ThunderStrike 2: First Firmware Worm to Attack Apple Mac OS X
A new attack against Intel firmware running on the latest Apple Mac computers is set to be unveiled at this week’s Black Hat conference. The research is an extension of the Thunderstrike Mac OS X firware bootkit disclosed earlier this year, that allowed attackers to install an undetectable malicious firmware upgrade that survives reboots and operating system reinstallations.
Thunderstrike 2, as dubbed by security researchers, is different from its predecessor in that an attacker does not require physical access to the Macbook. Allowing the attack to be accomplished remotely and exploits self-replicate via peripherals, researchers said.
The work is a collaboration between security researcher and reverse engineer hobbyist Xeno Kovah and Trammell Hudson. A little over a half-dozen firmware vulnerabilities were reported to Apple a few months ago, leading to the company patching the amass of possibilities available to exploit. However, months later, a few of the vulnerabilities still exist as Apple works to find a resolution.
Kovah and his colleague Corey Kallenberg discovered the vulnerabilities are active in the hardware used by both Apple and Windows machines. Affected Intel models have since been patched for Intel platforms, yet Apple claimed earlier that their firmware was not impacted. All the firmware in question was derived from the same Intel implementation that was vulnerable researchers said.
The two posted a video online debuting their ThunderStrike 2 attack in a live preview video:
Researchers said a successful Thunderstrike 2 attack would be a secondary attack after an attacker already exploited the machine via Java or Flash, as an example. Software-only attacks take advantage of the fact that when a computer is coming out of sleep mode, for a small portion of time Flash is unlocked allowing it possible to write to the firmware. After gaining initial access, it’s about privilege escalation to climb through the system.
As with the first phase of Thunderstrike, this too can be delivered via a Thunderbolt cable into the Macbook. The malware has the ability to infect an Option ROM in the adapter and can spread via computers or if pre-infected Thunderbolt cables are being sold online.
Researchers said in addition to patching this, a few extra patch-types are available, including Boot Guard, which will do a cryptographic check on the firmware to detect if any changes were made before allowing the system to boot. Intel has also included a System Management Mode lockbox that locks the system even when coming out of sleep mode, mitigating any potential software attacks from that standpoint.
Researchers noted none of their mitigation recommendations are foolproof, but they certainly hinder hackers ability. A high-profile hacking group may be able to bypass certain measures depending on the amount of resources available.
Good news though, researchers noted that up-to-date Macbooks are patched at the OS level, but a number of extensions can still be abused to exploit the vulnerability.