Sorry Apple fans, your precious Macs are at risk -- beware of Thunderbolt-injected rootkits


Apple makes really great products; Mac computers included. I respect the closed garden and restrictive hardware from a quality perspective, but I take umbrage with the high prices and questionable business practices. While OS X may look pretty from the outside looking in, after playing with it for long periods of time, it becomes apparent that all which glitters is not gold. My interest in Apple's operating system was very short-lived, as Microsoft's Windows is just a superior product.

Apple promoters are quick to point out the safety and security of Macs, as Apple is less likely to be targeted by malicious software and contains fewer vulnerabilities. As the smart people know, however, OS X is only "safer", as it has a far smaller install base. In other words, because of its lack of popularity, bad guys pay less attention -- its increased safety and security is a myth. I hate to break it to you Apple fans, but it turns out your precious Macs are currently at risk. Comically, this vulnerability is found in Thunderbolt -- you know, that wildly unpopular standard that Apple seems to love, but its accessories are too costly for many users. True, some Windows machines have Thunderbolt, but it is mostly an Apple affair, and now the fruit-logo company's computers are vulnerable because of its method of implementation.


"It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple's EFI firmware update routines. This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems. There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it", says Trammell Hudson.

Hudson further explains, "our proof of concept bootkit also replaces Apple's public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker's private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the harddrive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware. Additionally, other Thunderbolt devices' Option ROMs are writable from code that runs during the early boot and the bootkit could write copies of itself to new Thunderbolt devices. The devices remain functional, which would allow a stealthy bootkit to spread across air-gap security perimeters through shared Thunderbolt devices".

Yikes. My colleague Mihaita touched on this earlier today; it is extremely embarrassing for Apple, and makes its computers highly susceptible to attack. Believe it or not, it is based on a two-year old vulnerability. What makes this particularly nasty, is that it doesn't matter if your computer is password protected; crafty hackers can simply wreak havoc by accessing your Thunderbolt port with a malicious device. Hell, malicious manufacturers can embed this in legitimate products, creating stealth-like hardware that users willingly install.

Does this make you trust OS X less? Tell me in the comments.

Photo CreditAngela Waye / Shutterstock

25 Responses to Sorry Apple fans, your precious Macs are at risk -- beware of Thunderbolt-injected rootkits

© 1998-2022 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.