Security researcher Trammell Hudson offers proof of concept

Jan 4, 2015 09:57 GMT  ·  By

A security researcher has published a proof of concept in which a custom-built Thunderbolt device infects the boot ROM of Thunderbolt-equipped MacBooks through Apple's implementation of the Extensible Firmware Interface (EFI). The user has no way to detect the compromise, and reinstalling the OS does not remove it.

Dubbed Thunderstrike, the attack relies on a custom-crafted malicious Thunderbolt device whose Option ROM is loaded and executed by the EFI firmware during boot; from there the code can write itself into the boot ROM flash. In a lengthy video posted to ccc-tv, Hudson demos how persistent firmware modifications can be written into the EFI boot ROM of MacBooks equipped with Thunderbolt ports.
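To make the Option ROM vector concrete, here is an added example, not Hudson's code and not part of the Thunderstrike research, that parses a PCI Option ROM image of the kind a Thunderbolt device hands to the firmware and reports whether it carries an EFI driver image. The header layout follows the PCI Firmware and UEFI specification structures (EFI_PCI_EXPANSION_ROM_HEADER and PCI_DATA_STRUCTURE). The two-image sample ROM, including its vendor and device IDs and class code, is constructed inline for illustration; on Linux a real image can be dumped by writing 1 to a device's /sys/bus/pci/devices/<BDF>/rom and then reading that file.

```python
"""Parse a PCI Option ROM and flag embedded EFI driver images.

Added example, not from the Thunderstrike research. Thunderstrike's entry point is the
EFI Option ROM a Thunderbolt device presents to the Mac's firmware at boot; this walks
the image chain in such a ROM so you can see what a device is offering. Layout per the
PCI Firmware / UEFI specs (EFI_PCI_EXPANSION_ROM_HEADER, PCI_DATA_STRUCTURE).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROM_SIGNATURE = 0xAA55        # first two bytes of every image
PCIR_SIGNATURE = b"PCIR"      # PCI Data Structure signature
EFI_ROM_SIGNATURE = 0x0EF1    # present at offset 4 of an EFI image header
CODE_TYPE_EFI = 0x03
INDICATOR_LAST_IMAGE = 0x80   # bit 7 of the PCIR Indicator byte

CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver"}
MACHINE_TYPES = {0x014C: "IA32", 0x8664: "x64", 0xAA64: "AArch64"}


@dataclass
class RomImage:
    offset: int          # byte offset of this image within the ROM
    length: int          # PCIR ImageLength * 512
    vendor_id: int
    device_id: int
    code_type: int
    last: bool           # PCIR Indicator bit 7 set
    efi_subsystem: Optional[int] = None
    efi_machine: Optional[int] = None
    efi_compressed: Optional[bool] = None

    @property
    def is_efi(self) -> bool:
        return self.code_type == CODE_TYPE_EFI and self.efi_subsystem is not None

    def describe(self) -> str:
        kind = CODE_TYPES.get(self.code_type, f"unknown code type {self.code_type:#x}")
        text = (f"image @ {self.offset:#06x} len {self.length} "
                f"vendor {self.vendor_id:04x}:{self.device_id:04x} type {kind}")
        if self.is_efi:
            text += (f" [{EFI_SUBSYSTEMS.get(self.efi_subsystem, self.efi_subsystem)}, "
                     f"{MACHINE_TYPES.get(self.efi_machine, hex(self.efi_machine))}, "
                     f"{'compressed' if self.efi_compressed else 'uncompressed'}]")
        return text + (" (last)" if self.last else "")


def parse_option_rom(blob: bytes, max_images: int = 16) -> List[RomImage]:
    """Walk the chain of images in an Option ROM; raise ValueError on malformed input."""
    images: List[RomImage] = []
    off = 0
    while len(images) < max_images:
        if off + 0x1A > len(blob):
            raise ValueError(f"image header at {off:#x} runs past end of ROM")
        if struct.unpack_from("<H", blob, off)[0] != ROM_SIGNATURE:
            raise ValueError(f"missing 0xAA55 signature at {off:#x}")
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]   # PcirOffset field
        if pcir + 24 > len(blob) or blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"bad PCI data structure for image at {off:#x}")
        (vendor, device, _rsvd, _plen, _rev, _c0, _c1, _c2,
         img_units, _crev, code_type, indicator) = struct.unpack_from("<HHHHB3BHHBB", blob, pcir + 4)
        length = img_units * 512
        if length == 0 or off + length > len(blob):
            raise ValueError(f"image at {off:#x} claims {length} bytes, ROM has {len(blob) - off}")
        img = RomImage(off, length, vendor, device, code_type, bool(indicator & INDICATOR_LAST_IMAGE))
        # Only an EFI image carries the 0x0EF1 signature plus subsystem/machine/compression fields.
        if code_type == CODE_TYPE_EFI and struct.unpack_from("<I", blob, off + 4)[0] == EFI_ROM_SIGNATURE:
            subsystem, machine, compression = struct.unpack_from("<HHH", blob, off + 8)
            img.efi_subsystem, img.efi_machine, img.efi_compressed = subsystem, machine, compression == 1
        images.append(img)
        if img.last:
            break
        off += length
    return images


def efi_images(blob: bytes) -> List[RomImage]:
    """Images the firmware's EFI driver loader would consider: what Thunderstrike rides on."""
    return [i for i in parse_option_rom(blob) if i.is_efi]


def build_image(code_type: int, units: int, last: bool, efi: Optional[Tuple[int, int, bool]] = None,
                vendor: int = 0x1234, device: int = 0x5678) -> bytes:
    """Constructed sample image (IDs and class code are made up, not a real device's ROM)."""
    buf = bytearray(units * 512)
    pcir_off = 0x40
    struct.pack_into("<H", buf, 0, ROM_SIGNATURE)
    struct.pack_into("<H", buf, 0x18, pcir_off)
    if efi is not None:
        subsystem, machine, compressed = efi
        struct.pack_into("<HIHHH", buf, 2, units, EFI_ROM_SIGNATURE, subsystem, machine, int(compressed))
        struct.pack_into("<H", buf, 0x16, 0x100)   # hypothetical EfiImageHeaderOffset of the PE/COFF driver
    else:
        buf[2] = units                              # legacy BIOS images keep their size at offset 2
    buf[pcir_off:pcir_off + 4] = PCIR_SIGNATURE
    struct.pack_into("<HHHHB3BHHBB", buf, pcir_off + 4, vendor, device, 0, 24, 0,
                     0x00, 0x00, 0x02,              # class code bytes: network controller
                     units, 1, code_type, INDICATOR_LAST_IMAGE if last else 0)
    return bytes(buf)


# Constructed two-image ROM: a legacy BIOS image followed by an x64 EFI boot service driver.
SAMPLE_ROM = (build_image(0x00, units=1, last=False)
              + build_image(CODE_TYPE_EFI, units=2, last=True, efi=(11, 0x8664, True)))

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(img.describe())
    print("EFI driver present:", bool(efi_images(SAMPLE_ROM)))
```

The parser reports what a device offers the firmware; it says nothing about whether the firmware locks the flash before running that driver, which is the part Thunderstrike exploits, and a hostile device can present whatever it likes, so treat this as triage rather than a defense.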

No way for you to fix it on your own

“The bootkit can be easily installed by an evil-maid via the externally accessible Thunderbolt ports and can survive reinstallation of OSX as well as hard drive replacements,” says the security researcher. “Once installed, it can prevent software attempts to remove it and could spread virally across air-gaps by infecting additional Thunderbolt devices.”

There is a lengthy analysis of the flaw over at trmm.net, also by Trammell Hudson. There he explains why replacing the hard drive has no effect on the bootkit: it lives in the boot ROM flash on the logic board and depends on nothing stored on the disk, so a clean reinstall of OS X cannot erase it either.

Apple knows

The only way to get rid of it is to restore the stock firmware, and because the bootkit controls the boot ROM it can block software attempts to reflash it (Hudson notes it can replace the RSA public key the firmware uses to verify updates, so Apple-signed updates are rejected); in practice that leaves a fix from Apple or reflashing the chip with a hardware programmer. In the lengthy FAQ, Hudson states that Apple is aware of the problem, and that he and other researchers have reported several related firmware bugs to the company over the past two years.

Hudson says Apple is preparing a fix, but only for part of the vulnerability, and whether the patch actually blocks the attack will need to be tested once it ships. Hudson's presentation is also available on YouTube.
