Attackers might choose to infect a target via a phishing email and malicious site. The malware could “spread automatically from MacBook to MacBook, without the need for them to be networked.” Attackers could remotely target computers, even air-gapped ones, with Thunderstrike 2 as it is designed to spread by infecting the option ROM on peripheral devices. The proof-of-concept malware would “be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those,” explained Wired. “The worm would then spread to any other computer to which the adapter gets connected.”
When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread. One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.
A week ago LegbaCore published a “bricking demo” video showing a Mac Mini being rendered unbootable due to vulnerable firmware.
The video description reads:
Apple does not follow Intel's recommended best practices for protecting their firmware. Consequently Macs are vulnerable to being disabled in such a way that they can never be made bootable again either by attempting to boot off external media (like a DVD/USB) and reinstalling the OS, or by changing the entire HD/SSD with a known working one. The only way to recover from such attacks is to reflash the SPI flash chip with a known-clean copy of the firmware. This attack does not require physical presence. It can be launched via a remote connection to the system (e.g. SSH/VNC).
Apple was notified about the flaws, but naturally the vulnerabilities are not discussed within Apple's description of Mac's Thunderbolt interface and Thunderbolt peripherals. Although Apple "partially fixed" a Mac EFI flaw in June, the researchers said other issues they identified are still unpatched. Apple chose not to implement protections against one flaw that would prevent an attacker from updating OS X code.
“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” Kovah said. Re-flashing the chip that contains the firmware is the only way to eliminate Thunderstrike 2 malware embedded in the firmware.
After their presentation, the researchers intend to release some tools that will "allow users to check the option ROM on their devices, but the tools aren't able to check the boot flash firmware on machines." The trio will also demonstrate the attack at Def Con on August 8.