Programming expert and security researcher Trammell Hudson demonstrated at the recent Chaos Computer Congress in Hamburg that it is possible to rewrite the firmware of an Intel Thunderbolt Mac. The hack, known as Thunderstrike, writes malicious code into the boot ROM of an Apple computer through infected Thunderbolt devices. Because it attacks only the Apple Extensible Firmware Interface (EFI), reinstalling the OS does nothing to remove it.
“Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware,” said Trammell Hudson.
Once the untrusted code has been flashed to the firmware, it makes itself impossible to remove because it completely replaces Apple’s RSA key. Anything that isn’t signed by the attacker’s private key, including updates, is denied. On top of that, the code is capable of replicating itself to the option ROMs of other Thunderbolt hardware connected to an infected Thunderbolt Mac. Detection of the attack is almost impossible, as compromised computers appear to function normally.
But not all the news for Thunderbolt Mac users is as grim as it seems. Apple has already implemented a fix for the latest Mac mini and iMacs with Retina display. And according to Hudson, he has not found any firmware bootkits in the wild, so it can be presumed that the vulnerability can only be exploited if the attacker has physical access to the Thunderbolt Mac.
This hacking method is reminiscent of the antics recently displayed by the NSA, which intercepted whole shipments of computers to install bootkits on them before they reached their final buyers. Once infected, such a first batch of machines can easily spread the malicious code through something as harmless and ubiquitous as a Thunderbolt monitor in a hotel business center.
The slides from Hudson’s lecture demonstration are publicly available on Flickr, and he has posted a one-hour video on his website. He states that he has been in contact with Apple regarding this security risk, and that the information on his slides provides enough “pseudo-code” to allow other researchers to verify the hack, yet his findings will not make it easy for those eager to exploit it.
This demonstration is in a similar vein to the one given a year earlier at the same Chaos Computer Congress by hacker Jan Krissler. In his presentation he showed how lifted fingerprints could be used to fool Touch ID, and even suggested that the trick could be performed using only a photograph of a finger.
This article was syndicated from Business 2 Community: Security Researcher Says Thunderbolt Macs Vulnerable, Rewrites Firmware Over Thunderbolt