Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Apple

First OSX Bootkit Revealed 135

Trailrunner7 writes A vulnerability at the heart of Apple's Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.

Hudson's bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple's RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity.
This discussion has been archived. No new comments can be posted.

First OSX Bootkit Revealed

Comments Filter:
  • by phayes ( 202222 ) on Thursday January 08, 2015 @05:38PM (#48769681) Homepage

    Then so can Apple.

    From their reaction pushing out an automatically installed security patch for the recent NTP vulnerability, I'm hoping that Apple will furnish a patch before this ever becomes more than a Blackhat proof of concept.

    • by c ( 8461 ) <beauregardcp@gmail.com> on Thursday January 08, 2015 @05:52PM (#48769805)

      Then so can Apple.

      More usefully, it sounds like the owner of the machine itself can patch it such that any Option ROMs need to be signed with their own private key rather than Apple's.

      • by _merlin ( 160982 )

        If you stop option ROMs from loading, you can say goodbye to using external SAS adaptors, bootable NICs, etc. It might be OK if all you ever plug in is external displays, but you'd lose all sorts of functionality.

        • by rthille ( 8526 )

          You just stop option ROMs from loading when you're patching the firmware.

        • by sjames ( 1099 )

          The vulnerability only exists when the machine is booting in a special flash mode. Otherwise, the flash chip is locked making writes impossible until a reset happens before the option ROMS get run.

          So only flash mode needs to disable the option ROMs. A normal boot can use them without risk of a re-flash.

        • by c ( 8461 )

          If you stop option ROMs from loading, you can say goodbye to using external ...

          Would it really be so terrible if the owner of the hardware could decide whether or not their device supported that kind of thing, or even which specific things it supported?

    • by rthille ( 8526 )

      Only if they (Apple) patch it before the machine is rooted.

      • by phayes ( 202222 ) on Friday January 09, 2015 @05:28AM (#48773383) Homepage

        If you would take the time to actually read TFA (yeah I know, heresy), you'd know that Apple has already addressed the vulnerability in recent minis & iMacs so the window is already closing.

        Added to that, you need the exploit (which is closely held at present) & physical access to the Mac. This rootkit is extremely unlikely to be a problem for anyone.

        • by rthille ( 8526 )

          I'd actually read the article before it hit slashdot.
          Interestingly, why have they only patched it on recent hardware, when a software update (IIRC) could roll it out to most/all hardware?

  • by mattventura ( 1408229 ) on Thursday January 08, 2015 @05:40PM (#48769703) Homepage
    From what I understand, thunderbolt is essentially an external PCIe interface. That's inherently insecure. It was bad enough that Firewire gave devices DMA access, but with PCIe it will probably be 10x worse.
    • by DaHat ( 247651 )

      Correct... and yes, yes it is: https://www.youtube.com/watch?... [youtube.com]

      At least on a PC (which lacks Thunderbolt), opening the PC is required to exploit that vector... though there are still others... and many of them work without the need for any driver support.

    • From what I understand, thunderbolt is essentially an external PCIe interface. That's inherently insecure. It was bad enough that Firewire gave devices DMA access, but with PCIe it will probably be 10x worse.

      Not bad for a desktop (assuming you don't encrypt your disks either), but a terrible idea on a laptop, and especially if you support encryption out the box. What is the point of encryption when you give even faster access to unencrypted memory with a convinient external port?

      • On a desktop, I don't think it would be a problem. If you had a rather standard encryption scheme where you enter your passphrase on boot, it wouldn't be exploitable because someone would have to shut down the machine, stick a PCIe card in, and then boot again, thus losing the encryption key until it is entered again. It's just that laptops tend to have to have more exploitable interfaces that support hotplugging (like ExpressCard and Thunderbolt) whereas a desktop at most might have Firewire.

        I'm surprise
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      And how is that any different from the PCMCIA / CardBus slots of the past? They were basically direct attachments to the peripheral bus too, but I guess back then nobody cared about these kinds of attacks, and it wasn't predominantly Apple using those expansions.

      • It's no different than doing the exact same thing over Firewire, but it's a lot easier to hide an exploit in plain sight. When you exploit over something like Firewire or Thunderbolt, it could be a simple "Hey, can I charge my iPhone?". I remember an old exploit that you could do using one of the ancient Firewire iPods. That's a lot different than "Hey, can I plug this random card into your computer?" when you want to do it over CardBus or ExpressCard.
      • by sjames ( 1099 )

        It's been done.

        Some machines have a hardware jumper that must be set to allow flashing the BIOS. They all should.

    • by Anonymous Coward

      Apple now uses IOMMU to protect against DMA attacks. With it a Thunderbolt device cannot access memory it hasn't been granted. I believe Microsoft does the same with Window now as well.

  • Turn on FileVault (Score:5, Informative)

    by pushing-robot ( 1037830 ) on Thursday January 08, 2015 @05:49PM (#48769781)

    FileVault 2 disables DMA over FireWire/Thunderbolt when no user is logged in or the machine is locked.

    If you want an extra layer of security, execute this command:

    sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

    ...and your Mac will erase its decryption key from RAM every time it goes to sleep.

    • by DaHat ( 247651 )

      Is FileVault 2 enabled out of the box? If not... it's too late for most users.

      • As noted it's as simple as enabling it.

        Most users will not, but then most also do not need to worry about someone physically capturing the system and installing malware then returning it...

        • As noted it's as simple as enabling it.

          How does filevault protect you from this? Filevault is fine once the OS is loaded but this attack occurs long before that.

          • FileVault adds a bunch of secondary behaviors not related to the system drive. The advertised feature is system drive encryption, but it's effectively a "paranoia" mode for Macs.

            When you're running FileVault, if no one is logged in, the machine will refuse to communicate with ANY attached external device, over thunderbolt or USB or anything else, but for one "main" display and the keyboard and mouse. Also the machine shuts itself down if it's left unattended with no one logged in for more than a few minute

            • When you're running FileVault, if no one is logged in, the machine will refuse to communicate with ANY attached external device, over thunderbolt or USB or anything else, but for one "main" display and the keyboard and mouse.

              No, this attack happens before FileVault starts running.

              • If you turn on FileVault 2, the power-on and boot behavior of the system is also changed. External USB and Thunderbolt devices aren't mapped into the system until a valid user logs in. When the Mac boots to the login screen, only the keyboard, mouse, and the "main" display ports work; plugging stuff into the USB ports on the grey login screen doesn't work, they don't light up, the system doesn't access them, try it some time!

                So, if a stranger has physical access to your machine, they won't be able to get

                • If you turn on FileVault 2, the power-on and boot behavior of the system is also changed.

                  Ok, I haven't been able to find the information on that, but what I did see is that performance degradation is in the 20-30% range, which would dissuade most people from using it.

                  If you install a hacked Thunderbolt adapter and let it be connected during a firmware update, while you're logged in, you're screwed.

                  Yeah i'd imagine that would be a fairly easy thing to do, swap out a legitimate one for a hacked one, users would be wary about plugging in USB sticks but probably not so much about port adapters.

      • During the Mac OOBE it prompts you to turn it on.

        And if you *don't* encrypt your hard drive or set a firmware password, it's not like anyone with physical access needs a fancy thunderbolt bootkit to compromise your PC.

    • by vux984 ( 928602 )

      And what about when the machine is unlocked?

      • Then the attacker types cp -R / /Volumes/NSA\ Data\ VacuumTM/

    • Re:Turn on FileVault (Score:5, Interesting)

      by pushing-robot ( 1037830 ) on Thursday January 08, 2015 @06:34PM (#48770059)

      Sorry to reply to myself, but after reading the full details on this vulnerability it's not like the previous Thunderbolt exploits I've seen, and my prior advice may not be sufficient protection.

      It uses a string of vulnerabilities to flash itself into the firmware using Diagnostic Mode, which exists outside the protection of FileVault. To fully secure yourself you probably need to set a firmware password... not as easy as turning on FileVault, but it should only take a couple minutes on a modern Mac: instructions [tutsplus.com]

      Hopefully Apple will take steps to close the vulnerabilities but it's not likely to affect many people; it requires prolonged physical access to the machine, multiple reboots and connection of hardware, and finally the cooperation of the user (logging in again) for the attacker to steal any useful information. Virtually any machine could be compromised under the same circumstances.

      • by bugnuts ( 94678 )

        One of the big issues is recently "I'm going to scan your computer" stops at the border.

        They can simply attached a thunderbolt drive and completely own your computer and there's not a thing you can do.

    • Thank god I enabled FileVault on my shiny new MBP the day I got it. I'll research your recommended CLI command -- but from what I can make of it, it looks good.
    • by AHuxley ( 892839 )
      Once control over a computer is lost, any actions during daily use can be networked.
      The users computer loads some extra new software and is now more networked. A wide open path with access to load and then update any software.
      Any use of any data stored or encrypted is then opened to any new logging or spyware installed as the user would do during normal use. New logging or spyware installed with the same everyday accounts and applications in use. Antivirus or an outgoing software firewall would just be
  • I know it's dangerous to base opinions on summaries, but the summary says "during recovery mode boots". So, at least it doesn't seem to be as bad as autorunning files on a usb stick, which used to be pretty common.

    It is certainly a serious vulnerability, but considering the number of times I've done a recovery mode boot, I'm not overly concerned about it.

    • One early attack on Macs (back in the days of MacOS 6 or 7 or so), included having a WDEF trojan on a floppy disk. Insert it into the machine, the OS draws the window to show the disk, looks for WDEF resources in the usual order, finds the WDEF on the floppy, and executes the arbitrary code contained in that WDEF resource to draw the window (and do anything else that was in the WDEF). The original WDEF virus was actually pretty harmless on the OS it was developed on, but had bad effects with later OSes.

  • Looks like it's better to call it limpware if it's so soft and easy to reprogram.

    • So you're asking for "resoluteware?"

      • I was always wondering what happened to good old fashion ROM in a socket. If you want an upgrade, a chip can be FedExed* to you

        *Google isn't the only word to be 'verb-alized'

        • by Jeremi ( 14640 )

          I was always wondering what happened to good old fashion ROM in a socket. If you want an upgrade, a chip can be FedExed* to you

          Upgrading that way is a little bit more difficult now that Apple glues their computer cases together. :^P

        • by kybred ( 795293 )

          I was always wondering what happened to good old fashion ROM in a socket. If you want an upgrade, a chip can be FedExed* to you

          *Google isn't the only word to be 'verb-alized'

          Any noun can be verbed. :-)

      • he's asking for turgidware

  • I modified the boot.efi to allow my old mac pro 2,1 to run Mavericks. I'm glad I never upgraded. My old mac with 32gb of ram is plenty fast enough.. make -j 20... all I have to say is wow this baby can compile code fast. I also have an NVIDIA GTX 560 graphics card and a vintage GT120 for boot selection. I picked another mac pro 8 core 2,1 on ebay and built up a 32gb8 core Linux beast running linux on bare mac metal. Now that I see thunderbolt is full of security holes I bet the next generation if
  • ... that involve me turning around for up to 30 seconds. It's cute. The lesson here is, if you let your machine out of your sight for a while, don't be surprised if it comes back rooted. Isn't rule #1 of computer security always "If you don't have physical security, you don't have security"?

    What exactly is the vector here? Give someone a thunderbolt hard drive and hope they plug it in and hope they run a firmware update while the drive is connected? Oh no, this could affect potentially dozens of people per

    • by Sez Zero ( 586611 ) on Thursday January 08, 2015 @09:11PM (#48771195) Journal
      We have several new Mac laptops at work. They don't have an Ethernet port, so all of them are connected via Thunderbolt to Ethernet adapters. All the time. It seems like Ethernet or DVI adapters would be a great vector for this attack.
    • by Shados ( 741919 )

      Ever worked in an office, and one day someone reports their expensive headphones got stolen by the cleaning staff? Then _IF_ you are lucky, someone looked at the security tapes and found them out? Usually the camera's not pointing in that direction though...

      Now, thats easy to see on camera, someone running away with something big. Someone clipping a tiny little device to a lap-top thats barely in sight, while cleaning? Even rewatching the security tape 10x, you may not notice it. You also may not realize th

      • If the building has security insufficient to catch somebody stealing my headphones, it's insufficient to keep their computers secure. Companies set their own levels of security, and frequently just trust the cleaning staff or plant-watering service or whatever.

    • My kid does magic tricks... that involve me turning around for up to 30 seconds. It's cute. The lesson here is, if you let your machine out of your sight for a while, don't be surprised if it comes back rooted. Isn't rule #1 of computer security always "If you don't have physical security, you don't have security"?

      It's not that simple. There's multiple aspects in physical security too.

      I bet that if your operating system was password-locked, it would take more than 30 seconds for your kid to mess with the data.

      Because if this was a company, that extra time would also have given the security guards more time to arrive at the scene.

  • The firmware has always been a possible vector for infecting a computer with malware, and we know the NSA has done it for years. This OS X bootkit shows one method of getting the malware into the firmware. I'm sure on many PCs the NSA could just flash a new BIOS, probably with the full support and help of the firmware manufacturers.

    It surprised me to learn that laptops from popular manufacturers like Lenovo ship with a piece of BIOS-based malware called Lojack. Used as a method of theft prevention, once a

    • It surprised me to learn that laptops from popular manufacturers like Lenovo ship with a piece of BIOS-based malware called Lojack. Used as a method of theft prevention, once activated it can infect a fresh install of Windows with tracking software.

      Even if it performs "sneaky stuff" I wouldn't call it malware as it is designed to help the real owner of the laptop in case of theft.

  • As they don't usually have Thunderbolt, or if they do they boot differently.

Avoid strange women and temporary variables.

Working...