The more articles on IT security I read...
...the less secure I feel.
Researcher Trammell Hudson has developed a means to foist a new class of bootkits onto Macs, using Thunderbolt devices in a form of USB 'evil maid' attack. Hudson will present the finding at the upcoming Chaos Communications Congress in Germany next week and said the attacks are easy to perform using the Thunderbolt ports …
The attack could also infect Thunderbolt devices allowing it to quietly spread across network air-gaps.
Indeed, that would seem to be the primary use for such an attack. My question would then be how many organizations use Macs as the primary building block of their secure, air-gapped, networks? The other obvious worthwhile target is consumers, which calls into question the utility of such an attack as this would imply the need to recoup the costs of both the equipment and effort needed to carry it out.
I know a few places which use air-gapped Macs, for the same usual reasons: they are the front end onto some expensive science kit which has a six-month waiting list to use (two if you can bribe the tech to stay after 8pm). As for far too much other stuff, it requires you to have a very specific version of the OS, and usually no updating or much in the way of security. Thankfully USB drives are so cheap these days that the current method is that you MUST use a brand new stick each time.
Google does a fair bit of stuff using Macs as the base platform, but I'm unsure if anything they are doing needs to be gapped rather than secured other ways.
In general this falls under the "don't plug anything into the important machine" so should hopefully only be able to target those who aren't exercising the correct amount of paranoia for their position.
I would say that USB is a much better attack vector, mainly because you can modify a peripheral to have a USB drive stashed inside with your payload on it. Send someone a nice shiny mouse or keyboard and it'll end up plugged in without them checking with IT.
If you can touch it, you can own it. If you can get someone else to touch it for you, you can also own it.
This exploit needs physical access to the MacBook, viz. an infected TBolt drive to be connected via WIRE to the target system.
Wouldn't it be just as easy to walk out the door with it? (Apart from a 27in iMac Retina, that is.)
Another of the seemingly endless list of threats that might just possibly happen.
Now, if the drives themselves were somehow to contain this at point of manufacture then the fanbois can really start pissing themselves in their designed nappies.
Until then? Meh!
Not really. Your local Temple Of Apple Genius Bar Design Holiness is the obvious vector.
Put it on a Mac that you're having the non-replaceable SSD replaced on. Boom. Suddenly every "genius" is infected and every cultist pleasured by that "genius" is probably infected too.
Assuming the kit phones home (via at least seven proxies!) you just sit back and collect your nicked data, safe in the knowledge that all the machines you infected are owned by people who are not only wealthy but also too stupid to fix their own computers.
Agreed. Whilst research into closing off these vulnerabilities is always good, log this somewhere below unknown USB keys in the threat hierarchy.
If I had a farm of Mac Pros in an office somewhere I would be slightly more worried, but since my MBA rarely leaves my house or my sight when travelling I don't see this as a big risk.
Thunderbolt is pretty much a couple of PCIe lanes, DisplayPort, and a couple of other interfaces made external. I always get a little nervous when an external interface has DMA; a proper IOMMU can only block most attacks, and even then it can't block a peripheral from corrupting any other peripheral that uses the same memory area (such as other peripherals on the same chain).