Too many of us still have to deal with members of the workforce who believe, without any basis, that using a Mac frees them from risk.
At the most recent Chaos Communication Congress in Germany, Trammell Hudson presented his latest project, Thunderstrike. It infects the boot ROM of a modern Mac through the Thunderbolt port: a malicious device plugged into that port supplies an Option ROM that runs during boot, before the operating system, and from there can write to the boot flash. The result is attacker control of the endpoint. This “evil maid” attack gives us all another reason for concern. Anyone with physical access to a worker’s Mac could use this technique (or one of its predecessors) as a foothold into your network, along with direct access to whatever that user is permitted to do. Traveling executives are the obvious targets, but virtually any member of the workforce is a candidate.
Hudson describes the impact of the attack as follows:
“There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it.
Our proof of concept bootkit also replaces Apple’s public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker’s private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect.”
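To make the persistence argument in Hudson’s quote concrete, here is an added toy model (not Apple’s firmware and not Hudson’s Thunderstrike code) of a boot ROM whose software update path verifies new images against a public key stored in that same writable flash. The direct flash write stands in for the Option ROM executed over Thunderbolt; the RSA parameters, the `BootRom` layout and the fused-hash comparison in `boot_with_anchor` are all assumptions made for illustration, the last being a sketch of the hardware-rooted check the quote says is absent, not a description of any shipped fix.

```python
"""Toy model of the persistence argument in the quote above: an update path
that checks signatures against a public key stored in the same writable flash
it protects, plus a physical-access write (standing in for Thunderstrike's
Thunderbolt Option ROM path) that bypasses the check and swaps the key.
Illustration only: not Apple's firmware and not Hudson's code. The RSA is
textbook and unpadded with hard-coded Mersenne primes; never use it for real."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

E = 65537
PubKey = Tuple[int, int]  # (n, e)

def make_keypair(p: int, q: int, e: int = E) -> Tuple[PubKey, int]:
    """Return ((n, e), d) for two given primes (toy; no primality checks)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), d

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv_d: int, pub: PubKey, data: bytes) -> int:
    n, _ = pub
    return pow(_digest(data, n), priv_d, n)

def verify(pub: PubKey, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def key_bytes(pub: PubKey) -> bytes:
    n, e = pub
    return n.to_bytes(32, "big") + e.to_bytes(4, "big")

@dataclass
class BootRom:
    firmware: bytes
    pubkey: PubKey  # the trust anchor sits in the same writable flash (assumed layout)

def apply_update(rom: BootRom, new_fw: bytes, sig: int) -> bool:
    """Software update path: install new_fw only if it verifies under the key
    currently in ROM. Returns True if the ROM changed."""
    if not verify(rom.pubkey, new_fw, sig):
        return False
    rom.firmware = new_fw
    return True

def evil_maid_flash(rom: BootRom, payload: bytes, attacker_pub: PubKey) -> None:
    """Physical-access path: code from a plugged-in device's Option ROM runs
    during boot and writes flash directly, so apply_update's check never runs."""
    rom.firmware, rom.pubkey = payload, attacker_pub

def boot_unchecked(rom: BootRom) -> bytes:
    """Boot as the quote describes it: nothing validates the flash contents."""
    return rom.firmware

def boot_with_anchor(rom: BootRom, fused_key_hash: bytes) -> bytes:
    """Sketch of the hardware-rooted check the quote says is missing: the hash
    of the expected key lives where the flash write cannot reach (assumed)."""
    if hashlib.sha256(key_bytes(rom.pubkey)).digest() != fused_key_hash:
        raise RuntimeError("boot ROM trust anchor does not match fused hash")
    return rom.firmware

def demo() -> Dict[str, bool]:
    """Walk through the scenario; each step's outcome is returned by name."""
    vendor_pub, vendor_priv = make_keypair(2**61 - 1, 2**89 - 1)
    attacker_pub, attacker_priv = make_keypair(2**107 - 1, 2**127 - 1)
    rom = BootRom(b"vendor firmware v1", vendor_pub)
    fused = hashlib.sha256(key_bytes(vendor_pub)).digest()  # set once at manufacture
    out: Dict[str, bool] = {}
    v2 = b"vendor firmware v2"
    out["vendor_update_before_attack"] = apply_update(rom, v2, sign(vendor_priv, vendor_pub, v2))
    evil_maid_flash(rom, b"bootkit v1", attacker_pub)  # the evil maid's moment
    v3 = b"vendor firmware v3"
    out["vendor_update_after_attack"] = apply_update(rom, v3, sign(vendor_priv, vendor_pub, v3))
    bk2 = b"bootkit v2"
    out["attacker_update_after_attack"] = apply_update(rom, bk2, sign(attacker_priv, attacker_pub, bk2))
    out["bootkit_runs_unchecked"] = boot_unchecked(rom) == bk2
    try:
        boot_with_anchor(rom, fused)
        out["anchor_detects_swap"] = False
    except RuntimeError:
        out["anchor_detects_swap"] = True
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Running `demo()` walks the sequence: a vendor-signed update is accepted, the attacker’s flash write swaps the key, and from then on vendor-signed updates fail while attacker-signed ones succeed, which is exactly the point of the sentence about replacing Apple’s key. The last step shows why the missing hardware check matters: anchoring the key hash outside writable flash turns a silent compromise into a boot failure that someone will notice.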
At a minimum, this belongs in the security awareness training given to travelers: a Mac left unattended in a hotel room is precisely the situation an evil maid attack targets.
It should also be factored into the risk analysis of every BYOD scenario, and into incident response planning. As the quote makes clear, a Mac suspected of having been tampered with cannot be cleaned by reinstalling the operating system or swapping the disk, so remediation has to address the firmware itself.
“Thunderstrike.” By Trammell Hudson.
“De Mysteriis Dom Jobsivs: Mac EFI Rootkits.” By Snare, Black Hat 2012.
“Apple’s Mac EFI found vulnerable to bootkit attack via rogue Thunderbolt devices.” By Sam Oliver, Dec 22, 2014.
“Thunderstrike: The scary vulnerability in your Mac’s Thunderbolt port.” By Christina Warren, Jan 02, 2015.
“Macs vulnerable to virtually undetectable virus that ‘can’t be removed.’” By Adrian Kingsley-Hughes, Jan 12, 2015.