The hack was presented yesteryear programming goodness Trammell Hudson at the annual Chaos Computer Congress (30C3) in Hamburg Germany. He demonstrated that it is possible to rewrite the firmware of an Intel Thunderbolt Mac.
The hack, dubbed Thunderstrike, genuinely takes wages of a years-old vulnerability inwards the Thunderbolt Option ROM that was starting fourth dimension disclosed inwards 2012 but is even then to live on patched. Thunderstrike tin infect the Apple Extensible Firmware Interface (EFI) by allocating a malicious code into the kicking ROM of an Apple reckoner through infected Thunderbolt devices.
The hack is genuinely unsafe as, according to the researcher, in that place is no way for the user to uncovering the hack, or take it fifty-fifty yesteryear re-installation of the consummate OS X, solely because the malicious code genuinely is inwards the system’s ain split ROM.
"Since the kicking ROM is independent of the operating system, reinstallation of OS X volition non take it. Nor does it depend on anything stored on the disk, then replacing the difficult drive has no effect. Influenza A virus subtype H5N1 hardware in-system-programming device is the solely way to restore the stock firmware."
Hudson too showed that he could supercede Apple's ain cryptographic primal amongst a novel one, which volition preclude legitimate firmware updates from beingness accepted.
"There are neither hardware nor software cryptographic checks at kicking fourth dimension of firmware validity, then 1 time the malicious code has been flashed to the ROM, it controls the arrangement from the really starting fourth dimension instruction," Trammell Hudson said. "It could utilisation SMM in addition to other techniques to cover from attempts to uncovering it."
In add-on to writing a custom code to the kicking ROM, Hudson’s presentation too notes a method yesteryear which the bootkit could replicate itself to whatever attached Thunderbolt device, giving it the mightiness to spread across fifty-fifty air-gapped networks.
In short, an assailant could utilisation the vulnerable Thunderbolt port to install a custom bootkit, which could fifty-fifty replicate itself to whatever other Thunderbolt-attached device, thereby spreading all over across the networks.
You tin sentinel the entire presentation given yesteryear Hudson below in addition to tin too advert this blog post to know to a greater extent than nearly Thunderstrike.
As far equally Hudson knows, in that place are no Mac firmware bootkits inwards the wild in addition to at this time, it exists solely equally a proof-of-concept. So, nosotros tin presume that the vulnerability tin solely live on exploited if the assailant has physical access to the Thunderbolt Mac. Therefore, a regular Mac user need non to worry nearly the hack.
Apple has already patched utilisation of the vulnerability inwards the latest Mac mini in addition to on the iMac amongst 5K Retina Display, which volition presently live on available for other Macs.
