“A security researcher has discovered a way to infect Macs with malware virtually undetectable and that ‘can’t be removed,'” Adrian Kingsley-Hughes reports for ZDNet. “The attack, which has been called Thunderstrike, installs the malicious code into the Boot ROM of the system via the Thunderbolt port.”
“Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of the Magic Lantern open-source programming environment for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks,” Kingsley-Hughes reports. “After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system’s Thunderbolt port. ‘It turns out that the Thunderbolt port gives us a way to get code running when the system boots,’ wrote Hudson. ‘Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run.’”
“And once it is on your system, it is incredibly hard to remove,” Kingsley-Hughes reports. “Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. However, this update would not protect the system from having the Boot ROM tampered with directly.”
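The Option ROM mechanism Hudson describes is the standard PCI expansion ROM format, which EFI firmware walks image by image at boot before deciding what to execute. The following is an added example, not code from the original article or from Hudson's work, that parses that header layout from a dumped ROM and flags the EFI-type images the firmware would load, which is what a defender inventorying a peripheral would want to see; the sample ROM is constructed inline and its vendor and device IDs are placeholders.

```python
import struct

CODE_TYPES = {0x00: "x86 BIOS", 0x01: "Open Firmware", 0x02: "PA-RISC", 0x03: "EFI"}

def parse_option_rom(rom):
    """Walk the images in a PCI expansion ROM; 'efi' marks images EFI firmware would load."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xAA":           # every image starts with 55 AA
            raise ValueError(f"bad ROM signature at 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]  # pointer to PCIR struct
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"missing PCIR structure for image at 0x{off:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        blocks = struct.unpack_from("<H", rom, pcir + 0x10)[0]     # length in 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        # EFI images carry code type 0x03 and the 0x0EF1 signature at header offset 4
        is_efi = code_type == 0x03 and struct.unpack_from("<I", rom, off + 4)[0] == 0x0EF1
        images.append({"offset": off, "vendor": vendor, "device": device,
                       "type": CODE_TYPES.get(code_type, f"0x{code_type:02x}"),
                       "efi": is_efi, "size": blocks * 512})
        if indicator & 0x80 or blocks == 0:          # bit 7 of the indicator marks the last image
            break
        off += blocks * 512
    return images

def make_image(code_type, last, blocks=1, vendor=0xABCD, device=0x0001):
    """Build one synthetic Option ROM image for the demo (placeholder vendor/device IDs)."""
    img = bytearray(blocks * 512)
    img[0:2] = b"\x55\xAA"
    if code_type == 0x03:                            # EFI header: init size, 0x0EF1 signature
        struct.pack_into("<HI", img, 2, blocks, 0x0EF1)
        struct.pack_into("<H", img, 0x16, 0x80)      # offset of the EFI executable inside the image
    else:
        img[2] = blocks                              # legacy BIOS: size in 512-byte units
    struct.pack_into("<H", img, 0x18, 0x40)          # PCIR structure placed at 0x40
    struct.pack_into("<4sHH", img, 0x40, b"PCIR", vendor, device)
    struct.pack_into("<H", img, 0x4A, 0x18)          # PCIR structure length
    struct.pack_into("<H", img, 0x50, blocks)        # image length in 512-byte units
    img[0x54], img[0x55] = code_type, 0x80 if last else 0x00
    return bytes(img)

# Constructed sample ROM: a legacy BIOS image followed by an EFI image flagged as last.
SAMPLE_ROM = make_image(0x00, last=False) + make_image(0x03, last=True, blocks=2)

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(img)
```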
Read more in the full article here.
MacDailyNews Take: Much ado about pretty much nothing, unless you’re 007 or something, in which case you shouldn’t be leaving your MacBook unguarded with the maid or anybody else. This is a good thing because it leads directly to Apple hardening the Thunderbolt port.
Related article:
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015
Funniest one ever – Macs are vulnerable – lookout for a guy with a screwdriver and a soldering iron! IT CAN’T BE FIXED!!!
Yes, I read it folks. But come on, this one is funny.
unattended Macs are vulnerable to being exchanged entirely!
Exchanged, heck, just clone the documents folder in a few minutes when you have access and the owner may not be the wiser.
Or, again, unsolder the /Users folder and take it with you!
Lol
News Flash: According to Braindead Analysts, unauthorized dismantling of your Mac can lead to the installation of explosives capable of blowing up your house. A spokesman for the company recommends that all Mac users get rid of their computers immediately.
😆
Windows’ latest security hole
Google is putting pressure on Microsoft to fix a security flaw in Windows, said Chris Welch in TheVerge.com. Google’s security research team revealed last week that a flaw in Microsoft’s Windows 8.1 software “allows low-level users to gain administrator privileges” on Windows machines. But Google’s decision to go public came with “one big problem: There was no fix from Microsoft.” That means some Windows customers—especially business users—face “a legitimate threat” from users who wish to exploit the vulnerability. Microsoft, which has known about the flaw since September, says a software update is now on the way.
Guess I must have missed all the “Microsoft is Doomed” press releases about this? Oh, it isn’t Apple! /s
Like I would ever leave my baby alone, get real!
I don’t get this. The claim: you can plug in an infected device into your Mac, the Mac’s firmware will be rewritten with a new “key” which can’t be removed. However the makers of the malformed firmware could update it because they have the key.
How is it, these hackers, with their ill spying firmware, is supposed to be much better than Apple, where they can bypass Apple’s own security, wiping and overwriting their key, firmware signatures, but Apple could not come back and do the same?
Why couldn’t Apple just change their firmware to prevent this type of attack?
To me it seems there’s a logical problem with the researcher’s announcement. It smacks of F.U.D. + government & corporate espionage. Anyway, I can’t see this as being particularly critical, but it’s all beyond me, from an engineer’s point of view.
Apple can/will. The most likely solution will be that all TB hardware will have to be certified / keyed by Apple and enabled by firmware update from Apple.
If their hardware cert process is as smooth as their App Store process, they’ll be effectively locking out all but the biggest manufacturers and thunderbolt as a platform will be stifled.
Bummer.
Don’t forget about this: http://www.forbes.com/sites/erikkain/2013/12/29/report-nsa-intercepting-laptops-ordered-online-installing-spyware/
We don’t know how plausible it is and if they can intercept Apple computers, but it is one possible way of being infected BEFORE you ever get your hands on the computer.
No Thunderbolt connection means many are safe then.
How dumb – this is total FUD
Thanks for the heads up!
I put a glob of epoxy over each of the screws on my laptop and glued a Thunderbolt plug into the jack and broke it off. Now I feel much safer.
What this, and last week’s, Thunderbolt hands-on attack is going to do is get Apple moving to block the problems. That will be great.
Your turn Apple…
Also, as I pointed out last week, USB has a VERY long-standing problem of similar security peril. Nothing to solve it has been forthcoming from Intel, which invented and maintains USB.
USB doesn’t have direct memory access to the “core” of the system like Thunderbolt and FireWire before it, though. TB and FW are like external PCI access: maximum possible speed with minimal overhead.
Excellent points!
Uhh, you may want to check out BadUSB https://srlabs.de/badusb/
I didn’t dismiss the fact USB can hijack a computer, just that (by design anyway, unless it’s changed recently) USB is not supposed to be direct-linked to system memory the way TB, FW and PCI are.
Granted it’s a meaningless distinction for non-technical users, the same way trojan horses technically aren’t viruses. Both are malware of course.
Obviously there are serious flaws in USB from the more benign (no signed device IDs needed, which let Palm spoof their devices as iPods) to the very serious (USB devices attacking connected devices), that need to be addressed.
This headline is really over-the-top drama over nothing. Physical access to anyone’s computer is hard in itself. Breaking into a password-protected Admin account isn’t an easy task either. And whoever did this would have to know you really well to even want to attempt something like this. Really comes down to the 007 spy stuff, which 99.9% of us are not going to be affected by. Yes, it may be possible, but Windows machines would be more easily affected than any Macs out there. Try making up B.S. about them, because this story is really bad!
It is still notable in that it may result in people being more careful about the origins of the peripherals they purchase for their Macs. It is entirely possible for users to do it to themselves without any knowledge, by buying ‘infected’ hardware.
Gorilla tape placed over T-Bolt port. Problem solved.
Anyone with a USB drive can boot to an OS and change whatever. Bah. It just makes Apple add a security block to the next gen of computers.