Slashdot Mirror


Thunderstrike2 Details Revealed

An anonymous reader writes: Prior to DefCon and BlackHat, we learned that Trammell Hudson had developed a firmware worm for Apple machines that could spread over Thunderbolt hardware accessories. Now that both conferences have finished, Hudson has published slides and an annotated transcript detailing how the worm works.

A brief quote: "Thunderstrike 2 takes advantage of four older, previously disclosed vulnerabilities. These had all been known and fixed on other platforms, but not on Apple's MacBooks. ... Speed Racer (Incorrect BIOS_CNTL configuration, 2014, VU#766164), Darth Venamis (S3 boot script injection, 2014, VU#976132), Snorlax (Flash configuration is not set after S3 sleep, 2013, VU#577140) and PrinceHarming (2015), Unsigned Option ROMs (2007, 2012). ... While we're looking at Apple specifically in this research, the overall message is that many vendors are not keeping up to date and are not responding to CERT, especially if it requires effort to port or test vulnerabilities from other vendor platforms."
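Two of the four issues listed above come down to the state of one chipset register. Speed Racer is a race against the SMI handler that fires when a ring-0 driver sets the BIOS Write Enable bit while only BIOS Lock Enable (and not SMM_BWP) is set; Snorlax is the same lock bits not being re-asserted after an S3 resume. The following is an added example, not code from Hudson's talk or from Apple's firmware, that decodes the BIOS_CNTL bits the way a firmware-checker such as chipsec's bios_wp test does and flags a post-resume regression. The bit positions are the documented Intel PCH BIOS_CNTL layout (LPC config offset 0xDC); every register value fed to it here is constructed for illustration, not read from a real machine.

```c
/*
 * Added example: classify SPI flash write protection from BIOS_CNTL and
 * detect the Snorlax pattern (protection present before suspend, gone after
 * S3 resume). Register values in main() are constructed, not measured.
 */
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bit layout (Intel PCH, LPC config space offset 0xDC). */
#define BIOS_CNTL_BIOSWE   (1u << 0)  /* BIOS Write Enable: flash is writable   */
#define BIOS_CNTL_BLE      (1u << 1)  /* BIOS Lock Enable: setting BIOSWE fires an SMI */
#define BIOS_CNTL_SMM_BWP  (1u << 5)  /* SMM BIOS Write Protect: writes only from SMM */

/* Ordered from weakest to strongest so states can be compared. */
enum flash_wp_state {
    FLASH_WRITABLE,   /* BIOSWE set: any ring-0 code can write the flash   */
    FLASH_UNLOCKED,   /* BLE clear: ring-0 code can just set BIOSWE         */
    FLASH_RACEABLE,   /* BLE set, SMM_BWP clear: the Speed Racer race window */
    FLASH_PROTECTED   /* BLE and SMM_BWP set: writes only allowed from SMM  */
};

enum flash_wp_state classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & BIOS_CNTL_BIOSWE)
        return FLASH_WRITABLE;
    if (!(bios_cntl & BIOS_CNTL_BLE))
        return FLASH_UNLOCKED;
    if (!(bios_cntl & BIOS_CNTL_SMM_BWP))
        return FLASH_RACEABLE;
    return FLASH_PROTECTED;
}

const char *flash_wp_name(enum flash_wp_state s)
{
    switch (s) {
    case FLASH_WRITABLE:  return "WRITABLE (BIOSWE set)";
    case FLASH_UNLOCKED:  return "UNLOCKED (BLE clear)";
    case FLASH_RACEABLE:  return "RACEABLE (BLE set, SMM_BWP clear: Speed Racer)";
    case FLASH_PROTECTED: return "PROTECTED (BLE and SMM_BWP set)";
    }
    return "UNKNOWN";
}

/*
 * Snorlax check: returns 1 when the post-resume state is weaker than the
 * pre-suspend state, i.e. the firmware did not restore its lock bits.
 */
int s3_resume_regressed(uint8_t before_suspend, uint8_t after_resume)
{
    return classify_bios_cntl(after_resume) < classify_bios_cntl(before_suspend);
}

int main(void)
{
    /* Constructed snapshots: what a checker might read before and after S3. */
    uint8_t before = BIOS_CNTL_BLE | BIOS_CNTL_SMM_BWP;   /* 0x22 */
    uint8_t after  = 0x00;                                /* nothing re-asserted */

    printf("before suspend: 0x%02x -> %s\n", before,
           flash_wp_name(classify_bios_cntl(before)));
    printf("after resume:   0x%02x -> %s\n", after,
           flash_wp_name(classify_bios_cntl(after)));
    printf("S3 regression:  %s\n", s3_resume_regressed(before, after) ? "YES" : "no");
    return 0;
}
```

The classifier deliberately treats BLE-without-SMM_BWP as its own state rather than as "locked": on a platform that sets only BLE, a write to BIOSWE does trap to SMM, but a second thread can squeeze a flash write in before the SMI handler clears the bit, which is the whole of Speed Racer. Note the check covers only BIOS_CNTL; a firmware can also protect flash with the SPI Protected Range registers (PR0 to PR4), so "UNLOCKED" here means "not protected by this mechanism", not necessarily writable.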

7 of 65 comments

  1. False! False false false! More Mac FUD! by jpellino · Score: 3, Funny

    Unicorns are *not* free! You should see what they get for the special Unicorn Chow they eat, and trust me they don't stock that stuff at TSC.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  2. Re:Is this still a Remote Exploit? by gstoddart · Score: 2

    or is it back to the "Evil Maid" scenario only?

    Always assume the "evil maid" scenario could happen.

    If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works, the "evil maid" is a subset of all things in which you can trick people into plugging in your exploit. Social engineering is a remarkable way around security.

    It also says if you have a portable Thunderbolt device and ever use it anywhere from home, your own stuff could be the 'remote' vector.

    One person's theoretical vulnerability can often become a real exploit before long.

    --
    Lost at C:>. Found at C.
  3. Re:So... how screwed am I? by Morris+von+Habsburg · Score: 3, Informative

    First of all, keep an eye on the updates. They should automatically install (or at least warn of their availability) by default. Apple can push out a separate EFI upgrade or it can be a part of the next big update (10.10.5 for instance, which is imminent). I expect some or all of these to be fixed fairly quickly.

    In the meantime, make sure that you haven't disabled Gatekeeper (which is on by default). While Gatekeeper can't defend against infected peripherals you stick in your Thunderbolt port, it can protect against online attacks trying to infect your machine with the Thunderstrike payload. And the chances of being infected through the internet (malicious ads, drive-by downloads, trojans etc.) are far greater than through a peripheral, as it can take months or years before an old-fashioned physical malware spread reaches your machines. That's one of the downsides of the internet: it has made the spreading of malware incredibly fast.

  4. Re:So... how screwed am I? by Gaygirlie · Score: 2

    Unless Apple somehow fixes this the only truly working method would be to desolder all Thunderbolt-connectors or fill them with glue or something.

  5. Re:So... how screwed am I? by macs4all · Score: 2

    And what do I do to stay unscrewed? a serious question from a Macbooker. /I'm expecting much hate but some wisdom embedded in the barbs

    It looks like if you are either:

    1. An owner of a Mac MANUFACTURED after June, 2014; and/or,

    2. Running at least OS X 10.10.4

    You are safe from any REMOTE Thunderstrike(2) Attacks.

    HOWEVER, you STILL have to be vigilant against the "Evil Maid" (someone deliberately sticking an infected Thunderbolt Ethernet Adapter, or an infected Thunderbolt-connected SSD into your computer while you aren't present/looking), and DON'T borrow/lend either of those two classes of Thunderbolt devices to/from ANYONE.

    And you should, for all intents and purposes, be ok.

  6. Re: These vulnerability names by U2xhc2hkb3QgU3Vja3M · Score: 2

    Now you're just making up acronyms...

  7. Re:So... how screwed am I? by mlts · Score: 2

    All it takes is one ad server where the owners don't care what code some client uploads, and it means massive, almost instantaneous infections. With IP limiting tools, it could be a targeted attack from a direction that is relatively unexpected.

    Next to the excellent suggestions of the parent, I would also recommend 1-2 additions:

    If possible, run your Web browsing as a non-admin user, and switch to the admin user when needed. This adds one additional layer.

    Of course, the best thing is to use some form of virtualization so that malware doesn't ever get to touch bare metal. Even though they have happened, exploits that allow malware to leak out of a VM tend to be rare. In fact, the norm should be to run as little on bare metal as possible, but in the real world, that isn't doable for more than web browsing.