New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs

“Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011,” Dan Goodin reports for Ars Technica.

“Once installed the bootkit — that is, malware that replaces the firmware that is normally used to boot Macs — can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running,” Goodin reports. “Because it’s independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.”

“The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac’s Thunderbolt interface,” Goodin reports. “When plugged into a Mac that’s in the process of booting up, the device injects what’s known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac’s system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can’t easily be removed by anyone who doesn’t have the new key.”
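The Option ROM that Goodin describes is an ordinary PCI expansion ROM image whose code type marks it as EFI code, which is why the firmware loads it before the OS. As an added example (not from the article or from the Thunderstrike research), the following Python parser walks a ROM dump, lists each image from its PCIR data structure, and flags the EFI-type images so a defender auditing a Thunderbolt peripheral's ROM can see what the boot firmware would execute; the two-image sample ROM is constructed inline and is not a real device ROM.

```python
import struct

# Offsets follow the PCI Firmware Specification expansion ROM header / PCIR
# structure and the UEFI spec's EFI ROM header variant (PCIR code type 3).
ROM_SIG = b"\x55\xaa"
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_option_rom(blob: bytes):
    """Walk every image in an expansion ROM dump and describe it (nothing is executed)."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != ROM_SIG:
            raise ValueError(f"bad ROM signature at 0x{off:x}")
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if blob[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"bad PCIR signature at 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        n512 = struct.unpack_from("<H", blob, pcir + 0x10)[0]  # image length in 512-byte units
        code_type, indicator = blob[pcir + 0x14], blob[pcir + 0x15]
        entry = {"offset": off, "vendor": vendor, "device": device, "length": n512 * 512,
                 "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})")}
        if code_type == 3:  # EFI image: header carries EFI signature, subsystem, machine type
            sig, subsystem, machine, compressed = struct.unpack_from("<IHHH", blob, off + 4)
            entry["efi"] = {"valid_sig": sig == 0x0EF1, "subsystem": subsystem,
                            "machine": machine, "compressed": bool(compressed)}
        images.append(entry)
        if indicator & 0x80 or n512 == 0:  # bit 7 of the indicator byte marks the last image
            break
        off += n512 * 512
    return images

def efi_images(blob: bytes):
    """Only the EFI-type images are run by the boot firmware; inspect these first."""
    return [img for img in parse_option_rom(blob) if img["code_type"] == "EFI"]

def build_image(vendor, device, code_type, last, n512=1):
    """Construct a minimal well-formed image (test fixture, not a real device ROM)."""
    img, pcir = bytearray(n512 * 512), 0x40
    img[0:2] = ROM_SIG
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == 3:  # EFI sig, BOOT_SERVICE_DRIVER subsystem (0x0B), x64 machine, uncompressed
        struct.pack_into("<IHHH", img, 4, 0x0EF1, 0x0B, 0x8664, 0)
    img[pcir:pcir + 4] = b"PCIR"
    struct.pack_into("<HH", img, pcir + 4, vendor, device)
    struct.pack_into("<H", img, pcir + 0x10, n512)
    img[pcir + 0x14], img[pcir + 0x15] = code_type, 0x80 if last else 0
    return bytes(img)

# Constructed two-image ROM: a legacy BIOS image followed by a final 1 KiB EFI image.
SAMPLE_ROM = build_image(0x1234, 0x5678, 0, last=False) + build_image(0x1234, 0x5678, 3, last=True, n512=2)
```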

Much more in the full article here.

[Thanks to MacDailyNews Reader “David G.” for the heads up.]

14 Comments

    1. Not that simple. What about at border crossings? Airport screenings?

      And we already know that the NSA intercepts hardware in-transit to install surveillance software (supposedly only to foreign buyers).

    2. Not exactly correct. All you need to do is plug in a compromised Thunderbolt device. Do you not use any Thunderbolt devices?
      The large majority of these Thunderbolt devices are manufactured in China. You don’t know what’s in there.

  1. The security flaw that allows this problem is similar to a flaw in Firewire whereby connected external devices could maliciously access the computer. Apple has known about these flaws for a long period of time. What’s new is the proof-of-concept kit which of course makes exploitation of this flaw far more likely and imminent. It is up to Apple to solve this situation.

    Meanwhile: YES, physical access to your devices is REQUIRED. A malicious external device must be connected to your device in order for the exploit to occur.

    Of note: USB has its own similar security flaw. That flaw has been known for years and has not been patched. The USB flaw is actually far more dangerous because users very commonly plug their devices into USB charging terminals at airports, etc. If those terminals have been made malicious, data on the connected devices can be accessed, stolen, erased or changed.

    ∑ = Be careful what you plug into your devices.

    1. Hi Derek,

      When you said:
      “The USB flaw is actually far more dangerous because users very commonly plug their devices into USB charging terminals at airports, etc.”

      Q: I have not been to an airport recently to see a USB charging station — So if the charging station is infected, then by plugging in any USB device (iPhone, iPad, iPod, and, what else, for example?), then the device would or could be infected?
      Just wanted more info here.
      Thanks.
      -Dogadoga

  2. Also new, specific to Mac security:

    Spotlight search in Yosemite exposes private user details to spammers
    Search feature overrides widely used setting blocking remote images.

    Using the Spotlight search feature in OS X Yosemite can leak IP addresses and private details to spammers and other e-mail-based scammers, according to tests independently performed by two news outlets.

    This problem isn’t going to PWN your Mac, but it gives away aspects of your privacy. Spamrats happily gnaw away at any personal tidbit they can obtain. In this case, they are using what are called web bugs, which verify who exactly opened their spam on a computer. It relays the victim’s IP address. Further spam then results.

    ∑ = Keep “load remote content in messages” in Apple Mail turned OFF. Wait for Apple to patch this Spotlight blunder that turns it back on again for searches. Silly Apple.
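The web bugs the comment above refers to are remote resources, usually a tiny or hidden image with a per-recipient token in its URL, that are fetched only when remote content loading is on. As an added example (not from the comment, the article, or Apple), the Python scanner below lists every remote resource an HTML message would fetch and flags the ones shaped like a tracking pixel; the sample message is constructed inline.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteContentScanner(HTMLParser):
    """Collect every remote resource an HTML mail fetches when remote content is loaded."""
    FETCHING_TAGS = {"img": "src", "iframe": "src", "video": "src", "audio": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(self.FETCHING_TAGS.get(tag, ""))
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # cid:/data: parts and relative references never reach a remote server
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        # A 1x1 or hidden image carrying a query string is the classic web bug: its only
        # purpose is to report the fetch (and the fetcher's IP address) back to the sender.
        self.remote.append({"tag": tag, "url": url,
                            "web_bug": tag == "img" and (tiny or hidden) and "?" in url})

def scan_mail_html(html: str):
    scanner = RemoteContentScanner()
    scanner.feed(html)
    return scanner.remote

def web_bugs(html: str):
    """URLs that would leak the reader's IP address to whoever controls them."""
    return [r["url"] for r in scan_mail_html(html) if r["web_bug"]]

# Constructed sample: a tracking pixel, an inline (cid:) logo, and an ordinary remote banner.
SAMPLE_MAIL = """<html><body><p>Exclusive offer!</p>
<img src="https://track.example/open.gif?rcpt=a1b2c3d4e5f6" width="1" height="1">
<img src="cid:logo@local" width="200" height="50">
<img src="https://cdn.example/banner.png" width="600" height="90">
</body></html>"""
```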

  3. OK, I request some clarification. This and the USB issue only require one to plug in a dongle (Thunderbolt or USB) that has been corrupted? Correct?

    If that is all, then this is serious as most dongles come from China and we know how corrupt they are!!

    If, on the other hand, one requires the corrupt dongle and having to hit several really odd key combinations, then we are pretty safe. And the articles all seem to want to push their own message so I am left confused.

    Any good input is appreciated.

  4. Brief physical access, at my house and the dog will try to chew your arm off.

    Securing my Macs is a very dangerous operation that might cause amputation.
