Thanks for adding "Fumble-fuck around". You make it seem like the thunderbolt connector is hard to use. If the device was plugged in to a macbook already, it would be easier to infect the macbook directly.

      Also for your assumption in step two that you'd have to use a laptop. You could use anything you can build a thunderbolt interface on. Like any FPGA with PCI Express interfaces or anything you can connect to a Thunderbolt interface chip, like the Si52131.

      I have a MacBook Pro and routinely use the TB Connector to plug in a DVI monitor adapter. I guarantee you that, under the conditions you describe, most humans would not be able to simply stab the male end into the exact spot on the first try, while trying to also be surreptitious.

      LOL, you been watching too many spy movies! So you spend several weeks/months Building up and coding/debugging an FPGA and TB chip gadget (and you better hope the protocol isn't too hairy), just so you can infect a few laptops before someone catches you and smashes both you AND your gadget into Raspberry Pie?!? Hilarious!

    15. Re:So... how screwed am I? by Anubis+IV · · Score: 1

      You're fine, says another researcher who was also presenting at this last Black Hat. Most relevant line:

      Is there anything I need to do?

      No, nearly everyone can ignore Thunderstrike 2 entirely. The research really is excellent, compelling work that the Wired piece unfortunately turned into a bit of a fright-fest.

      Apple exploits tend to be reported in more breathless terms than ones of comparable severity on other platforms (whether that's because tossing "Apple" in a headline makes for a lot of pageviews or because Apple beat reporters tend to be more clueless about malware, I can't say), which can make it hard to tell just how serious they actually are. In this case, both 10.10.4 and the latest betas of 10.11 already have fixes in place that prevent this particular attack. Moreover, in order to be infected in the first place, it requires that you either download the malware and execute it as an administrator, or that you allow someone to connect an infected Thunderbolt dongle to your machine.

    16. Re:So... how screwed am I? by viperidaenz · · Score: 1

      If it takes too long for Apple to fix it, people may start making and selling infection devices.
      They're probably already on the next version of the NSA ANT catalog

    17. Re:So... how screwed am I? by macs4all · · Score: 1

      If it takes too long for Apple to fix it, people may start making and selling infection devices. They're probably already on the next version of the NSA ANT catalog

      Too late, and too small a vulnerability (however nasty). I just learned that only one version of OS X is affected (10.10 Yosemite), and, as previously reported, the REMOTE part of the Vulnerability has been patched in 10.10.2 and fortified in 10.10.4. Apparently, the beta builds of 10.11 (El Capitan) are already patched, 'natch.

      And I am sure Apple is working hard now on closing the "Evil Maid" vulnerability, too.

  5. False! False false false! More Mac FUD! by jpellino · · Score: 3, Funny

    Unicorns are *not* free! You should see what they get for the special Unicorn Chow they eat, and trust me they don't stock that stuff at TSC.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  6. Re:Would a port of systemd to OS X defend against by NotDrWho · · Score: 0

    Sure, but the unicorns only work with Apple saddles.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  7. Re:1...2...3.... by ArmoredDragon · · Score: 0, Flamebait

    Actually it's been scientifically proven that Apple fans view that brand as they would a religion:

    http://www.pcmag.com/article2/...

  8. Re:1...2...3.... by NotDrWho · · Score: 1, Flamebait

    You just don't understand. Owning Apple is a way for hipsters to demonstrate their originality and reject the herd mentality of you PC users. This is achieved by buying all Apple products like every other hipster.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  9. Make the BIOS readonly .. by nickweller · · Score: 1

    Didn't there used to be a pin setting on the motherboard that prevented writing to the BIOS ..

    1. Re:Make the BIOS readonly .. by drinkypoo · · Score: 1

      Didn't there used to be a pin setting on the motherboard that prevented writing to the BIOS ..

      With the quickest of google searches I found an ECS mainboard which had one just five years ago, so I suspect some boards still have this.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
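    As an added, defender-side illustration (not code from the page or from Hudson's research) of what "Incorrect BIOS_CNTL configuration" and "Flash configuration is not set after S3 sleep" in the summary's vulnerability list mean, and of the software-side lock that the motherboard write-protect pin discussed above enforces in hardware: a Python decoder for the Intel PCH BIOS_CNTL register that classifies a reading taken at boot and one taken after an S3 resume. Assumed: the register lives at LPC bridge 00:1f.0, config offset 0xDC, with BIOSWE at bit 0, BLE at bit 1 and SMM_BWP at bit 5; the sample readings are constructed.

```python
# Decoder for the Intel PCH BIOS_CNTL register (LPC bridge 00:1f.0, offset 0xDC).
# Assumed bit layout: BIOSWE bit 0 (flash writes allowed), BLE bit 1 (setting
# BIOSWE raises an SMI so firmware can clear it again), SMM_BWP bit 5 (writes
# honoured only while the CPU is in SMM). On Linux: `setpci -s 00:1f.0 dc.b`.
from dataclasses import dataclass
from enum import IntEnum

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


class FlashState(IntEnum):
    # Ordered weakest to strongest so readings can be compared across a sleep cycle.
    WRITABLE = 0   # BIOSWE set, or BLE clear: any ring-0 code can write flash
    BLE_ONLY = 1   # BLE set but SMM_BWP clear: the Speed Racer race window
    PROTECTED = 2  # BLE and SMM_BWP set: writes only from SMM


@dataclass(frozen=True)
class BiosCntl:
    raw: int  # one byte as read from config space

    def bit(self, mask: int) -> bool:
        return bool(self.raw & mask)

    def classify(self) -> FlashState:
        if self.bit(BIOSWE) or not self.bit(BLE):
            return FlashState.WRITABLE
        if not self.bit(SMM_BWP):
            return FlashState.BLE_ONLY
        return FlashState.PROTECTED

    def describe(self) -> str:
        return (f"BIOS_CNTL=0x{self.raw:02x} BIOSWE={int(self.bit(BIOSWE))} "
                f"BLE={int(self.bit(BLE))} SMM_BWP={int(self.bit(SMM_BWP))} "
                f"-> {self.classify().name}")


def sleep_regression(before: int, after: int) -> bool:
    """True when protection is weaker after S3 resume than at boot: the Snorlax
    pattern, where the resume path never re-applies the lock bits."""
    return BiosCntl(after).classify() < BiosCntl(before).classify()


def audit(samples: dict) -> list:
    """samples maps a label to (boot value, post-resume value); returns finding lines."""
    findings = []
    for label, (boot, resumed) in samples.items():
        findings.append(f"{label}: {BiosCntl(boot).describe()}")
        if BiosCntl(boot).classify() is not FlashState.PROTECTED:
            findings.append(f"{label}: FINDING write protection incomplete at boot")
        if sleep_regression(boot, resumed):
            findings.append(f"{label}: FINDING protection lost after S3 resume "
                            f"(0x{boot:02x} -> 0x{resumed:02x})")
    return findings


# Constructed sample readings, not captured from any real machine.
SAMPLES = {
    "locked": (0x2A, 0x2A),      # BLE+SMM_BWP, kept across sleep
    "ble-only": (0x0A, 0x0A),    # BLE without SMM_BWP: race window
    "resume-bug": (0x2A, 0x08),  # locked at boot, lock bits gone after resume
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLES)))
```

A complete audit also checks the SPI protected-range registers, which this decoder does not cover.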
  10. Sorry man. by HideyoshiJP · · Score: 1

    I didn't mean to hurt you. I didn't mean to thunderstrike you.

  11. Re:Would a port of systemd to OS X defend against by macs4all · · Score: 0

    It's not needed. Everybody knows that macs don't get malware and come with a free unicorn.

    No. It's not needed because Apple already has launchd, which is what systemd was copied from.

  12. Re:You've been thunderstruck....again by BronsCon · · Score: 1

    Apple is in California, so the original lyrics work, as well.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  13. Not true. You can put a Wintec saddle on them, by jpellino · · Score: 1

    but a special set of bootstraps are required.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  14. Re:Would a port of systemd to OS X defend against by Anonymous Coward · · Score: 0

    ah so that's why it's so crappy.

  15. Re:Would a port of systemd to OS X defend against by macs4all · · Score: 0

    ah so that's why it's so crappy.

    No. Systemd is so crappy because it's a bad ripoff of the IDEA behind launchd. Launchd has been booting Macs and doing lotsa other stuff on them pretty much without incident since OSX 10.4 (Tiger). That's about a decade ago.

    Systemd is just an amateur-hour horrorshow.

  16. Re:You've been thunderstruck....again by KGIII · · Score: 1

    Unfortunately, and I mean that as nicely as possible, I now have AC/DC's Thunderstruck stuck in my head. Well, no, I have the general sound of it. I know like three words which are mostly gut noises and the word 'thunderstruck' and it is not all that enjoyable, really.

    --
    "So long and thanks for all the fish."
  17. Re:Would a port of systemd to OS X defend against by MachineShedFred · · Score: 1

    This is a troll, but OS X already has a pre-existing systemd-ish process control, called launchd which was open sourced under the Apache license like 10 years ago.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.