“Trammell Hudson, an employee of high-tech hedge fund Two Sigma Investments, created something of a storm late last year with his Thunderstrike exploit on Apple Macs,” Thomas Fox-Brewster reports for Forbes. “It was the first time anyone had demonstrated a Mac bootkit – malware that launches ahead of the operating system, from the moment the PC starts, and is hidden from security tools, most of which don’t delve so deep inside Macs’ innards. It’s probably the most surreptitious, devilish kind of malware one can get onto a PC, effectively granting an attacker total control over the computer.”
“There was one major barrier to exploitation outside of labs, however: it required physical access to the target PC,” Fox-Brewster reports. “But now that Hudson has collaborated with self-proclaimed ‘voodoo’ researchers Xeno Kovah and Corey Kallenberg, Mac bootkits can be delivered from anywhere on the planet. They could also jump between machines over infected Thunderbolt devices, creating a ‘firmworm.’”
“To get that bootkit up and running, there are numerous paths a malicious hacker could take. The one the trio will show off at the Black Hat security conference in Las Vegas this week will assume the attacker already has root control over the machine. Getting to that point is not the simplest of tasks on Apple Macs, but an Oracle Java or Adobe Flash exploit would do the trick,” Fox-Brewster reports. “In the video below, Hudson shows how an attack can jump from OROMs, to the BIOS, and back to the OROMs, primed to infect another Mac.”
Read more in the full article here.
MacDailyNews Take: Firmworm? Sounds like something starring in the U.S. NSA’s wet dream.
EFI firmware attacks. Proof that not everything about Apple’s switch to x86 was peachy keen.
[An effective] countermeasure would involve hardware vendors giving users the ability to easily read their machine’s firmware to determine if it has changed since installation. If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check to see if what’s installed on their machine differs from the checksums. A checksum is a cryptographic representation of data that is created by running the data through an algorithm to produce a unique identifier composed of letters and numbers. Each checksum is supposed to be unique so that if anything changes in the dataset, it will produce a different checksum.
But hardware makers aren’t implementing these changes because it would require re-architecting systems, and in the absence of users demanding more security for their firmware, hardware makers aren’t likely to make the changes on their own.
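The check described above, as an added example that is not part of the original article or of the researchers’ work: a vendor publishes a cryptographic digest of each firmware build, the user dumps what is actually in flash and compares. The script below is illustrative; the firmware image, the file name and the manifest are constructed in memory. Two caveats a practitioner would add: the “checksum” must be a cryptographic hash such as SHA-256, since a plain additive or CRC checksum does not detect a crafted change (the last two functions show that a byte swap leaves an additive checksum unchanged), and a dump taken through firmware that is already compromised cannot be trusted, because the implant can return a clean copy, so a reference dump should be read externally (for example with an SPI programmer).

```python
"""Verify a firmware dump against a vendor-published SHA-256 manifest.

Added example for this page; not Apple's, Hudson's or Kovah's code.
All firmware images and the manifest below are constructed test data.
"""
import hashlib
import hmac

# Constructed stand-in for a 4 KiB firmware image as the vendor shipped it.
VENDOR_IMAGE = bytes(range(256)) * 16

# Hypothetical file name and manifest in sha256sum(1) format ("digest  name").
IMAGE_NAME = "example_efi_firmware.fd"
VENDOR_MANIFEST = "%s  %s\n" % (hashlib.sha256(VENDOR_IMAGE).hexdigest(), IMAGE_NAME)


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines into {filename: hexdigest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = digest.lower()
    return entries


def verify_image(image, name, manifest):
    """Return True iff sha256(image) equals the manifest entry for name.

    hmac.compare_digest avoids leaking how many leading hex digits matched.
    """
    expected = manifest.get(name)
    if expected is None:
        raise KeyError("no manifest entry for %s" % name)
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected)


def additive_checksum(data):
    """Naive 16-bit additive checksum.

    It is order-insensitive, so reordering bytes (e.g. two entries in a
    dispatch table) is invisible to it. Shown only to contrast with SHA-256.
    """
    return sum(data) & 0xFFFF


def tampered_image():
    """Constructed tampering: swap two adjacent bytes inside the image."""
    img = bytearray(VENDOR_IMAGE)
    img[0x100], img[0x101] = img[0x101], img[0x100]
    return bytes(img)


if __name__ == "__main__":
    manifest = parse_manifest(VENDOR_MANIFEST)
    print("vendor image matches manifest:", verify_image(VENDOR_IMAGE, IMAGE_NAME, manifest))
    bad = tampered_image()
    print("tampered image matches manifest:", verify_image(bad, IMAGE_NAME, manifest))
    print("additive checksum unchanged by tampering:",
          additive_checksum(bad) == additive_checksum(VENDOR_IMAGE))
```

In practice the image would be read from a dump file and the manifest fetched over an authenticated channel; the comparison logic is the same.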
“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware,” Kovah notes. “Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security.”
Apple, which is all in on privacy, should certainly work to fix this problem.
That said, of course the old rule still applies: Do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.
Apple secures Macs against ‘Thunderstrike’ attacks in OS X 10.10.2 – January 24, 2015
Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required – January 12, 2015
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015
[Thanks to MacDailyNews Reader “Edward W.” for the heads up.]