- Apr 25, 2013
- 5,355
A new malware called Thunderstrike has been successfully demonstrated to invade Apple's MacBook series of laptops and remain virtually undetectable within the system, and resistant to removal even post a replacement of the hard disk.
Thunderstrike was demonstrated by US-based online security expert Trammell Hudson, during the recently concluded Chaos Computer Congress (CCC) in Germany.
According to Hudson, Thunderstrike cannot be detected/eliminated by any of the currently existing computer security solutions, and could therefore allow cyber-criminals to obtain access to confidential user data.
Thunderstrike
Trammell Hudson, details his findings in a research paper called Thunderstrike 31C3, and describes the methodology using which the undetectable virus enters and resides within host MacBook computers.
The malicious threat can reside within the computer's ROM, unlike the conventional threats that are present within the hard disk of the computer.
This property makes Thunderstrike undetectable by conventional anti-virus/anti-malware software tools.
The process wherein the malicious code resides within the ROM and executes attack, is termed as Bootkit attack, and lets hackers control the entire host machine and execute varied cyber-attacks.
"For an attacker with sufficient Option ROM space, the job is done: put your payload in the device's ROM, pass a pointer to it to process firmware volume and it will be flashed for you," states Trammell Hudson, in his research paper.
"Option ROMs can circumvent flash security by triggering recovery mode boots with signed firmware and causing the untrusted code to be written to the ROM. And the attacker now controls the signing keys on future firmware updates, preventing any software attempts to remove them," adds Hudson.
However, according to previous research, once the ROM within Apple laptops are rewritten, it could render the machine completely useless due to the inbuilt security mechanics that detect and prevent any overwriting of ROM.
But, Hudson was able to bypass the inherent security mechanism and manually embed new codes within the ROM.
"In actuality, any software-only validation is doomed to fail since if an attacker can get code into the ROM, they can just skip that software validation."
Thunderbolt port in Apple laptops can be manipulated
Apart from manually overwriting the systems ROM, Thunderstrike was also demoed (by Hudson) to get into the computer by exploiting the Thunderbolt port.
"Since it is the first OS X firmware Bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords."
It was also found that hackers could simply interface devices (infected) supported by the Thunderbolt port, to the computer, and could even bypass firmware passwords via their malicious code.
Here are some ways Thunderstrike could infect Apple laptops
Trammell Hudson states that users' laptops are most susceptible to Thunderstrike, when left alone during custom/security checks that take place while crossing borders.
"One way that a weaponized version of Thunderstrike could be installed is through something like NSA TAO-style operations. They could intercept hardware in shipment and replace it with ones with modified ROMs," warns Hudosn.
"Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption. So while you are getting breakfast at the hotel during a conference and leave the machine in your room and house-cleaning comes by to make up the bed, install the firmware backdoors, and replace the towels."
The researcher also states that computers before the Thunderbolt era are not vulnerable to Thunderstrike.
Prevention of Thuderstrike
Hudson states that Apple has a temporary fix ready, and the software has also apparently started shipping with newer Mac Mini and iMac retina variants.
Apple is also expected to release this 'partial fix' to older MacBooks, as a firmware update at the earliest.
In summary, Thunderstrike, is believed by Trammell Hudson, to spread virally through shared Thunderbolt devices and infect new ones that it encounters.
The threat is also believed to potentially infect all current MacBooks with Thunderbolt; and with minor modifications it could affect Mac Minis and iMac Retinas with Apple's fixed firmware.
Thunderstrike was demonstrated by US-based online security expert Trammell Hudson, during the recently concluded Chaos Computer Congress (CCC) in Germany.
According to Hudson, Thunderstrike cannot be detected/eliminated by any of the currently existing computer security solutions, and could therefore allow cyber-criminals to obtain access to confidential user data.
Thunderstrike
Trammell Hudson, details his findings in a research paper called Thunderstrike 31C3, and describes the methodology using which the undetectable virus enters and resides within host MacBook computers.
The malicious threat can reside within the computer's ROM, unlike the conventional threats that are present within the hard disk of the computer.
This property makes Thunderstrike undetectable by conventional anti-virus/anti-malware software tools.
The process wherein the malicious code resides within the ROM and executes attack, is termed as Bootkit attack, and lets hackers control the entire host machine and execute varied cyber-attacks.
"For an attacker with sufficient Option ROM space, the job is done: put your payload in the device's ROM, pass a pointer to it to process firmware volume and it will be flashed for you," states Trammell Hudson, in his research paper.
"Option ROMs can circumvent flash security by triggering recovery mode boots with signed firmware and causing the untrusted code to be written to the ROM. And the attacker now controls the signing keys on future firmware updates, preventing any software attempts to remove them," adds Hudson.
However, according to previous research, once the ROM within Apple laptops are rewritten, it could render the machine completely useless due to the inbuilt security mechanics that detect and prevent any overwriting of ROM.
But, Hudson was able to bypass the inherent security mechanism and manually embed new codes within the ROM.
"In actuality, any software-only validation is doomed to fail since if an attacker can get code into the ROM, they can just skip that software validation."
Thunderbolt port in Apple laptops can be manipulated
Apart from manually overwriting the systems ROM, Thunderstrike was also demoed (by Hudson) to get into the computer by exploiting the Thunderbolt port.
"Since it is the first OS X firmware Bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords."
It was also found that hackers could simply interface devices (infected) supported by the Thunderbolt port, to the computer, and could even bypass firmware passwords via their malicious code.
Here are some ways Thunderstrike could infect Apple laptops
Trammell Hudson states that users' laptops are most susceptible to Thunderstrike, when left alone during custom/security checks that take place while crossing borders.
"One way that a weaponized version of Thunderstrike could be installed is through something like NSA TAO-style operations. They could intercept hardware in shipment and replace it with ones with modified ROMs," warns Hudosn.
"Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption. So while you are getting breakfast at the hotel during a conference and leave the machine in your room and house-cleaning comes by to make up the bed, install the firmware backdoors, and replace the towels."
The researcher also states that computers before the Thunderbolt era are not vulnerable to Thunderstrike.
Prevention of Thuderstrike
Hudson states that Apple has a temporary fix ready, and the software has also apparently started shipping with newer Mac Mini and iMac retina variants.
Apple is also expected to release this 'partial fix' to older MacBooks, as a firmware update at the earliest.
In summary, Thunderstrike, is believed by Trammell Hudson, to spread virally through shared Thunderbolt devices and infect new ones that it encounters.
The threat is also believed to potentially infect all current MacBooks with Thunderbolt; and with minor modifications it could affect Mac Minis and iMac Retinas with Apple's fixed firmware.
