
First Public Mac OS X Bootkit Unleashed

Discussion in 'Mac - General discussion' started by ireland, Jan 8, 2015.

  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,451
    Likes Received:
    15
    Trophy Points:
    68
    First OSX Bootkit Revealed


    A vulnerability at the heart of Apple's Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.

    Hudson's bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple's RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity.


    http://apple.slashdot.org/story/15/...utm_source=rss1.0mainlinkanon&utm_medium=feed

    ==================================================================================

    First Public Mac OS X Firmware Bootkit Unleashed

    The end result is the installation of malicious firmware on an Apple machine that would survive reinstallation of OS X or replacement of the Solid State Drive (SSD). Thunderstrike is undetectable, Hudson said, and can be used for root access to an infected computer, putting all of its data and web traffic at risk for interception and monitoring.

    Hudson began a dialogue with Apple about his findings in 2013 and Apple has addressed the issue with updated firmware shipping in MacMinis and iMac Retina computers. Macbooks, however, remain vulnerable because they are subject to downgrade attacks where an attacker could force older firmware vulnerable to this attack to run Thunderstrike, he said.

    Thunderstrike’s persistence, unlike other bootkits that would be wiped upon a re-installation of the operating system, for example, is due to its ability to write to the flash ROM on the motherboard, meaning that there’s nothing a software refresh would do to wipe it.

    Hudson’s bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple’s RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker’s key. The attack also disables the loading of further Option ROMs, closing that window of opportunity. A weaponized version of this attack would have free ring0 reign over the system.

    Hudson said this is the first OS X firmware bootkit he is aware of.

    “Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said. “It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.”

    Hudson said the possibility exists that Thunderstrike attacks could also eventually be done remotely given the Dark Jedi Coma research presented at 31C3 by Corey Kallenberg and Rafal Wojtczuk. Their talk exposed vulnerabilities in UEFI—the replacement for BIOS—and System Management Mode, a privileged execution mode on Intel machines. The vulnerabilities uncovered by Kallenberg and Wojtczuk allow an attacker to re-flash firmware and run their own malicious firmware. The Department of Homeland Security this week issued an advisory about these vulnerabilities.

    http://threatpost.com/first-public-mac-os-x-firmware-bootkit-unleashed/110287
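The article above describes the mechanism in two sentences: the boot ROM pins a public key, updates must be signed by the matching private key, and an Option ROM that runs while the flash is still writable can replace that pinned key so only attacker-signed updates verify afterwards. The following is an added toy model of that trust anchor, written for this thread and not taken from ireland's post, the Threatpost article or Hudson's work. It uses textbook RSA over fixed Mersenne primes (constructed, far too small to be secure, no padding) purely to make the key-pinning logic executable; the `BootFlash` class, its `locked` flag and the scenario names are assumptions of the model, not Apple's firmware interfaces. The point it shows is the defender's one: the same update check that rejects a rogue image when the flash is write-protected before any Option ROM runs will happily accept it once the pinned key has been swapped.

```python
"""Toy model of a ROM-pinned firmware update key and an Option-ROM key swap.

Constructed example: textbook RSA with tiny fixed primes and no padding.
It models the trust logic only; nothing here touches real firmware.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent (coprime to both toy phi values, checked by hand)


def toy_keypair(p: int, q: int) -> tuple:
    """Return (n, e, d) for textbook RSA over p*q.

    p and q are hard-coded Mersenne primes below, so this is a model of a
    key pair, not a usable key.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


# Constructed key pairs: the "vendor" key the boot ROM pins, and the key an
# Option ROM would try to substitute for it.
VENDOR = toy_keypair((1 << 61) - 1, (1 << 31) - 1)
ATTACKER = toy_keypair((1 << 19) - 1, (1 << 17) - 1)


def digest(image: bytes) -> int:
    """SHA-256 of the image truncated to 32 bits so it is below both moduli."""
    return int.from_bytes(hashlib.sha256(image).digest()[:4], "big")


def sign(image: bytes, key: tuple) -> int:
    n, _, d = key
    return pow(digest(image), d, n)


def verify(image: bytes, sig: int, pubkey: tuple) -> bool:
    n, e = pubkey
    return pow(sig, e, n) == digest(image)


@dataclass
class BootFlash:
    """Assumed model of the boot flash: the pinned key, the firmware image,
    and whether write-protect was asserted before any Option ROM executes."""
    pubkey: tuple
    image: bytes
    locked: bool = True

    def write_pubkey(self, pubkey: tuple) -> None:
        if self.locked:
            raise PermissionError("flash write-protected: key write rejected")
        self.pubkey = pubkey

    def apply_update(self, image: bytes, sig: int) -> bool:
        """The update routine: only images signed under the pinned key install."""
        if not verify(image, sig, self.pubkey):
            return False
        self.image = image
        return True


def run_option_rom(flash: BootFlash, key: tuple) -> bool:
    """Model of peripheral firmware running during a recovery boot and
    attempting to replace the pinned key. Returns True if the swap took."""
    try:
        flash.write_pubkey(key)
        return True
    except PermissionError:
        return False


def scenario(flash_locked: bool) -> dict:
    """Boot with the flash locked or unlocked, let the Option ROM run, then
    offer a vendor-signed update and an attacker-signed one."""
    flash = BootFlash(pubkey=VENDOR[:2], image=b"factory firmware",
                      locked=flash_locked)
    swapped = run_option_rom(flash, ATTACKER[:2])
    vendor_img = b"vendor firmware update"
    rogue_img = b"attacker firmware"
    return {
        "key_swapped": swapped,
        "vendor_update_accepted":
            flash.apply_update(vendor_img, sign(vendor_img, VENDOR)),
        "attacker_update_accepted":
            flash.apply_update(rogue_img, sign(rogue_img, ATTACKER)),
    }


if __name__ == "__main__":
    print("flash unlocked during Option ROM:", scenario(flash_locked=False))
    print("flash locked before Option ROM:  ", scenario(flash_locked=True))
```

With the flash unlocked the key swap succeeds, the genuine vendor update is now rejected and the attacker-signed image installs; with write-protect asserted first, the swap fails and the original check keeps doing its job. That ordering, locking the flash before any peripheral code can execute, is the property the article says the later Mac Mini and iMac firmware enforces.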
     
  2. megadunderhead

    megadunderhead Regular member

    Joined:
    Jan 14, 2012
    Messages:
    524
    Likes Received:
    2
    Trophy Points:
    28
    Garbage. I don't even think this is real, because Apple would have already patched the firmware on the devices in question if it was a real threat.

    On an interesting note, is this all you do on here? I am just curious, because you keep posting information to sites that are incorrect about their data or don't know what they are talking about.
     
  3. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,158
    Likes Received:
    134
    Trophy Points:
    143
    megadunderhead, shut up, as you are not the moderator on this site nor will you ever be one here.
     
  4. megadunderhead

    megadunderhead Regular member

    Joined:
    Jan 14, 2012
    Messages:
    524
    Likes Received:
    2
    Trophy Points:
    28
    Nor did I say I was one.

    The last 2 posts were from sites with false information about viruses on Mac that were garbage claims.

    I would just like more than one source; one source doesn't make it a fact, as you have told me several times.
     
