Hack flings bootkits from Macs' Thunderbolts

Thunderbolt not lightning, very, very frightening

12 Reg comments Got Tips?

Researcher Trammel Hudson has developed a means to foist a new class of bootkits onto Macs, using Thunderbolt devices using a form of USB 'evil maid' attacks.

Hudson will present the finding at the upcoming Chaos Communications Congress in Germany next week and said the attacks are easy to perform using the Thunderbolt ports and would persist across reboots.

The bootkit would also survive reinstallation of operating systems and replacement of hard drives.

"Once installed, it can prevent software attempts to remove it and could spread virally across air-gaps by infecting additional Thunderbolt devices," Hudson said in the synopsis of his talk.

"It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple's EFI firmware update routines.

"This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems."

The attack could also infect Thunderbolt devices allowing it to quietly spread across network air-gaps.

It worked in part because of a lack of firmware validity hardware and software cryptographic checks at boot allowing malcode to immediately control MacBooks.

The proof of concept bootkit replaced Apple's ROM public RSA key preventing attempts to replace it, while it could employ System Management Mode among other unspecified techniques to cloak itself.

Hudson said an in-system-programming device was the only way to kill the bootkit and restore stock firmware.

It relied on a two-year old Option ROM vulnerability which could be closed off but Hudson said problems remain with Apple's EFI firmware security.

"...the larger issue of Apple's EFI firmware security and secure booting with no trusted hardware is more difficult to fix," he said. ®


Biting the hand that feeds IT © 1998–2020