Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters 119
BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network, and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into — hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem, it only ever lives in firmware (which no one ever checks.) A video showing the proof of concept attack is posted on YouTube.
Maybe someday (Score:2)
They will make a chip that can only be written to one time. They can call it, "read only". What a concept!
Re:Maybe someday (Score:4, Insightful)
Re:Maybe someday (Score:5, Informative)
I vaguely remember the day when chips were socketed, exactly for that inevitability. Updates are more expensive that way, but it all depends on how secure you want to be. Remote updates will never, ever be secure. It is nothing but a perpetual cat and mouse game.
Re: (Score:2)
I prefer flash memory chips that can be updated. If the manufacturer has to send everyone a new ROM chip, and for most of their customers also fit it for them for free, they are unlikely to fix any bugs they discover. With flash chips at least there is a chance they might patch any security holes.
Re:Maybe someday (Score:5, Insightful)
I like the flash chip with a hardware switch/jumper to enable writing to it. You've got the hardware read only protection but you can update it without replacing anything socketed.
Re:Maybe someday (Score:5, Informative)
I like the flash chip with a hardware switch/jumper to enable writing to it. You've got the hardware read only protection but you can update it without replacing anything socketed.
Correct...except I think it needs to be clarified that the jumper or switch is actually a physical cutoff that would prevent flashing. You need to make this distinction, because I'm pretty sure I've seen hardware jumpers that just toggle a bit in the bios/firmware config, thus telling the bios whether or not to allow it, and if the bios/firmware is hacked, the physical jumper is not actually a physical obstacle.
Re: (Score:2, Interesting)
It used to be that every computer had one of these DIP switches on the motherboard. Need to flash the BIOS? Flip the switch physically, boot the machine to the MS-DOS floppy, let it do its reads/writes/verifies, then flip the DIP switch back.
I'm pretty sure it was cost that did away with that physical safeguard, replacing it a signature algorithm. I first saw this in the mid 1990s where one major brand of computers has a "password" in the BIOS flash mechanism, that if it wasn't part of the upload, the ma
Re: (Score:3)
Re: (Score:3)
Re: (Score:2, Interesting)
I prefer a slightly simpler approach—give the chip a command whose sole purpose is to prevent future firmware updates. During normal driver initialization, set the flag. When you power off the computer, the flag gets cleared. Any update to the firmware requires you to install the new firmware in a particular location on disk, where the driver can wait to set the flag, then verify the firmware signature (with access to a full security stack, Internet access for pulling down CRLs, etc.) before instal
Re: (Score:3)
I'm reminded of the "frozen" state with hard drives where the only time one can set or erase a password with them is just after boot, and before the OS loads.
Maybe this should be passed to other devices as well? UEFI or the BIOS passes the same "freeze" command to all devices on the machine, which makes them ignore any requests for firmware updates until the machine is powered off. This way, upgrades are doable, but it takes the user doing something specific to do them.
As an added bonus, the upgrades woul
Re: (Score:2)
Many flash chips already have that but too many firmwares don't use it.
Re: (Score:3)
Pull Write Enable line to ground and the best hackers in the world cant change anything on the chip.
Re: (Score:2)
Unless it's active low, then tie it to V+ rail.
Re: (Score:2)
For historical and practical reasons these signals are usually active low.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Interesting)
There don't need to be security updates to the firmware. The ROM firmware only needs to do just enough to receive the operational firmware. All these devices run the firmware from RAM anyway. The device can provide that firmware to the host from flash memory, but should not load and start it on its own. This way the host is always in control of the firmware and can make sure that the firmware has not been tampered with.
Re: (Score:2)
Dont need to be. All they need to do is add a very small switch. you are updating the firmware? flip the physical switch.
Lessthan $0.10 in electronic parts to make something hackerproof.
Re: (Score:3)
Re: (Score:2)
If the chips are read only they would not be able to receive security updates (not that manufacturers issue ROM updates most of the time...). It would be a mess the first time a firmware security hole was found that couldn't be patched.
Nor could well liked features be removed so that they could be charged for... Or the code changed to make third party cables incompatible.
I mean think of the lost profits.
Re: (Score:2)
Re: (Score:2)
Better yet, jumper the write enable line and default it to off.
News at 11 : The most secure OS ever is now here (Score:1)
P.S. I know that this is a firmware exploit but just for marketing sakes
Re: (Score:2)
I'm running Windows 10 on a MacMini so this exploit could affect Windows 10.
(Actually, triple-boots OS X, Win 10, and Ubuntu Not Ten.)
Obligatory (Score:1)
This is why I use a Mac - we are immune to these things that plague PC users. I'd much rather pay a little bit more for security and simplicity than take the "you're-on-your-own" approach we get on other OS's.
Wait, what? Oh.
Re: (Score:1)
Mac OS's don't get viruses. The firmware is something different, and besides its a worm not a virus.
Re: (Score:3)
Worms are basically a subset of viruses. They are self-replicating malware, just like typical viruses, but don't rely on a human action, such as installation of an infected application.
Assuming that your post wasn't intended as a joke (the dubious claim of viral invulnerability leads me to think it was a joke), how exactly is vulnerability to something like the worm mentioned okay to brush off (claiming mis-classification is a tactic to steer conversation away from the subject discussed)?
Re: (Score:3)
Because the worst pieces of software are antivirus programs, but macs are not vulnerable to the types of malware that antivirus software could protect against. Nobody said that macs are immune to viruses, just as they are not immune to water damage, theft or if you throw them off your roof (although there's a cool video on YouTube where a MacBook Air fell out of a two-seater airplane, but was still functional when it was found on the ground).
Re: (Score:3)
Well, duh. Why do you think it's called MacBook Air?
Re: (Score:2, Insightful)
Nobody said that macs are immune to viruses
Plenty of fan boys have, actually (including you, 2 posts up). And Apple certainly tried to make that implication, with lines like "immune to PC viruses [telegraph.co.uk]" in their sales pitches. While it's true that Macs don't execute Windows code (wow, really?), Apple still didn't have a problem with blurring that technical line [howtogeek.com] in their advertisements aimed at non-technical people. The reason why there are so many results for "are Macs immune to viruses", and why it looks like the vast majority of results for "are PCs
Re: (Score:2, Flamebait)
macs are not vulnerable to the types of malware that antivirus software could protect against
So if antivirus software protects against viruses, and you're claiming that Macs are not vulnerable to that type of malware, then aren't you claiming that Macs are immune to viruses?
worms such as the "firm worm" on this post cannot be prevented by antivirus software. so there is a class of malware that is not blocked by antivirus and even though macs are immune to malware that would otherwise be blocked by antivirus they can still be succeptible to this particular class and yet keep the general moniker immune to viruses that antivirus software would block.
Here's a question: if Macs are not vulnerable to viruses, then why are there antivirus programs for Macs?
AV exists for mac becuz windows switchers are stuck on this idea of "needing antivirus" and so shysters have stepped in to provide t
Re: (Score:1)
So you're still holding onto the "Macs are immune to viruses" line, even though you said in the post I quoted that "Nobody said that macs are immune to viruses". But you are, in fact, saying that "Macs are immune to viruses."
macs are immune to malware that would otherwise be blocked by antivirus
So does this mean that:
1) Flashback is not malware
2) Flashback would not be blocked by AV
3) Macs are immune to Flashback
Taking just one recent example, Flashback. We could also include iWorkS, RSPlug, or Leap/Renopo if you want to talk about how those are not malware, or wouldn't be b
Re: (Score:1)
I applaud your ability to parse a complex sentence; I'm sure you are a great lawyer. But the clear answer is, like this "firm worm", flashback could not be blocked by AV. It was blocked by iOS tho. NOT android.
Re: (Score:2)
Are Macs immune to viruses or not?
Re: (Score:2)
Moreover, don't you think it's a fairly serious flaw if Macs cannot detect a trojan being installed? Why exactly are Macs incapable of detecting when Flashback gets installed?
Re: (Score:2)
Moreover, don't you think it's a fairly serious flaw if Macs cannot detect a trojan being installed? Why exactly are Macs incapable of detecting when Flashback gets installed?
Because this is a brand-new Class of malware.
And if you read TFA, you would know that pretty-much all "x86-based" (although that term doesn't mean what it used-to) computers (IOW, pretty much anything that doesn't use ARM) could be attacked in this manner, and in fact, IIRC, the researchers actually demonstrated the same vulnerabilities in those systems as well.
So, just because they decided to declare bragging-rights by targeting Macs first; don't think that this isn't just as dangerous for many other "P
Re: (Score:2)
Because this is a brand-new Class of malware.
What is, Thunderstrike 2 or what I was referring to, Flashback? Because Flashback looks like a trojan installed via a Java flaw.
Re: (Score:3)
Because this is a brand-new Class of malware.
What is, Thunderstrike 2 or what I was referring to, Flashback? Because Flashback looks like a trojan installed via a Java flaw.
Thunderstrike. I was apparently not reading closely.
However, Thunderstrike (and I believe Thunderstrike 2) has already been patched months ago by Apple, in their OS X 10.10.2 Update. Also, apparently Macs sold after mid-2014 are immune.
By the way, there is a far more sinister fact that is completely glossed over here on Slashdot: These same vulnerabilities were first found in the UEFI firmware on "Windows/Linux" PCs. The "researchers" just wanted some notoriety; so, when they found the same vulnerabilit
Re: (Score:2)
You've decided to stop responding to direct questions, I see. I'll just leave some of your quotes from this thread here:
Mac OS's don't get viruses.
macs are immune to malware
Nobody said that macs are immune to viruses
Also, for what it's worth, I'm not a lawyer, I just can't stand unapologetic knob-slobbering fanboy shills.
Re: (Score:2)
frownie face. i feel like you have purposely misunderstood me and then lashed out about it. my position has been consistent and clear.
Macs don't get viruses, compared to antivirus software, except for certain vectors like this bios or rom stuff, and also new ones that pop up from time to time. and when they do get viruses, they are usually patched pretty quickly.
so for the most part, mac users can be worry free about viruses and AV because apple has them covered and some things you just can't prevent? I thi
Re: (Score:2)
Macs don't get viruses, compared to antivirus software, except for certain vectors like this bios or rom stuff, and also new ones that pop up from time to time. and when they do get viruses, they are usually patched pretty quickly.
That's what you call "consistent and clear"?
Macs don't get viruses. Well, they don't get viruses that antivirus software can detect, anyway (this is how I choose to define "virus", because it fits my narrative). Except for various other ways they can get infected. And sometimes there are new ways. But if they DO get infected, then they USUALLY get patched "pretty" quickly. Other than that, they don't get infected though.
OK, clear as mud.
so for the most part, mac users can be worry free about viruses and AV because apple has them covered and some things you just can't prevent? I think this is true not just for viruses but all malware.
Yeah, that's generally pretty true, which is why it's stupid to go
Re: (Score:2)
For my part, I simply choose to not install Java in the first place, it's an infection vector that I don't need.
Ain't nobody got time for that! [youtu.be]
Re: (Score:2)
AV exists for mac becuz windows switchers are stuck on this idea of "needing antivirus" and so shysters have stepped in to provide the product. not to mention all macs come with antivirus supplied by apple.
This; and also because some Mac users that exist in primarily-Windows environments are nice enough to not want to pass-along Windows Viruses to their friends and colleagues.
Viruses and worms on a Mac (Score:2, Insightful)
Re: (Score:2)
Mac's are not really any more secure than any other OS. They do have better security models in the creation of their OS's than say Windows...
You do realize, of course, that the second sentence negates the first.
DMA (Score:1)
This is why externally hot pluggable devices that have an firmware option ROM and/or can DMA anywhere in RAM are a bad idea.
Re: (Score:2)
From a business perspective, only "it runs" is understood. Attempting to explain hidden weaknesses goes completely ignored, because it is not comprehended.
Re: (Score:2)
This is an issue of "won't", or "not worth bothering with" as oppose to "can't". What it boils down to, is the "security has no ROI" philosophy. If a machine gets hacked? The maker can just throw up their hands and said the bad guys would have gotten into it anyway. This seems like how the entire IoT ecosystem is designed
We started down that road in the 1990s, as PCs went from being in physically sturdy, secure, lockable cases with real locks (Medeco, not just those four-pin cylinder keys), to machines
Re: (Score:2)
An external PCIe bus is just a bad idea, like external PCI and ISA buses before it were. PC Card has mostly died now, thankfully. Firewire is pretty much dead on new machines too. Only Macs really seem to go in for Thunderbolt. People are catching on to how bad this sort of thing is for security.
Re: (Score:2)
I have a bunch of PCIe external enclosures stuffed full of GPU cards on the HPC system that I look after. The idea that an external PCIe bus is a bad idea is just ignorant. Obviously the chances of a security compromise on my system from an external PCIe bus is slim to none existent. It's certainly no worse than from having the GPU cards internal to the servers in which they don't fit of course.
Re: (Score:2)
Really I think it depends on the situation.
External PCI based interface in a server rack: fine
External PCI based interface on a laptop as an extra interface: probablly fine in most cases though potential hazard in some environments (e.g. hot desking with hardware that uses the PCI based interface)
External PCI based interface on a laptop as a replacement for standard display and network ports: dangerous
Re: (Score:2, Funny)
"Firmworm" (Score:5, Insightful)
>> "Firmworm"
You did NOT just introduce that to the Internet.
>> Rule 34
Oh yeah...I guess it's the reason we have Internet [youtube.com] in the first place.
Re: (Score:1)
In other words... (Score:2)
FTFA:
An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site.
So, in other words, the user has to be a complete moron in order for this attack to work. I know there are still a small percentage of people out there that still click on every email link they get, but I would hope that phishing is a dying art and not much would ever come of this. I know that most of the people I supported would not be this amazingly stupid, nor would many in the entire company. Again, this sort of email attack vector is drilled into the heads of office workers everywhere as something
Re: (Score:1)
Are you being serious right now? I guarantee that I can craft a spoofed e-mail to fool a good 60+% of office workers without trying. And That is being pessimistic on numbers. And, since it only takes one, your entire argument is invalid.
Users are in aggregate stupid. Using keywords and events around them to make a passable phishing is child's play for experienced hackers.
Re: (Score:2)
Are you being serious right now? I guarantee that I can craft a spoofed e-mail to fool a good 60+% of office workers without trying. And That is being pessimistic on numbers. And, since it only takes one, your entire argument is invalid.
Users are in aggregate stupid. Using keywords and events around them to make a passable phishing is child's play for experienced hackers.
My question is: Since OS X Mail.app and Safari (and likely Chrome and FireFox) are Sandboxed, how is this thing getting out to the TB device's Option ROM in the first place?
Seems like a simple OS update will plug this vulnerability.
Re:In other words... (Score:5, Insightful)
So, in other words, the user has to be a complete moron in order for this attack to work.
Human stupidity is the hacker's greatest tool. The entire staff does not have to be stupid, just a few to get things rolling.
Re: In other words... (Score:2, Troll)
strongest attack vector in existence (Score:3)
If you work in an IT capacity, I suggest you rethink architecting your security profile based on trusting users not to click on links sending them to websites hosting malicious exploit code.
You mi
Re: (Score:2)
Any competent Corporate IT already scrubs URL's from all email, it get's quarentined and a tech has to look at the email before the user can get it.
Comcast was doing that back in the early 2005's
Re: (Score:2)
So, in other words, the user has to be a complete moron in order for this attack to work. I know there are still a small percentage of people out there that still click on every email link they get, but I would hope that phishing is a dying art and not much would ever come of this. I know that most of the people I supported would not be this amazingly stupid, nor would many in the entire company. Again, this sort of email attack vector is drilled into the heads of office workers everywhere as something to NOT fall for. The firmware vulnerabilities still need to be addressed, though ongoing training and social engineering will mitigate the possible threat a great deal.
The gullibility of users aside, that is not the bigger threat from such a worm. Sure, you could infect machines in this manner but right now the usual OS specific attacks are easier and more lucrative. However, if yo want to infect a specific target, especially one that is not connected to the broader internet or where you want to infect them and keep the infection unused and unnoticed until the target connects to the desired network, such a tool is useful, a TFA points out. It's of great use to spy agencie
Re: (Score:2)
So basically the target audience for said products?
If anything, people always say their products are for people who don't know what they're doing with tech.
People may say that; but do you really think that the average Windows user is more tech-savvy than the average Mac user?
I work in the Windows-world every day, and have for decades. I can say with authority that there is absolutely no difference between the average Windows user and the average Mac user. Some are very savvy; some are decidedly not. Platform choice simply does not enter into that demographic in any definable manner, period.
And if it ever actually became "The Year of the Linux Desktop", the
So, the actual attack surface is vanishingly small (Score:2)
1. The Macs that use a TB Ethernet adapter. That, my fine readers, is a REALLY small group. Most Macs still have built-in Ethernet connectors, and those that don't are usually connected through WiFi instead of a TB adapter.
2. Those who fall for some unknown social-engineering trap.
That's one sma
Re: (Score:2)
This should work on any thunderbolt device, not just ethernet adapters. DMA for external devices is stupid.
WRONG!!!
Actually, any TB device with an "Option ROM" . Is that all of them? Somehow, I think not, or the Article would have been even more breathless.
In fact, according to TFA, it specifically mentioned External TB SSDs and the TB Ethernet Adapter. Both would be pretty rare in the Mac installed base.
Re: (Score:3)
Re: (Score:2, Insightful)
All current MacBook Pros (for the past few years actually) do not have built-in ethernet but would require either a Thunderbolt or USB adapter.
Also, what about Thunderbolt displays, especially in an office "hotel" situation where one shows up and grabs an empty spot to plug in? This is pretty common enough behavior.
Re: (Score:2)
All current MacBook Pros (for the past few years actually) do not have built-in ethernet but would require either a Thunderbolt or USB adapter.
Also, what about Thunderbolt displays, especially in an office "hotel" situation where one shows up and grabs an empty spot to plug in? This is pretty common enough behavior.
NO Hotel is going to have a Thunderbolt Display. Not even one next door to Moscone Center.
So, no. Not gonna happen.
And besides, it is only certain TB devices (those with an "Option ROM") that are affected; in fact, the only two mentioned in TFA were the TB-Ethernet adaptor and certain External TB SSDs (which are REALLY rare, and wouldn't likely be passed-around anyway).
Re: (Score:1)
2. Those who fall for some unknown social-engineering trap.
Well, that's every Mac user. You bought into the idea that you were buying a lifestyle, but actually you were just buying a PC made by slaves at Foxconn like every other PC.
Re: (Score:2)
2. Those who fall for some unknown social-engineering trap.
Well, that's every Mac user. You bought into the idea that you were buying a lifestyle, but actually you were just buying a PC made by slaves at Foxconn like every other PC.
Actually, I thought I was buying a PC. I don't know what your problem is.
Oh, and nice job of artificially-increasing the attack surface, by ignoring one of the criteria "Must have a TB Ethernet Adapter" (or at least a TB Device with an "Option ROM").
Typical Slashtard. Hate, hate, hate. It's all some people know how to do.
Re: (Score:2)
Most Macs still have built-in Ethernet connectors...
Re: (Score:2)
Most Macs still have built-in Ethernet connectors...
Nice use of the "li" tag. I'll have to remember that.
But, without telling me which version of the Airs, I can't tell you whether they have TB ports. The first-generation Airs only had USB. And I don't know if the new "MacBook" (non-"Pro") qualifies as "vulnerable" either; since (I think) it actually does "TB-Over-USB-C".
And, as I said, MOST of time, Macs without intrinsic Terrestrial Ethernet ports simply use WiFi; and so most of those people don't even know that there is a TB-Ethernet adapter.
And do
Re: (Score:2)
And do you really want to see the list of Macs still being sold and/or still in common use that do have a Terrestrial Ethernet port? I assure you, it is a LOT more models than your measly little list.
Incorrect
Around 2/3 of all Macs sold are the laptops listed above.
Otherwise known as, "the majority of Macs sold."
Re: (Score:2)
And do you really want to see the list of Macs still being sold and/or still in common use that do have a Terrestrial Ethernet port? I assure you, it is a LOT more models than your measly little list.
Incorrect
Around 2/3 of all Macs sold are the laptops listed above.
Otherwise known as, "the majority of Macs sold."
Nice job of ignoring the part of the sentence that doesn't support your argument.
Note that I said "...and/or still in common use". So, in about 5 years or so, a good majority of Macs "still in common use" will not have Terrestrial Ethernet built-in; but for now, that still isn't the case. So, I stand by my original statement. And as I said, I would probably be safe in saying that the majority of Macs without built-in Terrestrial Ethernet are using WiFi instead; which isn't affected by this exploit.
And "
Firmware (Score:1)
Re: (Score:2)
I remember the day when ROM actually meant Read Only Memory.......and why Thunderbolt devices need to be re-writeable "flash" firmware instead of ROM is a mystery to me. I'm not aware of Apple issuing any firmware upgrades to these devices since their inception.
1. The "Option ROM" is a 35-year-old concept that is certainly not unique to Apple, hence the fact that these Vulnerabilities also pertain to Windows/Linux PCs (like the one you are probably using right now). Here is a quick explanation of the original intent behind the "Option ROM". [wikipedia.org]
2. OS X 10.10.2, released in January, 2015, Fixed this vulnerability [intego.com]; so keep your systems Up-To-Date!!!
3. Because of the way that Apple patched this vulnerability, I would expect that Thunderstrike 2 will not infect Macs ru
Thunderbird 2 starts with a local root privilege (Score:2)
'DYLD_PRINT_TO_FILE [imore.com] is a recently-disclosed privilege escalation vulnerability on OS X Yosemite'
Can infect firmware, but still can't netboot? (Score:2)
So we now have an exploit over Thunderbolt, but I still cannot PXE boot the bloody things from a Linux server. Maybe I could, but I still haven't found how, if not using an OS X server. Progress is not going where I would like...
Would someone please publish a hack that lets us easily network boot Macs from Linux servers.
Re: (Score:2)
Is this really /. ? Two extremely useful replies from ACs! Thanks!
Re: (Score:2)
Wink wink, nudge nudge.