Thunderstrike 2 OS X Firmware Attack Self-Replicates to Peripherals

At Black Hat, researchers are expected to disclose new firmware attacks that work against OS X and self replicated to Thunderbolt peripherals.

A new attack against Intel firmware running in Apple computers is expected to be unveiled at this week’s Black Hat conference. The research is an extension of the Thunderstrike Mac OS X firmware bootkit disclosed this spring that enables the undetectable installation of malicious firmware that survives reboots and operating system reinstallations.

Thunderstrike 2 is different from its predecessor in that an attacker would not require physical access to a Macbook; this attack can be accomplished remotely and exploits self-replicate via peripherals, researchers said.

The work is a collaboration between reverse engineering hobbyist and security researcher Trammell Hudson and Xeno Kovah of Legbacore. There are a half-dozen firmware vulnerabilities at risk for exploit that have been disclosed months ago to Apple. Apple has patched some of the issues, but others remain and the two sides are still working on a resolution.

The firmware vulnerabilities discovered by Kovah and his colleague Corey Kallenberg live in hardware used in both the Windows and Apple platforms. The catch is that the flaws have been patched on the reference implementation for UEFI on other Intel platforms. In the case of Apple, the company has said in the past its firmware was not impacted; all the firmware in question, however, is derived from the same Intel reference implementation, the researchers said.

Firmware attacks are exceptionally complex to pull off, requiring expertise and financial resources to execute. In Februrary, researchers at Kaspersky Lab disclosed a firmware attack developed and executed by a nation-state actor known as the Equation Group. Among its many capabilities was a hardware module called nls_933w.dll that researchers called the “ultimate persistence mechanism,” one that reserved only the highest-valued targets and one that required access to proprietary documentation for a number of hardware vendors to understand how each of the respective firmware operates.

The end result gives a determined hacker indiscriminate root-level access to a computer and the ability to add additional attacks in order to steal data and move quietly at will about the machine.

The researchers said a Thunderstrike 2 attack would be a secondary attack and carried out once an attacker is already on a machine via a Flash or Java exploit, for example. Other attacks including the so-called Rootpipe backdoor, or dylib hijacking attacks such as those developed by researcher Patrick Wardle, are also a vehicle for exploit against these vulnerabilities, the researchers said. Software-only attacks take advantage of the fact that coming out of sleep mode, there is a fraction of a second when flash is unlocked and it’s possible to write to the firmware. From there, it’s a matter of escalating privileges: getting code on the machine; getting additional code to run as root and then to run in the firmware for the ultimate privilege and persistence.

As with the first iteration of Thunderstrike, this one too can be delivered via a Thunderbolt adapter. The malware can infect an Option ROM on the adapter and spread via computers if the peripheral is shared between users, or if Thunderbolt adapters that are already infected are sold online.

The researchers said that in addition to patching, there are mitigations available in the hardware platform that would help, including the availability of write-protect bits. The researcher said these bits are enabled in newer versions of Intel’s EFI firmware, for example. Other hardware mitigations include Boot Guard, which does cryptographic checks on the firmware to detect if any changes have been made before it’s allowed to boot. Intel has also added a System Management Mode lockbox that locks the system down coming out of sleep mode, denying a software attack.

A newer version of EFI, the researchers said, requires Option ROMs on peripherals be signed and verified before being allowed to run, cutting off that attack vector. The researchers point out that none of these mitigations are foolproof, but certainly slow attackers down. Well-resourced attackers, such as Equation with access to manufacturer signatures would negate those measures, for example.

The researchers said that Macbooks that are up to patch and OS levels are protected, but there are some extensions that can be abused that would allow these attacks to succeed.

Suggested articles