Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Portables (Apple) Security Apple

Thunderbolt Rootkit Vector 163

New submitter Holi sends this news from PC World: Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface. The attack, dubbed Thunderstrike, installs malicious code in a MacBook's boot ROM (read-only memory), which is stored in a chip on the motherboard. It was devised by a security researcher named Trammell Hudson based on a two-year old vulnerability and will be demonstrated next week at the 31st Chaos Communication Congress in Hamburg.
This discussion has been archived. No new comments can be posted.

Thunderbolt Rootkit Vector

Comments Filter:
  • In other news... (Score:1, Insightful)

    by Anonymous Coward

    An attacker with physical access to the target is usually a bad thing (tm),

    • Definitely. At that point you probably shouldn't call him "hacker". You should refer to him using his proper moniker, "Agent"

    • Re:In other news... (Score:4, Interesting)

      by Fwipp ( 1473271 ) on Tuesday December 23, 2014 @03:10PM (#48662221)

      But when all it requires is connecting an arbitrary malicious Thunderbolt device - a root-kit could be installed when you dock your computer, or connect to a monitor or ethernet/firewire adapter, or even a mouse.

      Yes, "mission-critical" security systems should already be physically isolated. But not everything is physically isolated (work laptops, for instance), and this class of attack makes it easier to covertly compromise devices, even while in plain view. Would all of your coworkers object to someone plugging in a mouse on their laptop?

      • by Bengie ( 1121981 )
        IOMMU can already control DMA access. Secure boot can restrict what images can boot, the images can restrict what devices have DMA access, and after granting DMA access, what memory ranges they have access to. We already have the tech to handle this situation, it's just a lack of implementation or a poor implementation.
        • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday December 23, 2014 @04:20PM (#48662829) Journal
          I'm frankly surprised to hear that Apple still manufactures a device that will boot after you tinker with its boot ROM. The notion that a device that is, for most purposes, right on the PCIe bus can scribble all over the place isn't exactly a shock; but it doesn't seem much like Apple to build hardware that would still boot if the cryptographic signatures didn't check out.
          • And what checks that signature? Code running from ROM perhaps?

            • And what checks that signature? Code running from ROM perhaps?

              In UEFI secure boot firmware can only be updated by a *signed* package. A thunderbolt attack would only be able to *request* a change to firmware, but it would have been rejected had Apple implemented secure boot.

      • Re:In other news... (Score:4, Interesting)

        by fuzzyfuzzyfungus ( 1223518 ) on Tuesday December 23, 2014 @04:18PM (#48662811) Journal
        Plus, thunderbolt daisy-chains, so (if you are handy with rework tools or Intel ever gets the stick out of their ass about selling the chips) the malicious device could either be a (subverted) normal looking peripheral or a surprisingly small lump lurking within a thunderbolt cable or somewhere within the chain.

        The proof of concept is probably a big hairy bundle of prototype that would get you arrested if you brought it to an airport; but a slightly more polished variant could be squirreled away in quite a few places. The volume and power required to implement an entire single-purpose attacker device is already fairly small, getting into "eh, probably just one of those EMI ferrite things" territory, and not going to get any larger; plus the options available in either embedding the attacker device in the case of a legitimate device or modifying a legitimate device's firmware.

        The truly paranoid user might not be vulnerable; but few users are paranoid enough to qualify.
    • by perpenso ( 1613749 ) on Tuesday December 23, 2014 @04:13PM (#48662773)

      An attacker with physical access to the target is usually a bad thing (tm),

      The attacker does not need physical access. All the attacker needs to do is sell hacked thunderbolt cables on ebay or alibaba.

    • Re:In other news... (Score:5, Interesting)

      by sumdumass ( 711423 ) on Tuesday December 23, 2014 @08:08PM (#48664431) Journal

      While this is true, the attacker does not need physical access for this. All they need is access to an innocent user who can be convinced to plug something in.

      The FBI and secret service demonstrated this type of attack back in the early 2000s. They dropped usb drives near banks night drop boxes and front doors that pinged a server with the local ip and machine name and wrote a file locally when plugged in with the autorun on. Something like 70% or so pinged. People where plugging them in to try to figure out who's they were to return them.

      Its pretty easy to convince someone to plug something in.

  • uh - by design? (Score:4, Insightful)

    by Nerrd ( 1094283 ) on Tuesday December 23, 2014 @02:51PM (#48662059)
    It shouldn't surprise anybody that a malicious PCI-E card can access a system.
    • Re:uh - by design? (Score:4, Informative)

      by _xeno_ ( 155264 ) on Tuesday December 23, 2014 @02:56PM (#48662107) Homepage Journal

      Well, yes, if you can rip open the computer case and install new hardware, you have complete control over the hardware and that's to be expected.

      Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

      The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

      • Re:uh - by design? (Score:5, Insightful)

        by darkain ( 749283 ) on Tuesday December 23, 2014 @02:58PM (#48662121) Homepage

        DisplayPort monitor pre-infected with malware?

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          It doesn't even have to be a whole monitor. An innocent looking cable would suffice. Apple's own cables already contain microcontrollers.

      • Re: (Score:3, Informative)

        Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

        USB 3.0 has this exact same feature (DMA), so yes, yes you should expect a USB thumb drive to be able to do this.

        • Re:uh - by design? (Score:5, Informative)

          by Holi ( 250190 ) on Tuesday December 23, 2014 @03:10PM (#48662227)

          It can. See BadUSB. [srlabs.de]

        • by I4ko ( 695382 )
          Which is exactly what FireWire was vulnerable to like.. what.. 7 years ago. This is nothing novel.
        • by amorsen ( 7485 )

          USB 3.0 has this exact same feature (DMA), so yes, yes you should expect a USB thumb drive to be able to do this.

          Ethernet controllers work by DMA, yet they do not offer random access to anyone who plugs anything into the bus. There is no inherent reason why DMA means full access.

          Thunderbolt and Firewire are different, in that they are "controllerless". They are simply PCI bridges.

        • Re:uh - by design? (Score:4, Insightful)

          by AmiMoJo ( 196126 ) * on Tuesday December 23, 2014 @05:11PM (#48663289) Homepage Journal

          USB 3.0's DMA is not the same as Thunderbolt's. With USB the host controller configures itself with limited DMA access to a RAM buffer, and then the USB device can only access that buffer by setting up transfers within the USB spec. In fact it can't even specify the address within the buffer or anything like that, the controller handles it all. It's closer to a NIC that supports DMA - it doesn't mean that any device on your network has full access to your computer's RAM.

          Thunderbolt is rather different, because the devices are basically PCI-E cards with a Thunderbolt transceiver bolted on. As such they can do anything that a PCI-E card can do, including accessing all RAM. PC Card devices have the same issue, and so does Firewire. It's a serious issue and tools that exploit it have been available for a while, both open source and commercial. For example: http://www.breaknenter.org/pro... [breaknenter.org]

          The BadUSB attack relies on either exploiting bugs in the USB driver or emulating something like a keyboard and typing commands into a terminal. It's bad, but not nearly as bad as having complete, unfettered access to RAM by design. For example, a locked computer or server that isn't logged in locally is unlikely to be affected by BadUSB because it can't know the login details, but with Thunderbolt you have total access.

          • by dgatwood ( 11270 )

            Thunderbolt is rather different, because the devices are basically PCI-E cards with a Thunderbolt transceiver bolted on. As such they can do anything that a PCI-E card can do, including accessing all RAM. PC Card devices have the same issue, and so does Firewire. It's a serious issue and tools that exploit it have been available for a while, both open source and commercial.

            Here's what I don't get. Back when the G5 came out, Apple used a custom piece of hardware called DART to create a boundary between the

            • by AmiMoJo ( 196126 ) *

              VT-d is used for something else, basically allowing PCI-E devices to access RAM without needing to worry about a >32 bit address space. While it might be possible to prevent this attack with it, that isn't how it is currently used. If a fix can be implemented it might break a lot of drivers.

              The attack is so nasty because when you can overwrite random bits of memory you can modify executable code on the fly. Address randomization doesn't help, you can simply search the entire address space for some suitab

              • by dgatwood ( 11270 )

                All drivers on OS X are already required to tell the operating system ahead of time that a device is about to DMA to memory. That's how that VT-d is able to configure the IOMMU hardware to allow those devices to access RAM without worrying about 64-bit address spaces. So the OS already knows precisely which pages of physical RAM should be accessible by PCIe devices using DMA. If other pages of RAM are accessible, that's a bug.

                Similarly, making the Thunderbolt controller's IOMMU mappings be driven by tha

      • Re:uh - by design? (Score:5, Insightful)

        by jeffb (2.718) ( 1189693 ) on Tuesday December 23, 2014 @03:09PM (#48662213)

        Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system.

        Thunderbolt is more like PCIe to the system -- it's a thing you use to connect trusted devices to your system. In fact, it is PCIe, along with DisplayPort.

        The one mitigating factor is that, while there are Thunderbolt devices out there, users are less likely to find one lying in the company parking lot and decide "durr, let me plug this into my work computer and see what's on it". That seems to be a pretty effective delivery method for hostile USB devices.

        • by AmiMoJo ( 196126 ) *

          It's a concern to anyone who travels with a laptop. With Thunderbolt, PC Card or Firewire your laptop is vulnerable even if you lock it. With BadUSB there isn't much it can do if the machine is locked. If customs or some LEA decides they want in they can get everything, including your encryption keys (you did encrypt and use a VPN, right?)

          Hopefully you can somehow disable it to mitigate this attack. I don't know about Macs but most PC UEFI BIOSes allow it to be turned off, along with Firewire and PC Card.

          • by _xeno_ ( 155264 )

            I don't think Mac OS X even has a user-accessible BIOS. I know there's a "special" key combo you can hit to reset whatever they call their equivalent of CMOS settings (it's either NVRAM or PRAM and I have no clue what the difference is or why it matters). (I know this because there's another cute Mac bug that frequently hits my work MacBook where it will forget it has a built-in display because I turned it off while connected to a monitor, so you have to reset it to factory defaults to get it to realize "ma

      • Re: (Score:3, Informative)

        by aitikin ( 909209 )

        The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

        You're obviously not in the pro audio world.

        • by Khyber ( 864651 )

          "You're obviously not in the pro audio world."

          You obviously aren't either. Thunderbolt's way overkill for bandwidth requirements, and most onboard sound systems in a typical desktop handle proper mixer outputs and inputs just fine, with pretty much professional noise floors. I get more noise from my guitar amp and distortion pedal than I get recording the line-in with nothing attached/everything turned off.

          Pretty easy setup. [imgur.com] Added bonus, you can't infect through a line-in signal that I'm aware of!

          • Avid's entry level Pro Tools HD system is thunderbolt-based [vintageking.com]. I know at least a dozen people that use it for professional work every day. This is the industry-standard equipment, particularly if you're not going to buy cards.

            USB can do bandwidth for a few audio channels but you need PCIe or Thunderbolt if you want to have a few hundred tracks and still have under 5 milliseconds latency, and you generally need that if you're tracking or comping.

            • by Khyber ( 864651 )

              "you need PCIe or Thunderbolt if you want to have a few hundred tracks and still have under 5 milliseconds latency"

              That's what a mixer board is for [soundcloud.com] and even ASIO drivers don't provide sub 5ms latency. The only thing on this planet providing sub 5ms latency are direct connections from instrument to IEMs, and even then you have to deal with things like comb filtering.

              Yamaha has a good piece on this [yamahaproaudio.com] and I'd take their word well over Avid's, given Yamaha has been in this game FAR longer, starting with musical i

              • Yamaha's piece is marketing for their own software, Nuendo, which is meant to run on ASIO and they're trying to downplay its deficiencies for tracking.

                You seem to have heard of a mixing console, that's good, but a really common setup is to have 20 or 30 microphones coming into the analogue console, passing to Pro Tools, playing back with a few hundred channels of prerecords, getting down mixed in Pro Tools to 96 channels, and then those channels coming up on the console on the tape inputs. And the sound on

                • by Khyber ( 864651 )

                  Yea. I work in Riverside. Done audio and video work for groups such as The Neil Deal and other bands out in Studio City. I have plenty of experience with digital recording and multitracking/overdubbing, starting with Cool Edit back in the late 90s (and some MIDI/MOD/IT tracking.)

                  Simple physics alone is going to dictate that sub 5ms latency is pretty much impossible without your cables being a foot long once you take all the signal pathways, processing overhead, etc. in a piece of hardware into account.

                  Every

                  • I know your kind too well; luckily I know no one younger than 60 that actually goes around telling that you "need a console" for low-latency monitoring. Unless they're analogue purists or console fanboys -- you know, marketing.

                    Simple physics alone is going to dictate that sub 5ms latency is pretty much impossible without your cables being a foot long once you take all the signal pathways, processing overhead, etc. in a piece of hardware into account.

                    I am A BIT surprised that someone with so much experience

                    • by Khyber ( 864651 )

                      Are you forgettingelectrical signals don't propagate at light speed? Bring that up a few more ns. Now toss in all your processing, etc in a digital solution.

                      " Mackie 1404"

                      Not eeeeeeven close, but at least you got the brand right. You're missing the digital /SPDIF and optical outputs on the back - I've timed this from the same equipment and different outputs. Digital adds latency like mad.

                       

      • It has to be unsafe by design. How else can Thunderbolt be even more insanely great than Firewire's "Hey, sure, here's DMA access to the bottom 4GB of my memory space! Don't do anything naughty or nothing, ok?" security model?
      • The one mitigating factor is that literally no one uses Thunderbolt for anything, so it's not like anyone's likely to be coming across random compromised Thunderbolt devices. Discovering a Thunderbolt device at all would be out of the ordinary.

        There was a brief moment that companies released laptops with Thunderbolt (mostly Ivy Bridge platforms). Now its a rare feature outside of Apple's laptops. Microsoft didn't put Thunderbolt into the Surface 3 because of the DMA security concerns and "InstantGo" devices (source: http://technet.microsoft.com/e... [microsoft.com] )

      • by mysidia ( 191772 )

        Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system.

        No. USB is not safe [srlabs.de] either. Don't plug untrusted devices into your system's I/O ports, period.

        USB, Firewire, eSATA, SAS, and Thunderbolt do not have a security model.

        Thunderbolt just happens to have more capabilities since there is direct access to the PCI bus, and this is also where the greater performance comes in.

        With greater capabilities and access comes greater possibilities of abuse fr

  • by Anonymous Coward

    installs malicious code in a MacBook's boot ROM (read-only memory)

    Why didn't I think of that.

  • by Severus Snape ( 2376318 ) on Tuesday December 23, 2014 @03:04PM (#48662179)

    If I have physical access to your machine, I'm going to get you one way or another.

    • by QuietLagoon ( 813062 ) on Tuesday December 23, 2014 @03:36PM (#48662433)
      True. But where this attack is unique is that it installs itself in a boot-level device, not on the hard disk, and executed BEFORE the OS starts running. Even re-installing the OS or replacing the hard drive won't disinfect the system.

      .
      Then there's this gem:

      The bootkit can even replace Apple’s cryptographic key stored in the ROM with one generated by the attacker, preventing any future legitimate firmware updates from Apple, the researcher said in a blog post [trmm.net].

      • Sounds like somebody was cargo-culting it on that design decision: systems that are intent on using cryptographic lockdown to resist tampering usually don't store the blessed key in rewriteable memory, for reasons made obvious here. Depending on the hardware, it gets some sort of more aggressively write-once/locked/burned in at the factory and read only/whatever storage, with the data to be cryptographically verified going in the rewritable part. I suppose it still functions as a sort of checksum; but not r
    • If I have physical access to your machine, I'm going to get you one way or another.

      You don't need physical access. Thunderbolt cables have an integrated microcontroller, its one of the reasons the cables are expensive. In theory a hacker could add additional electronics and sell / give away cables.

    • by AmiMoJo ( 196126 ) *

      Not really... Say you have a running but locked laptop in front of you. If it is turned off you are probably screwed since the contents will be encrypted, hopefully. So how do you unlock the machine without knowing the password? With Thunderbolt, Firewire or PC Card you can just hook up a special device that lets you rip the content's of RAM and even modify it, allowing you to bypass the lock screen or even just reset the password in memory.

      The only other viable attack is a cold boot attack, but that can be

  • by maccodemonkey ( 1438585 ) on Tuesday December 23, 2014 @03:04PM (#48662181)

    Firewire, USB 3.0, and Thunderbolt all have DMA, which means any device hooked to a host can pretty much do anything they want to the host, no matter what the host hardware or OS is. I didn't think this sort of thing was still news?

    • by bored ( 40072 )

      I'm pretty sure in the case of USB 3 that DMA is a function of the host controller. A device by itself cannot inject into arbitrary memory. This thunderbolt "vulnerability" is the equivalent of the windows autorun on insertion function that was disabled years ago. Only this functions above the level of the current user (aka much worse).

      • by maccodemonkey ( 1438585 ) on Tuesday December 23, 2014 @03:31PM (#48662393)

        I'm pretty sure in the case of USB 3 that DMA is a function of the host controller. A device by itself cannot inject into arbitrary memory. This thunderbolt "vulnerability" is the equivalent of the windows autorun on insertion function that was disabled years ago. Only this functions above the level of the current user (aka much worse).

        I'm looking up DMA for USB3. Although there are some ways to secure DMA (like a white list of addresses/sizes that are safe to write to), all of the advertised functionality of USB3, such as the sustained data rates, would be very hard to achieve if you didn't have direct access to memory. That's why Firewire ruled for live streaming of data for so long: DMA made it's rates reliable, whereas USB's dependence on the controller and CPU for memory transfers made the throughput more flakey.

        • by maccodemonkey ( 1438585 ) on Tuesday December 23, 2014 @03:46PM (#48662523)

          Well, now I'm reading specs on USB 3.0 controllers. Ugh. There's a lot on mapping a bus address to a memory address for DMA, but nothing addressing the security implications of doing so, or what devices are allowed to do, just broad hints like the buffer has to exist in a DMA-able part of memory without saying if that's a security implication or a hardware implication.

          It would be nice to see a follow up article on if/how USB 3.0 protects against these things, because I'm not a kernel USB developer sort of guy, so while I know DMA is there, I'm not feeling like I'd be able to dissect these implementation specs.

          • by AmiMoJo ( 196126 ) *

            USB 3.0 devices can't read or write arbitrary RAM like Thunderbolt devices can. The host controller (or rather the driver) has to allocate RAM buffers and then program its DMA controller to copy data in or out of it. In theory it might be vulnerable if there are flaws in the driver perhaps, but it would be reliant on specific drivers and host controllers. The vulnerability is designed in to Thunderbolt as a feature.

        • by amorsen ( 7485 )

          40Gbps ethernet cards use DMA securely and offer sustained data rates that USB can only dream of.

        • Although there are some ways to secure DMA (like a white list of addresses/sizes that are safe to write to), all of the advertised functionality of USB3, such as the sustained data rates, would be very hard to achieve if you didn't have direct access to memory

          Sigh. It's almost like slashdot is peopled by people who know fuck-all about computers, such as the existence of the IOMMU [wikipedia.org]. Decent operating systems have support for these [kernel.org]. They completely solve this problem with minimal overhead.

          That's why Firewire ruled for live streaming of data for so long: DMA made it's rates reliable

          Yes, firewire has the same problem, and the same solution.

    • Firewire, USB 3.0, and Thunderbolt all have DMA, which means any device hooked to a host can pretty much do anything they want to the host, no matter what the host hardware or OS is. I didn't think this sort of thing was still news?

      It's news to me that apple still isn't using an IOMMU, I thought that they were supposed to be fixing this problem. Most modern PCs have one.

  • by Anonymous Coward

    Almost as stupid as making PCI-E part of an external bus. The BIOS write protect jumper of old was the right idea.

  • by Anonymous Coward

    A writable ROM are clearly not a ROM

    • Yeah either the article means BIOS or EEPROM, or Apple is clearly doing it wrong. From the article: "Malicious code installed in the MacBook boot ROM will be executed before the OS is loaded..."
  • The attack, dubbed Thunderstrike,

    Tell me. Does it get it's own little theme song performed by AC/DC too?? That would just complete the marketing circle!

  • The USB and Firewire interface on the 10 year old J-Bus (UltraSparc IIIi) had memory management for the I/O interfaces as well as the CPU. The DMA from external interfaces could only access memory granted to it by the OS.
  • by exabrial ( 818005 ) on Tuesday December 23, 2014 @03:47PM (#48662527)
    So if you get hit by this attack, have you been... Thunderstruck?? /me shows self to door
  • "installs malicious code in a MacBook's boot ROM (read-only memory)"

    Nope. It may write to EPROM or something like that but by definition it can not write to ROM. ROM means Read Only Memory and as such there is no writing to it. EPROM or some other flavor of Erasable Programmable Read Only Memory is what it would have to be working with. Too bad writers can't read. Not even their own sentences. Or perhaps they can't comprehend. IM (Incomprehensible Memory) in the case of the OP.

  • by ZorinLynx ( 31751 ) on Tuesday December 23, 2014 @07:23PM (#48664241) Homepage

    With older (PPC?) based Macs, to update the firmware you had to power off the machine, then turn it on by holding the power button until you got an extra beep or sound. This would physically un-write-protect the firmware EPROM so that it could be updated by open firmware.

    In their quest to make everything as "user friendly" as possible, they took out this hardware security feature, allowing the update to just happen without any physical action.

    Bad Apple, no donut.

  • Here's how you do it:
    1. Go to a conference, and allow your dongle to 'accidentally' fall out of your bag onto the floor. Wait for somebody to come and pick it up.
    2. Open up an online shop and sell knock-off dongles at a reduced price
    3. Post an ad on Craigslist selling your 'old' dongle
    4. Go to a conference and swap out the dongle that is there with your dongle

    At $30 a pop people many unwitting Mac users would pick up one of these devices if they were convinced it were impossible to find out the owner. The

  • Can someone explain to me how you can write to Read Only Memory?

  • Find the mistake.

    Vendors are stupid, if they make ROM writable, without setting a jumper. Or making it writable at all.

In order to dial out, it is necessary to broaden one's dimension.

Working...