Macs vulnerable to same remote firmware exploits as Windows PCs, researchers find

Posted:
in macOS edited August 2015
Macs can still be successfully attacked using some of the same firmware vulnerabilities affecting many Windows PCs, a new proof-of-concept worm is said to demonstrate.




Superficially, the new attack -- dubbed Thunderstrike 2 -- appears similar to the namesake Thunderstrike vulnerability found last year and likely relies on some of the same attack vectors. It was created by security reseachers Trammell Hudson, who first discovered Thunderstrike, and Xeno Kovah, Wired reported on Monday.

Worryingly, the proof-of-concept worm could transfer automatically between two Macs without them being networked. It would escape direction by most scanning software, and even survive reformatting, leaving a "scorched earth" approach -- re-flashing firmware chips -- as the only method of mitigation.

The code is based on research conducted by Kovah's LegbaCore consultancy last year, which discovered possible firmware exploits in PCs by companies like Dell, HP, and Lenovo. Five out of six them are potentially applicable to Macs, Kovah said, because computer makers including Apple tend to rely on the same reference implementations.



Apple has been notified of the gaps and reportedly patched one while partially fixing a second. There is no word on whether those fixes include the changes made in OS X 10.10.2 to address Thunderstrike, or are separate updates.

Thunderstrike 2 targets the option ROM on peripherals like Ethernet adapters and SSDs, and can be spread by connecting an infected device to a Mac. An initial attack could be delivered via an email or malicious website however, and the researchers suggested that computer makers should be cryptographically signing firmware and upgrading their hardware to allow authentication. Write-protect switches might also theoretically improve protection, as could a tool for users to check if firmware has been changed.

The researchers are scheduled to share more details at this year's Black Hat USA security conference on August 6.

Comments

  • Reply 1 of 19
    schlackschlack Posts: 719member
    practically speaking...should we be concerned?
  • Reply 2 of 19
    gatorguygatorguy Posts: 24,153member
    schlack wrote: »
    practically speaking...should we be concerned?
    IMHO it's like a recent vulnerability found on another companies platform. Until the details are announced(the upcoming Blackhat in both cases) it's hard to know just how easy it is to take advantage of. Even then it doesn't mean there's necessarily going to be real-world repercussions. I'd say it's too early to start worrying. Stuff like this comes around a few times a year, but seldom followed up with actual damage reports that amount to much of anything.
  • Reply 3 of 19
    sflocalsflocal Posts: 6,090member

    If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation.  So for just about everyone concerned, it's a non-issue.



    It's great that Apple is taking care of the flaws.  It'll be patched before anything can happen.  Poor PC folks though.  Good luck getting any support for their system.

  • Reply 4 of 19
    gatorguygatorguy Posts: 24,153member
    sflocal wrote: »
    If it's just like the original Thunderstrike, it requires physical access to the computer . . .
    Is it the same thing? Perhaps AI got the story wrong then.

    "An initial attack could be delivered via an email or malicious website however"
  • Reply 5 of 19

    Well yeah... b/c technically speaking, anything that has a user and it connected to the internet is vulnerable. This is no such thing as 100% protection. Thats why I have a job in I.T. 

     

    This isn't really news.

  • Reply 6 of 19
    sflocalsflocal Posts: 6,090member
    Quote:

    Originally Posted by Gatorguy View Post





    Is it the same thing? Perhaps AI got the story wrong then.



    "An initial attack could be delivered via an email or malicious website however"



    I'm confused... yeah, I don't know know.  "Could be spread by email" sounds a little vague to me for some reason.  It either can, or cannot be.  I think the article could be better written.  There's some specifics missing.

  • Reply 7 of 19
    gregqgregq Posts: 62member
    Quote:

    Originally Posted by sflocal View Post

     

    If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation.  So for just about everyone concerned, it's a non-issue.


     

    It's not, remote infection is possible, via website access, email etc.

     

    Seems this is most likely to have been used by our great NSA than anyone else. 

  • Reply 8 of 19

    I wonder how long before we have those notiously insecure IoT devices being used as a router for this sort of attack.

    Infect an IoT device with code to enable it to store and pass on the infection to PC's and Mac's.

     

    The more devices we have connected to our home networks the more vunerable we all become.

     

    No IoT device is coing to be connected to my home network. No Streaming Videos to my smart TV.

    But to be honest how many of the general public will even care if they get infected with sort of bad stuff?

  • Reply 9 of 19
    lkrupplkrupp Posts: 10,557member
    Quote:

    Originally Posted by schlack View Post



    practically speaking...should we be concerned?



    Practically speaking we should not be concerned at all. For years we’ve been treated to these doomsday scenarios by security ‘researchers’ and there is not one scintilla of evidence to suggest that any of this stuff has gained wide spread traction. It comes, people get nervous and wring their hands in anxiety, the security paranoids bloviate that we are all doomed, then it all goes way and nothing comes of it EVER!

     

    Look at the recent explosion of paranoia over the Android ‘Stage Fright’ vulnerability. It was trumpeted that 95% of all Android users were about to get creamed and destroyed in the coming Stage Fright apocalypse. Gone from the headlines totally. Remember the special text message that could ‘crash’ an iPhone leading to execution of malicious code. That lasted about a day or two as my son’s workplace colleagues started sending each other the special text and laughing their asses off. Then it went away and hasn’t been heard of since.

     

    I’m sure the NSA, the CIA, and other ‘agencies’ tuck this stuff away for possible use on a high value target but you sitting your den placing your Amazon order, not important enough to bother with.

  • Reply 10 of 19
    lkrupplkrupp Posts: 10,557member
    Quote:

    Originally Posted by rotateleftbyte View Post

     

    I wonder how long before we have those notiously insecure IoT devices being used as a router for this sort of attack.

    Infect an IoT device with code to enable it to store and pass on the infection to PC's and Mac's.

     

    The more devices we have connected to our home networks the more vunerable we all become.

     

    No IoT device is coing to be connected to my home network. No Streaming Videos to my smart TV.

    But to be honest how many of the general public will even care if they get infected with sort of bad stuff?




    Paranoid nonsense. Vulnerable to what exactly? The neighbor kid hacking the fridge and ordering more pizza? Ha,ha, ha!

  • Reply 11 of 19
    badmonkbadmonk Posts: 1,278member
    Don't use ethernet adaptors or SSDs. Fewer people connect their computers to peripherals these days. Everything in the article is too vague...flash on the other hand...
  • Reply 12 of 19
    ronnoronno Posts: 5member
    *Flabbergastingly insecure*
  • Reply 13 of 19
    bloggerblogbloggerblog Posts: 2,460member
    Quote:

    Originally Posted by sflocal View Post

     

    If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation.  So for just about everyone concerned, it's a non-issue.



    It's great that Apple is taking care of the flaws.  It'll be patched before anything can happen.  Poor PC folks though.  Good luck getting any support for their system.




    Except it's not.

    "This is the second Thunderstrike exploit to target Macs. The first version was fixed with OS X 10.10.2 and required the hacker to have physical access to the computer. This new version is more nefarious because the malware can be delivered via a link." - Engadget

     

    Cheap aftermarket Thunderbolt accessories are especially suspect. For peace of mind, look no further than Apple branded Thunderbolt accessories.

  • Reply 14 of 19
    revenantrevenant Posts: 621member
    For what it is worth, they had more to say about it than AI reports: "Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware," Kovah notes. "Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security."

    http://www.macrumors.com/2015/08/03/thunderstrike-2-first-mac-firmware-worm/
  • Reply 15 of 19
    ronnoronno Posts: 5member
    *Flabbergastingly Insecure*
  • Reply 16 of 19

    Is there a way to find out if your machine is infected by Thunderstrike 2?

  • Reply 17 of 19
    ronnoronno Posts: 5member
    *Flabbergastingly insecure*
  • Reply 18 of 19
    haggarhaggar Posts: 1,568member

    There used to be a time when applying firmware updates on a Mac required restarting and then holding down the power button until you hear a loud beep.  Why was this changed?

Sign In or Register to comment.