Trammel Hudson gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack called Thunderstrike, an OS X bootkit delivered either through direct access to the Apple hardware or via a Thunderbolt-connected peripheral device.
The end result is the installation of malicious firmware on an Apple machine that would survive reinstallation of OS X or replacement of the Solid State Drive (SSD). Thunderstrike is undetectable, Hudson said, and can be used for root access to an infected computer, putting all of its data and web traffic at risk for interception and monitoring.
Hudson’s bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple’s RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key in place of Apple’s, so that future updates can only be signed by the attacker’s key. The attack also disables the loading of further Option ROMs, closing that window of opportunity. A weaponized version of this attack would have free rein over the system at ring 0.
How do we prevent Thunderstrike?
Apple has a partial fix that they have started shipping in the new Mac Minis and iMac Retinas, and they plan to release it for older Macs soon as a firmware update. Their fix is to not load Option ROMs during firmware updates, which is effective against the current proof-of-concept.
However, it is not a complete fix. Option ROMs are still loaded on normal boots, allowing snare’s 2012 attack to continue working. Older Macs also remain subject to downgrade attacks, in which the firmware is “updated” to an earlier, vulnerable version.
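The two weaknesses described above, a signature check that trusts whatever public key currently sits in the boot ROM, and an updater that accepts any correctly signed image regardless of version, can be made concrete with a small model. The following Python is an added illustration written for this summary; it is not Apple’s code and does not reproduce the real EFI update path. It uses a tiny textbook-RSA stand-in with fixed constructed primes, a `BootRom` record whose key slot is writable (the condition the text describes), and two verifiers: a naive one that mirrors the check the attack defeats, and a hardened one that pins the vendor key fingerprint and refuses rollback to a lower version. The pinned fingerprint, the version field and all firmware payloads are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA built from fixed small primes. Constructed stand-in for the real
# RSA scheme the article describes; it exists only to make the key-swap and rollback
# logic runnable offline and must not be used for anything real.
VENDOR_PRIMES = (65537, 4294967311)     # constructed vendor key material
ATTACKER_PRIMES = (65521, 4294967291)   # constructed attacker key material
PUBLIC_EXPONENT = 11                    # coprime with both totients above


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def fingerprint(self) -> str:
        # SHA-256 over the key parameters; this is what a manufacturer could burn
        # into one-time-programmable storage to pin the genuine vendor key.
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT):
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    return pow(_digest(data, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, signature: int) -> bool:
    return pow(signature, pub.e, pub.n) == _digest(data, pub.n)


@dataclass(frozen=True)
class FirmwareUpdate:
    version: int          # assumed monotonically increasing version number
    payload: bytes
    signature: int

    def signed_bytes(self) -> bytes:
        # The version is covered by the signature so it cannot be edited after signing.
        return self.version.to_bytes(4, "big") + self.payload


def make_update(priv: PrivateKey, version: int, payload: bytes) -> FirmwareUpdate:
    body = version.to_bytes(4, "big") + payload
    return FirmwareUpdate(version, payload, sign(priv, body))


@dataclass
class BootRom:
    trusted_key: PublicKey   # key slot; writable in the scenario the article describes
    installed_version: int


def naive_accept(rom: BootRom, update: FirmwareUpdate) -> bool:
    """Accept any update that verifies under whatever key is in the ROM slot.
    This is the check the key-swap defeats: once the slot holds the attacker's
    key, attacker-signed images verify perfectly."""
    return verify(rom.trusted_key, update.signed_bytes(), update.signature)


def hardened_accept(rom: BootRom, update: FirmwareUpdate, pinned_fingerprint: str):
    """Accept only if the ROM key is the pinned vendor key, the version does not go
    backwards, and the signature verifies. Returns (accepted, reason)."""
    if rom.trusted_key.fingerprint() != pinned_fingerprint:
        return False, "untrusted boot ROM key"
    if update.version <= rom.installed_version:
        return False, "rollback"
    if not verify(rom.trusted_key, update.signed_bytes(), update.signature):
        return False, "bad signature"
    return True, "ok"


def run_scenario() -> dict:
    """Walk through the cases from the article and report each verifier's verdict."""
    vendor_pub, vendor_priv = make_keypair(*VENDOR_PRIMES)
    attacker_pub, attacker_priv = make_keypair(*ATTACKER_PRIMES)
    pinned = vendor_pub.fingerprint()              # fixed at manufacture (assumption)
    rom = BootRom(trusted_key=vendor_pub, installed_version=2)
    results = {}

    legit = make_update(vendor_priv, 3, b"vendor firmware v3 (constructed)")
    results["legit_naive"] = naive_accept(rom, legit)
    results["legit_hardened"] = hardened_accept(rom, legit, pinned)

    # Key slot rewritten with the attacker's key, as the article describes.
    swapped = BootRom(trusted_key=attacker_pub, installed_version=2)
    rogue = make_update(attacker_priv, 3, b"attacker firmware (constructed)")
    results["rogue_naive"] = naive_accept(swapped, rogue)
    results["rogue_hardened"] = hardened_accept(swapped, rogue, pinned)

    # Genuine vendor-signed image, but an older version: the downgrade case.
    old = make_update(vendor_priv, 1, b"vendor firmware v1 (constructed)")
    results["downgrade_naive"] = naive_accept(rom, old)
    results["downgrade_hardened"] = hardened_accept(rom, old, pinned)

    # Attacker-signed image against an untouched ROM: plain signature failure.
    forged = make_update(attacker_priv, 3, b"attacker firmware (constructed)")
    results["forged_naive"] = naive_accept(rom, forged)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:20s} {verdict}")
```

The hardened verifier only helps if the pinned fingerprint lives somewhere the Option ROM cannot write (fused or otherwise immutable storage, an assumption of the model); pinning it in the same rewritable flash as the key slot would leave both to be replaced together. The rollback check is what addresses the downgrade problem noted for older Macs: a vendor-signed image is still refused when its version is lower than the one installed.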
Thunderstrike could also eventually be delivered remotely by combining it with the Dark Jedi attack.
The Dark Jedi attack is an exploit presented at 31C3 by Corey Kallenberg and Rafal Wojtczuk. Their talk exposed vulnerabilities in UEFI that allow an attacker to re-flash the firmware and run their own malicious firmware.