Display maid for os x
12/19/2023

Thunderstrike EFI bootkit FAQ

The Thunderstrike page has an overview of the vulnerability, and there is also a much longer annotated version of my 31c3 presentation. If your question isn't answered here, send email, preferably with PGP, and I'll do my best to add an answer to your question to the FAQ.

General

Is Thunderstrike "in the wild"?

To the best of our knowledge there are no Mac firmware bootkits in the wild, and Thunderstrike is only a proof of concept that does not carry any malicious payload.

Probably not, unless you're a certain type of high-value target. Rich Mogull's well-written two-part article lays it out nicely: Thunderstrike Proof-of-Concept Attack Serious, but Limited points out how unlikely such an attack is against normal users, and Your Risk Isn't My Risk describes how this sort of vulnerability could be used in a targeted attack. One of the best tl;dr descriptions was by Brian Donohue at Kaspersky in What You Should Know About the Thunderstrike Mac Bootkit:

    There is no room for doubt here: Thunderstrike, like all boot- and rootkits, is a nasty threat that can wrest control over everything you do on your computer. You can think of it as the Ebola of computer threats: catching the disease carries devastating consequences, but the likelihood of becoming infected is relatively small.

We have filed several Radar bugs with Apple over the past two years related to EFI vulnerabilities and have been in communication with them. They are preparing a fix for part of the vulnerability that will not load Option ROMs during a firmware update; it is described in the mitigation section of the talk. It is currently shipping for the iMac Retina and Mac Mini, and should be available soon for older systems. However, while this does prevent the Thunderstrike proof of concept from circumventing the signature process, the older MacBooks can still be subjected to a downgrade attack to a vulnerable firmware version. And the "Dark Jedi Sleep" attack from 31C3 might be usable against all Macs.

The APPLE-SA-4 OS X 10.10.2 and Security Update 2015-001 include in the change log:

    Available for: OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013)
    Impact: A malicious Thunderbolt device may be able to affect firmware flashing
    Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
    CVE-2014-4498 : Trammell Hudson of Two Sigma Investments

This change does prevent the current Thunderstrike proof of concept from rewriting the ROMs. The change log does not mention downgrade prevention, although media reports say that this boot ROM version will prevent rolling back to vulnerable versions. All pre-Yosemite machines remain vulnerable to Thunderstrike unless Apple releases firmware updates for them as well.

However, this firmware version is still vulnerable to Snare's 2012 attack against boot.efi, since these systems will continue to load Option ROMs from attached Thunderbolt devices during normal boots. This means that a customs official or other evil-maid attacker can still bypass firmware passwords and install backdoors into your system before OS X is started. Additionally, if the S3 "Dark Jedi Coma" attack can be launched from the Option ROM, then the boot ROM can be overwritten from a normal boot. To properly close the vulnerability for users concerned about the physical security of their systems, there needs to be a way to disable Thunderbolt's PCIe functions entirely.

Does anyone actually use evil-maid attacks?
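The FAQ observes that Apple's change log says nothing about downgrade prevention while media reports claim the new boot ROM refuses rollback. The following is an added example, not code from the FAQ, from Thunderstrike, or from Apple's updater, of the minimum version-comparison policy such rollback prevention needs: it parses boot ROM version strings assumed to follow the MODEL.VVVV.Bnn pattern of Apple boot ROM identifiers (the sample strings are constructed for the example, not real releases) and refuses an image that is older than the installed one, built for a different board, or malformed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative rollback-prevention check for boot ROM images.
 * Assumption (not from the FAQ): version strings look like "MBP111.0138.B17",
 * i.e. MODEL "." four hex digits "." "B" two hex digits. The strings used in
 * main() are constructed for this example, not real Apple releases.
 */

struct romver {
    char model[16];     /* board/model prefix, e.g. "MBP111" */
    unsigned version;   /* hex field after the first dot, e.g. 0x0138 */
    unsigned build;     /* hex field after "B", e.g. 0x17 */
};

/* Parse MODEL.VVVV.Bnn into *out; returns 1 on success, 0 if malformed. */
int parse_romver(const char *s, struct romver *out)
{
    const char *dot1 = strchr(s, '.');
    if (dot1 == NULL || dot1 == s || (size_t)(dot1 - s) >= sizeof out->model)
        return 0;
    const char *dot2 = strchr(dot1 + 1, '.');
    if (dot2 == NULL || dot2 - (dot1 + 1) != 4)
        return 0;
    if (dot2[1] != 'B' || strlen(dot2 + 2) != 2)
        return 0;
    for (const char *q = dot1 + 1; q < dot2; q++)
        if (!isxdigit((unsigned char)*q)) return 0;
    for (const char *q = dot2 + 2; *q != '\0'; q++)
        if (!isxdigit((unsigned char)*q)) return 0;

    memcpy(out->model, s, (size_t)(dot1 - s));
    out->model[dot1 - s] = '\0';
    out->version = (unsigned)strtoul(dot1 + 1, NULL, 16);
    out->build = (unsigned)strtoul(dot2 + 2, NULL, 16);
    return 1;
}

enum verdict {
    FLASH_OK = 0,             /* same or newer image for the same board */
    FLASH_REFUSE_DOWNGRADE,   /* image is older than what is installed */
    FLASH_REFUSE_MODEL,       /* image built for a different board */
    FLASH_REFUSE_MALFORMED    /* could not parse one of the strings */
};

/* Decide whether candidate may replace installed. An equal version is
 * allowed so that re-flashing the current image still works. */
enum verdict check_update(const char *installed, const char *candidate)
{
    struct romver cur, cand;
    if (!parse_romver(installed, &cur) || !parse_romver(candidate, &cand))
        return FLASH_REFUSE_MALFORMED;
    if (strcmp(cur.model, cand.model) != 0)
        return FLASH_REFUSE_MODEL;
    if (cand.version < cur.version)
        return FLASH_REFUSE_DOWNGRADE;
    if (cand.version == cur.version && cand.build < cur.build)
        return FLASH_REFUSE_DOWNGRADE;
    return FLASH_OK;
}

int main(void)
{
    static const char *names[] = {
        "ok", "refused: downgrade", "refused: wrong model", "refused: malformed"
    };
    const char *installed = "MBP111.0138.B17";   /* constructed sample */
    const char *candidates[] = {                  /* constructed samples */
        "MBP111.0139.B00", "MBP111.0120.B22", "IM141.0138.B17", "MBP111.138.B17"
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%s -> %s: %s\n", installed, candidates[i],
               names[check_update(installed, candidates[i])]);
    return 0;
}
```

A check like this only constrains images that go through the updater's own flash path. Code that reaches the SPI flash while it is unlocked, which is exactly the situation the S3 "Dark Jedi" issue creates, never consults it, so rollback prevention has to be enforced wherever the flash is actually writable, not just in the updater's policy.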