“Thunderstrike 2” attacks Apple computers’ firmware

04 Aug 2015

1

A presentation at the Black Hat conference scheduled for later this week would reveal an improved attack on the firmware in Apple computers making them vulnerable to hard-to-detect malware without even being connected to a network.

According to commentators, the new research highlighted ongoing weaknesses in the low-level software every computer runs prior to the loading of an operating system.

Researchers Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments showed earlier this year how a Mac's firmware could be infected with malware by connecting malicious devices to them using Thunderbolt, Apple's high-speed data transfer interface.

The attack has been named Thunderstrike.

They would unveil Thunderstrike 2, on Thursday, an attack that improved on the former since it was capable of spreading to other machines through removable peripherals.

Their attack would use a number of vulnerabilities in firmware used by Apple. The company patched several flaws in June, but some remained, according to Hudson's blog.

In theory, malware should not be able to be modified or rewritten, and malware that sat within firmware was especially dangerous since security products do not check firmware and users would therefore not have any idea that it had been tampered with.

Hudson said while his proof of concept was deliberately noisy, displaying a logo during boot, a real attack could be launched surreptitiously through virtualisation or system management mode.

Once installed Thunderstrike in the boot flash, it was"very difficult" to remove as it controlled the system from the first executed command. It was not removable with even reinstallation of the operating system or even with replacing the hard drive.

The infection of new Thunderbolt peripheral devices meant a potential victim might even infect a replacement laptop.

First revealed in January, Thunderstrike targeted option ROMs to load malware by replacing RSA keys in Mac extensible firmware interfaces (EFIs).

A partial fix was issued by Apple in the ensuing OS X patch run blocking it in version 10.10.2. Option ROM updates coupled with Boot Guard mitigations also slowed it down for attackers that lacked high levels of resources.

 

Business History Videos

History of hovercraft Part 3 | Industry study | Business History

History of hovercraft Part 3...

Today I shall talk a bit more about the military plans for ...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of hovercraft Part 2 | Industry study | Business History

History of hovercraft Part 2...

In this episode of our history of hovercraft, we shall exam...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of Hovercraft Part 1 | Industry study | Business History

History of Hovercraft Part 1...

If you’ve been a James Bond movie fan, you may recall seein...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of Trams in India | Industry study | Business History

History of Trams in India | ...

The video I am presenting to you is based on a script writt...

By Aniket Gupta | Presenter: Sheetal Gaikwad

view more
View details about the software product Informachine News Trackers