This is the annotated transcript of our DefCon 23/BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple’s Macs that can spread via either software or Thunderbolt hardware accessories and writes itself to the boot flash on the system’s motherboard. The original slides are available.
While I think it’s unlikely this worm will pose any real threat in the real world, I find it amazing that we’re living in a world where this is possible in the first place.
Hi,
While I think it’s unlikely this worm will pose any real threat in the real world, I find it amazing that we’re living in a world where this is possible in the first place.
I find it amazing that we’re living in a world where incompetent morons expose the PCI-E bus directly to potentially malicious devices so that these devices can do anything they like with no way for firmware or OS to defend against them (beyond using IOMMUs, which Intel doesn’t think most people should be allowed to have unless they pay extra for virtualisation support).
– Brendan
And especially now that they’re trying to actually introduce Thunderbolt to non-Apple hardware, the practice seems extremely moronic.
Fortunately, the latest Skylake-K does have VT-d (almost the first thing I looked up on ark.intel.com after they were officially announced). Hopefully they get a clue and also put VT-d on the cheap/i3 ones.
Thunderstrike 2 was widely publicized on mainstream media as a worm able to infect computers via remote replication.
Now, reading the transcript, this is the only reference to remote replication:
“Now an attacker needs only a remote root shell”
Only needs a remote root shell… it seems like a joke… pure FUD from DefCon/BlackHat. I do not understand how they can be considered serious.
Yeah, some of the shit I’ve seen up to the event reminded me of those ’90s emails about some computer virus that was going to destroy your furniture and kill your cat. And then the reveal happens and it’s like 1/10th what they originally hinted at. Just seems like clickbait.
Because it’s not like there’s a privilege escalation vulnerability in the latest, most up-to-date version of OS X.
Oh wait.
http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-…
“Developers didn’t use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that lets attackers open or create files with root privileges that can reside anywhere in the OS X file system.”
Doesn’t even need the system password. (Yes it’s fixed in 10.10.5 and 10.11 betas, but telling people “run beta software on a production machine” is bad advice, so the most recent publicly available version of OS X still isn’t patched).
Thunderstrike 2 is actually partially patched in 10.10.4, such that it can’t actually (seemingly) be done from software any more.
https://trmm.net/Thunderstrike_2
And, no, very few people in their lives will plug in Thunderbolt adapters during the course of their computer’s life. All it takes is once, though – and business environments which would be highly desirable targets have much higher likelihood of adapters for legacy projectors and hardwired corporate intranets.