Thunderstrike hack – Infecting Apple Mac with EFI Bootkit

Pierluigi Paganini January 05, 2015

A security researcher has presented a technique dubbed Thunderstrike hack to infect Apple’s Mac PCs with with EFI Bootkit through the Thunderbolt port.

Infect Apple Mac PCs exploiting the Thunderbolt port is possible, the security researcher Trammell Hudson has demonstrated how it is possible during  the last edition of the annual Chaos Computer Congress in Hamburg, Germany.

The researcher has demonstrated that it is possible to exploit the port by rewriting the firmware of an Intel Thunderbolt Mac. The hack, called Thunderstrike, exploit a well-known vulnerability in the Thunderbolt Option ROM that was first disclosed in 2012, but that still affects Apple Mac systems. Thunderstrike can infect the Apple

The Thunderstrike hack allows the attacker to infect the Apple Extensible Firmware Interface (EFI) by injecting the malware into the boot ROM of the targeted machine through infected Thunderbolt devices.

thunderstrike hack infecting apple mac with bootkit summary

The Thunderstrike attack is very insidious because victims have no way to detect it, as explained by Trammell Hudson, even if the user completely re-install the OS X the machine will be still infected because the malicious code resides in the system’s own independent ROM.

“How bad could a weaponized version of the Thunderstrike bootkit be? Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords. It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.” states the official post on the Thunderstrike hack.

thunderstrike hack infecting apple mac with bootkit rom

Hudson also showed that he is also able to replace Apple’s own cryptographic key with a new one, in this way the attacker can maintain a persistent control on the system by avoiding that legitimate firmware updates from being accepted.

There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction,” Trammell Hudson said. “It could use SMM and other techniques to hide from attempts to detect it.

During its presentation, the expert also explained a technique to allow the bootkit to replicate itself to any connected Thunderbolt device. This infection method makes possible the diffusion of the malicious agent even if the attack targets an air-gapped network.

In addition to writing a custom code to the boot ROM, Hudson’s presentation also notes a method by which the bootkit could replicate itself to any attached Thunderbolt device, giving it the ability to spread across even air-gapped networks.

It is important to highlight that in order to exploit the Thunderstrike hack an attacker must have physical access to the targeted machine.

Apple has already patched part of the vulnerability in the latest Mac mini and on the iMac with 5K Retina Display, the company will soon provide the fix for the remaining products.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Thunderstrike hack, hacking)

[adrotate banner=”12″]

you might also like

leave a comment