By Paul Mah
A researcher is set to demonstrate a method in which a hacker could use a specially crafted Thunderbolt device to inject a bootkit malware into the EFI ROM of any Mac computer that is equipped with a Thunderbolt port.
In a nutshell, Trammell Hudson took advantage of a flaw in the Thunderbolt Option ROM that was first disclosed in 2012–but which remained patched. What is particularly serious about this proof-of-concept attack is how the malware can survive most legitimate attempts to remove it, and the potential for it to spread by infecting attached Thunderbolt devices.
“It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple’s EFI firmware update routines,” wrote Hudson on his blog. “This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.”
According to Hudson, the proof of concept bootkit also replaces Apple’s public RSA key in the ROM in order thwart software attempts to replace it without the attacker’s private key. This means that traditional strategies, such as a reinstallation of the OS X operating system or even replacing the hard disk, will have no effect on the malware.
“A hardware in-system-programming device is the only way to restore the stock firmware,” explained Hudson. Finally, the ability to infect the Option ROMs of attached Thunderbolt devices meant that copies of the malware could stealthily spread across air-gapped systems without any one realizing it.
Hudson ended his blog by noting that while the Thunderbolt Option ROM vulnerability can be resolved “with a few bytes to the firmware,” that the bigger issue of Apple’s EFI firmware security and how it boots without trusted hardware “is more difficult to fix.”
According to AppleInsider, the demonstration is set to take place next week at the Chaos Communication Congress in Germany on Dec 29.
