A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac.
The research is the work of reverse-engineering hobbyist and security researcher Trammell Hudson, who described the attack, which he calls Thunderstrike, in a talk at the recent 31C3 event in Hamburg, Germany. Thunderstrike is a Mac OS X firmware bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transit) or via a Thunderbolt-connected peripheral device. The latter vector needs only brief physical access, which exposes vulnerable systems to Evil Maid attacks, or to state-sponsored attacks in which laptops are confiscated and examined at airports or border crossings, for example.
The end result is the installation of malicious firmware on an Apple machine that would survive reinstallation of OS X or replacement of the Solid State Drive (SSD). Thunderstrike is undetectable, Hudson said, and can be used for root access to an infected computer, putting all of its data and web traffic at risk for interception and monitoring.
Hudson began a dialogue with Apple about his findings in 2013, and Apple has addressed the issue with updated firmware shipping in Mac Minis and Retina iMacs. MacBooks, however, remain vulnerable because they are subject to downgrade attacks: an attacker can flash an older, still-vulnerable firmware version and then run Thunderstrike against it, he said.
Thunderstrike persists where other bootkits do not because it writes itself to the flash ROM on the motherboard rather than to the disk. A bootkit that lives on the drive is wiped by reinstalling the operating system; nothing a software refresh does touches the boot ROM.
Hudson’s bootkit takes advantage of a vulnerability in how Apple computers handle peripheral devices connected over Thunderbolt during a firmware update. During a recovery-mode boot the boot ROM’s flash is left unlocked so the update can be written, and Option ROMs (firmware carried on the peripheral itself) are loaded and executed in that same window. The Option ROM therefore runs before, not after, Apple’s RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with the matching private key; because the malicious Option ROM can already write to the unlocked flash, it simply replaces that stored public key with the attacker’s own, so from then on only updates signed by the attacker’s key will verify, and Apple’s genuine updates are rejected. The attack also disables the loading of further Option ROMs, closing the window it came in through so a second device cannot undo it. A weaponized version of this attack would have free rein over the system from ring 0 up.
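The ordering problem described above, as an added example that is not Hudson’s code and not Apple’s firmware: a toy model in which the "boot ROM" is a Python object holding a pinned verification key, the Option ROM is a function that runs during the recovery-mode boot, and the RSA keys are 60-bit toys built from fixed primes (textbook RSA over a truncated SHA-256, no padding, so illustrative only; real keys are 2048-bit and padded). The `unlock_before_option_roms` flag, the `thunderstrike_option_rom` function and the firmware bytes are all constructed for the example. Running the vulnerable flow shows the key swap succeeding and Apple-signed updates failing afterwards; the hardened flow, which keeps the flash locked while peripheral code runs, is one illustrative fix and not a description of Apple’s actual patch.

```python
"""Toy model of the Thunderstrike key-replacement attack (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

E = 65537  # public exponent


def keygen(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)) for two primes. Toy-sized keys, not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Assumed toy key pairs: one for the vendor ("Apple") and one for the attacker.
APPLE_PUB, APPLE_PRIV = keygen(1_000_000_007, 1_000_000_009)
ATTACKER_PUB, ATTACKER_PRIV = keygen(998_244_353, 999_999_937)

FIRMWARE = b"constructed firmware image v1"  # constructed sample, not a real image


def _digest_int(image: bytes, n: int) -> int:
    """SHA-256 of the image reduced into the key's modulus (toy, unpadded)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign(priv: Tuple[int, int], image: bytes) -> int:
    n, d = priv
    return pow(_digest_int(image, n), d, n)


@dataclass
class BootRom:
    pubkey: Tuple[int, int]             # verification key pinned in flash
    unlock_before_option_roms: bool     # True models the vulnerable flow
    flash_locked: bool = True
    load_option_roms: bool = True       # attacker flips this to close the window
    firmware: bytes = b""
    log: list = field(default_factory=list)

    def verify_update(self, image: bytes, sig: int) -> bool:
        n, e = self.pubkey
        return pow(sig, e, n) == _digest_int(image, n)

    def write_pubkey(self, newkey: Tuple[int, int]) -> bool:
        """Flash write of the pinned key; only possible while the flash is unlocked."""
        if self.flash_locked:
            self.log.append("flash write blocked")
            return False
        self.pubkey = newkey
        self.log.append("pubkey replaced")
        return True

    def recovery_boot(self, option_rom: Optional[Callable[["BootRom"], None]] = None,
                      update: Optional[Tuple[bytes, int]] = None) -> bool:
        """Recovery-mode boot that runs peripheral Option ROMs, then applies an update.

        Returns True if the update passed the signature check and was written.
        """
        if self.unlock_before_option_roms:
            self.flash_locked = False       # the window Thunderstrike abuses
        if self.load_option_roms and option_rom is not None:
            option_rom(self)                # peripheral code runs before any signature check
        self.flash_locked = False           # flash must be open to write the update
        accepted = False
        if update is not None:
            image, sig = update
            accepted = self.verify_update(image, sig)
            if accepted:
                self.firmware = image
        self.flash_locked = True
        return accepted


def thunderstrike_option_rom(rom: BootRom) -> None:
    """Malicious Option ROM (constructed): swap the pinned key, then shut the door."""
    if rom.write_pubkey(ATTACKER_PUB):
        rom.load_option_roms = False        # no later Option ROM can undo the swap


def run(hardened: bool) -> Dict[str, bool]:
    """One attack attempt followed by a vendor-signed and an attacker-signed update."""
    rom = BootRom(pubkey=APPLE_PUB, unlock_before_option_roms=not hardened)
    rom.recovery_boot(option_rom=thunderstrike_option_rom)
    apple_ok = rom.recovery_boot(update=(FIRMWARE, sign(APPLE_PRIV, FIRMWARE)))
    attacker_ok = rom.recovery_boot(update=(FIRMWARE, sign(ATTACKER_PRIV, FIRMWARE)))
    return {
        "apple_update_accepted": apple_ok,
        "attacker_update_accepted": attacker_ok,
        "option_roms_still_loaded": rom.load_option_roms,
    }


if __name__ == "__main__":
    print("vulnerable:", run(hardened=False))
    print("hardened:  ", run(hardened=True))
```

The check worth keeping in mind is the second one in `run`: after the swap, the genuine vendor update is the one that fails verification, which is why a software-only fix cannot recover the machine. The hardened flow differs in a single line of ordering (the flash stays locked while Option ROMs execute), which is the whole security argument.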
Hudson said this is the first OS X firmware bootkit he is aware of.
“Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said. “It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.”
Hudson said the possibility exists that Thunderstrike attacks could eventually be carried out remotely, given the Dark Jedi Coma research presented at 31C3 by Corey Kallenberg and Rafal Wojtczuk. Their talk exposed vulnerabilities in UEFI, the replacement for BIOS, and in System Management Mode, a privileged execution mode on Intel machines. The vulnerabilities uncovered by Kallenberg and Wojtczuk allow an attacker to re-flash the firmware and run their own malicious firmware in its place. The Department of Homeland Security this week issued an advisory about these vulnerabilities.