Slashdot Mirror


Thunderstrike2 Details Revealed

An anonymous reader writes: Prior to DefCon and BlackHat, we learned that Trammell Hudson had developed a firmware worm for Apple machines that could spread over Thunderbolt hardware accessories. Now that both conferences have finished, Hudson has published slides and an annotated transcript detailing how the worm works.

A brief quote: "Thunderstrike 2 takes advantage of four older, previously disclosed vulnerabilities. These had all been known and fixed on other platforms, but not on Apple's MacBooks. ... Speed Racer (Incorrect BIOS_CNTL configuration, 2014, VU#766164), Darth Venamis (S3 boot script injection, 2014, VU#976132), Snorlax (Flash configuration is not set after S3 sleep, 2013, VU#577140) and PrinceHarming (2015) Unsigned Option ROMs (2007, 2012). ... While we're looking at Apple specifically in this research, the overall message is that many vendors are not keeping up to date and are not responding to CERT, especially if it requires effort to port or test vulnerabilities from other vendor platforms."


  1. Re:So... how screwed am I? by Morris von Habsburg · Score: 3, Informative

    First of all, keep an eye on the updates. They should automatically install (or at least warn of their availability) by default. Apple can push out a separate EFI upgrade or it can be a part of the next big update (10.10.5 for instance, which is imminent). I expect some or all of these to be fixed fairly quickly.

    In the meantime, make sure that you haven’t disabled Gatekeeper (which is on by default). While Gatekeeper can’t defend against infected peripherals you stick in your Thunderbolt port, it can protect against online attacks trying to infect your machine with the Thunderstrike payload. And the chances of being infected through the internet (malicious ads, drive-by downloads, trojans etc.) are far greater than through a peripheral, as it can take months or years before an old-fashioned physical malware spread reaches your machines. That’s one of the downsides of the internet: it has made the spreading of malware incredibly fast.