Hack flings bootkits from Macs' Thunderbolts

Researcher Trammell Hudson has developed a means to foist a new class of bootkits onto Macs using Thunderbolt devices, in a form of the 'evil maid' attack. Hudson will present the finding at the upcoming Chaos Communications Congress in Germany next week and said the attacks are easy to perform using the Thunderbolt ports …

  1. Mitoo Bobsworth

    The more articles on IT security I read...

    ...the less secure I feel.

  2. Robert Helpmann??

    Thunderbolt devices used as spark gaps?

    The attack could also infect Thunderbolt devices allowing it to quietly spread across network air-gaps.

    Indeed, that would seem to be the primary use for such an attack. My question would then be how many organizations use Macs as the primary building block of their secure, air-gapped, networks? The other obvious worthwhile target is consumers, which calls into question the utility of such an attack as this would imply the need to recoup the costs of both the equipment and effort needed to carry it out.

    1. MonkeyCee

      Re: Thunderbolt devices used as spark gaps?

      I know a few places which use air-gapped Macs, for the same usual reasons: they are the front end onto some expensive science kit which has a six-month waiting list to use (two if you can bribe the tech to stay after 8pm). As for far too much other stuff, it requires you to have a very specific version of the OS, and usually no updating or much in the way of security. Thankfully USB drives are so cheap these days that the current method is that you MUST use a brand new stick each time.

      Google does a fair bit of stuff using Macs as the base platform, but I'm unsure if anything they are doing needs to be gapped rather than secured other ways.

      In general this falls under the "don't plug anything into the important machine" so should hopefully only be able to target those who aren't exercising the correct amount of paranoia for their position.

      I would say that USB is a much better attack vector, mainly because you can modify a peripheral to have a USB drive stashed inside with your payload on it. Send someone a nice shiny mouse or keyboard and it'll end up plugged in without them checking with IT.

      If you can touch it, you can own it. If you can get someone else to touch it for you, you can also own it.

  3. Steve Davies 3

    Well duh!

    This exploit needs physical access to the MacBook, viz. an infected TBolt drive to be connected via WIRE to the target system.

    Wouldn't it be just as easy to walk out the door with it? (Apart from a 27in iMac Retina, that is)

    Another of the seemingly endless list of threats that might just possibly happen.

    Now, if the drives themselves were somehow to contain this at point of manufacture then the fanbois can really start pissing themselves in their designed nappies.

    Until then? Meh!

    1. dogged

      Re: Well duh!

      Not really. Your local Temple Of Apple Genius Bar Design Holiness is the obvious vector.

      Put it on a Mac that you're having the non-replaceable SSD replaced on. Boom. Suddenly every "genius" is infected and every cultist pleasured by that "genius" is probably infected too.

      Assuming the kit phones home (via at least seven proxies!) you just sit back and collect your nicked data, safe in the knowledge that all the machines you infected are owned by people who are not only wealthy but also too stupid to fix their own computers.

      1. Medixstiff

        Re: Well duh!

        The Commonwealth Bank in Australia was crowing about rolling out Macs in their head office this year; that would be a nice target to try to attack.

    2. Gordon 10

      Re: Well duh!

      Agreed. Whilst research into closing off these vulnerabilities is always good, log this somewhere below unknown USB keys in the threat hierarchy.

      If I had a farm of Mac Pros in an office somewhere I would be slightly more worried, but since my MBA rarely leaves my house or my sight when travelling I don't see this as a big risk.

    3. Mark 65

      Re: Well duh!

      Perfect for spies and security services no?

      I'm wondering whether this, like the firewire vulnerability, can be blocked by the same method - I vaguely remember setting some sort of password for part of the BIOS, I think to do with updating.

  4. Anonymous Coward

    Nice headline

    Gallileo!

  5. bn562

    I'm happy they forced an update. Lately, my MacBook has been running slowly. Seriously, over time it had lots of tiny problems and I couldn't stand it.

  6. Frankee Llonnygog

    When the nice man fixes your Mac

    Check if he's wearing size 13 DMs

  7. Crazy Operations Guy

    Not surprising

    Thunderbolt is pretty much a couple of PCIe lanes, DisplayPort, and a couple of other interfaces made external. I always get a little nervous when an external interface has DMA; a proper IOMMU can only block most attacks, and even then it can't block a peripheral from corrupting any other peripheral that uses the same memory area (such as other peripherals on the same chain).
