Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Worms Security Apple Technology

Thunderstrike2 Details Revealed 65

An anonymous reader writes: Prior to DefCon and BlackHat, we learned that Trammell Hudson had developed a firmware worm for Apple machines that could spread over Thunderbolt hardware accessories. Now that both conferences have finished, Hudson has published slides and an annotated transcript detailing how the worm works.

A brief quote: "Thunderstrike 2 takes advantage of four older, previously disclosed vulnerabilities. These had all been known and fixed on other platforms, but not on Apple's MacBooks. ... Speed Racer (Incorrect BIOS_CNTL configuration, 2014, VU#766164), Darth Venamis (S3 boot script injection, 2014, VU#976132) Snorlax (Flash configuration is not set after S3 sleep, 2013 VU#577140) and PrinceHarming (2015) Unsigned Option ROMs (2007, 2012). ... While we're looking at Apple specifically in this research, the overall message is that many vendors are not keeping up to date and are not responding to CERT, especially if it requires effort to port or test vulnerabilities from other vendor platforms."
This discussion has been archived. No new comments can be posted.

Thunderstrike2 Details Revealed

Comments Filter:
  • Apple has released at least 2 Patches to OS X 10.10 (Yosemite), one in January, 2015, and another in June, 2015, to address these issues.

    From what I have learned from the tubes, that leaves what admittedly amounts to a largely theoretical vulnerability, as far as "workable in the field" goes.

    But what I haven't been able to sort out through all the eighth-grader cutesy names, is is this still a REMOTE-ABLE vulnerability, or is it back to the "Evil Maid" scenario only?

    Also, I have heard that Macs built
    • by Dunbal ( 464142 ) *
      I heard the Titanic was "unsinkable". Be careful with words like "invulnerable".
      • I heard the Titanic was "unsinkable". Be careful with words like "invulnerable".

        Point taken; but, in my defense, I think that's what the original article I read said.

    • or is it back to the "Evil Maid" scenario only?

      Always assume the "evil maid" scenario could happen.

      If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works, the "evil maid" is a subset of all things in which you can trick people into plugging in your exploit. Social engineering is a remarkable way around security.

      It also says if you have a portable Thunderbolt device and ever use it anywhere from home, your own stuff could be the 'remote' vector.

      One person's t

      • If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works

        Yeah, I watch Mr. Robot, too...

        Social engineering is a remarkable way around security.

        I love the way most of the hacker movies depict a scenario like in Swordfish, where someone applies mad Developer (hacker) skills to navigate through arrays of 3D cubes representing (what, exactly?), and then breaks into the "Network" using those skill alone. That's why I always like the movie "Sneakers" (despite its depiction of 3D Operating Systems, too), because it depicted that Social Engineering was at the heart of most, if not all, "Cracking".

        But this still doesn't ans

        • by Minupla ( 62455 )

          If dropping infected USB sticks into a parking lot and seeing who picks them up and plugs them in works

          | Yeah, I watch Mr. Robot, too...

          Um, Mr Robot took it from ancient (in internet terms anyways) history:

          Just one random story from 2011:

          http://thenextweb.com/insider/... [thenextweb.com]

          Min

          • Um, Mr Robot took it from ancient (in internet terms anyways) history:

            I just took the most recent reference that popped into my head; but at least whoever writes that show has SOME geek-knowledge. That's still (a lot!) better than most.

            • by Minupla ( 62455 )

              Agreed, actually I respect the show for their research. I may have misinterpreted the tone of your comment, I read it as "this could only happen in a TV show", and was pointing out it has a long history of working in real life. Apologies if I misinterpreted.

              Min

        • Yeah, these kinds of attacks require physical access (either directly or by proxy) to the computer at which point your security is moot. You might as well add-on one of those microcontrollers with a 3G and KVM module because you are using a freaking pci bus.

          It is cute to do this but when you have hardware access, all bets are off and you could write the EFI regardless. Signing firmware for EFI only makes alternative software and homebrew harder (eg SecureBoot tripe) but doesn't make it any harder to hack

          • It is cute to do this but when you have hardware access, all bets are off and you could write the EFI regardless. Signing firmware for EFI only makes alternative software and homebrew harder (eg SecureBoot tripe) but doesn't make it any harder to hack

            You're right. I wonder if that's why Apple didn't run straight toward that obvious solution?

      • Always assume the "evil maid" scenario could happen.

        Colonel Sandurz: It's Mega Maid. She's gone from suck to blow.

    • It's not just a "theoretical vulnerability", since the researchers had a proof of concept that was working at Black Hat a few weeks ago. That said, the latest versions of OS X 10.10 and 10.11 both have patches in place that break the proof of concept, and as I recall, the bug that permitted this in the first place was introduced in 10.10, which means that all vulnerable systems already have a patch available to prevent infection.

      In terms of vectors for infection, it's two-fold:
      1) Navigating to a malicious s

      • It's not just a "theoretical vulnerability", since the researchers had a proof of concept that was working at Black Hat a few weeks ago. That said, the latest versions of OS X 10.10 and 10.11 both have patches in place that break the proof of concept, and as I recall, the bug that permitted this in the first place was introduced in 10.10, which means that all vulnerable systems already have a patch available to prevent infection.

        I didn't catch that this was introduced in 10.10 (Yosemite); so my Mavericks (10.9) and earlier systems are ok then?

        GREAT Update, Anubis!

        Mods: Mod Parent UP, UP, UP!!!

        • I didn't catch that this was introduced in 10.10 (Yosemite); so my Mavericks (10.9) and earlier systems are ok then?

          Assuming my recollection is correct and that I didn't mix up vulnerabilities? Yup, Mavericks is okay.

  • And what do I do to stay unscrewed? a serious question from a Macbooker.

    /I'm expecting much hate but some wisdom embedded in the barbs
    • by Anonymous Coward

      Run for the hills, turn of all your electronics, eat the rich, stop trusting the government, definitely don't trust the corporations.

      Might not help with your computer security, but it's sound advice.

    • Re: (Score:3, Informative)

      First of all, keep an eye on the updates. They should automatically install (or at least warn of their availability) by default. Apple can push out a separate EFI upgrade or it can be be a part of the next big update (10.10.5 for instance, which is imminent). I expect some or all of these to be fixed fairly quickly.

      In the mean time, make sure that you haven’t disabled Gatekeeper (which is on by default). While Gatekeeper can’t defend against infected peripherals you stick in your Thunderbolt por

      • by mlts ( 1038732 )

        All it takes is one ad server where the owners don't care what code some client uploads, and it means massive, almost instantaneous infections. With IP limiting tools, it could be a targeted attack from a direction that is relatively unexpected.

        Next to the excellent suggestions of the parent, I would also recommend 1-2 additions:

        If possible, run your Web browsing as a non-admin user, and switch to the admin user when needed. This adds one additional layer.

        Of course, the best thing is to use some form of v

    • Comment removed based on user account deletion
      • by AmiMoJo ( 196126 )

        Cut the PCB tracks and rewire them to the mains 240/120v input. Anyone who tries to rape your machine will get a nasty surprise and their expensive hardware turned to slag.

        • by Trogre ( 513942 )

          Would that be AC or DC?

          if you can still have a register that detects when such a device is plugged in, you could have the screen flash up with the message:

          "You've been..."

    • And what do I do to stay unscrewed? a serious question from a Macbooker. /I'm expecting much hate but some wisdom embedded in the barbs

      It looks like if you are either:

      1. An owner of a Mac MANUFACTURED after June, 2014; and/or,

      2. Running at least OS X 10.10.4

      You are safe from any REMOTE Thunderstrike(2) Attacks.

      HOWEVER, you STILL have to be vigilant against the "Evil Maid" (someone deliberately sticking an infected Thunderbolt Ethernet Adapter, or an infected Thunderbolt-connected SSD into your computer while you aren't present/looking), and DON'T borrow/lend either of those two classes of Thunderbolt devices to/from ANYONE.

      And y

      • Never let any of those peripherals out of your sight either! Someone could infect them in just a few seconds of inattention.

        • Never let any of those peripherals out of your sight either! Someone could infect them in just a few seconds of inattention.

          No.

          Someone could conceivably REPLACE them with already-infected ones, or use already-infected ones nefariously to infect you, in just a few seconds; BUT I'm pretty sure that no one could infect YOUR TB-Ethernet Adapter in "just a few seconds of inattention." A few MINUTES, sure; but not a few seconds.

          And remember, this still requires essentially physical access to the machine (or at least the peripheral). For now, it looks like, contingent on the conditions of my first post, above, the REMOTE threat is

          • Seconds, since all you need to to to infect a TB-Ethernet adapter is plug it in to something.

            Any thunderbolt device with an Option ROM can be infected in seconds.
            citation [wired.com]

            • Seconds, since all you need to to to infect a TB-Ethernet adapter is plug it in to something.

              Any thunderbolt device with an Option ROM can be infected in seconds. citation [wired.com]

              So you're postulating that, while someone is present, another person can:

              1. Pull out their Ethernet dongle (which presumably has a network cable attached)

              2. Fumble-fuck around, trying to surreptitiously Stick the victim's dongle into a waiting infection-donor (which would likely have to be another laptop, probably a Mac)

              3. Wait (n) seconds for the dongle to enumerate and get the infection uploaded

              4. Pull it back out of the "donor" computer

              5. Fumble-fuck around trying to surreptiously plug it back

              • Yes

                Thanks for adding "Fumble-fuck around", You make it seem like the thunderbolt connector is hard to use. If the device was plugged in to a macbook already, it would be easier to infect the macbook directly.

                Also for your assumption in step two than you'd have to use a laptop. You could use anything you can build a thunderbolt interface on. Like any FPGA with PCI Express interfaces or anything you can connect to a Thunderbolt interface chip, like the Si52131.

                • Yes

                  Thanks for adding "Fumble-fuck around", You make it seem like the thunderbolt connector is hard to use. If the device was plugged in to a macbook already, it would be easier to infect the macbook directly.

                  Also for your assumption in step two than you'd have to use a laptop. You could use anything you can build a thunderbolt interface on. Like any FPGA with PCI Express interfaces or anything you can connect to a Thunderbolt interface chip, like the Si52131.

                  I have a MacBook Pro and routinely use the TB Connector to plug in a DVI monitor adapter. I guarantee you that, under the conditions you describe, most humans would not be able to simply stab the male end into the exact spot on the first try, while trying to also be surreptitious.

                  LOL, you been watching too many spy movies! So you spend several weeks/months Building up and coding/debugging an FPGA and TB chip gadget (and you better hope the protocol isn't too hairy), just so you can infect a few laptops be

                  • If it takes too long for Apple to fix it, people may start making and selling infection devices.
                    They're probably already on the next version of the NSA ANT catalog

                    • If it takes too long for Apple to fix it, people may start making and selling infection devices. They're probably already on the next version of the NSA ANT catalog

                      Too late, and too small a vulnerability (however nasty). I just learned that only one version of OS X is affected (10.10 Yosemite), and, as previously reported, the REMOTE part of the Vulnerability has been patched in 10.10.2 and fortified in 10.10.4. Apparently, the beta builds of 10.11 (El Capitan) are already patched, 'natch.

                      And I am sure Apple is working hard now on closing the "Evil Maid" vulnerability, too.

    • You're fine [tidbits.com], says another researcher who was also presenting at this last Black Hat. Most relevant line:

      Is there anything I need to do?

      No, nearly everyone can ignore Thunderstrike 2 entirely. The research really is excellent, compelling work that the Wired piece unfortunately turned into a bit of a fright-fest.

      Apple exploits tend to be reported in more breathless terms than ones of comparable severity on other platforms (whether that's because tossing "Apple" in a headline makes for a lot of pageviews or because Apple beat reporters tend to be more clueless about malware, I can't say), which can make it hard to tell just how serious they actually are. In this case, both 10.10.4 and the latest betas of 10.11 alr

  • Didn't there used to be a pin setting on the motherboard that prevented writing to the BIOS ..
    • Didn't there used to be a pin setting on the motherboard that prevented writing to the BIOS ..

      With the quickest of google searches I found an ECS mainboard which had one just five years ago, so I suspect some boards still have this.

  • I didn't meant to hurt you. I didn't mean to thunderstrike you.

Avoid strange women and temporary variables.

Working...