Unlike its counterpart, Thunderstrike 1, version 2 of Thunderstrike 2 doesnt require any physical access to your Mac. This is a proof of concept where by using a software exploit the boot flash can be infected. This infects thunderbolt option roms and then the resume script or SMM. What does this mean in the real world. Don;’t randomly click or runanything you arent 100% sure about, but you do that anyway right?
Researchers Trammel Hudson and Xeno Kovah have built a self-replicating Apple firmware malware that can infect peripherals to spread to new computers.
Hudson says while his proof of concept is deliberately noisy, displaying a logo during boot, a real attack could be made surreptitious through virtualisation or system management mode.
“Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory [and] can unlock and rewrite the motherboard boot flash,
Hudson says.
“It can search the PCIe bus and look for removable Thunderbolt devices and write itself into their option ROMs.
Once installed Thunderstrike in the boot flash is “very difficult” to remove because it controls the system from the first executed command. Reinstalling the operating system or even replacing the hard drive will not remove it.
The infection of new Thunderbolt peripheral devices means a potential victim may even re-infect a replacement laptop.
Thunderstrike was revealed January as a then unmitigated attack targeting option ROMs to load malware by replacing RSA keys in Mac extensible firmware interfaces (EFIs).
Apple issued a partial fix in the ensuing OS X patch run blocking it in version 10.10.2. Option ROM updates coupled with Boot Guard mitigations also slow it down for those attackers lacking high levels of resources.
Leave a Reply