A serious security flaw for Macs has been revealed at the conference Chaos Communication Congress that allows a malicious person can install a so-called backdoor on a computer simply by briefly have physical access to it. Through a prepared Thunderbolt accessories, new firmware – called firmware – installed on your computer when it starts up and loads it is called Option ROM.
A functional concept of the attack was demonstrated at the conference by Trammell Hudson, who discovered the deficiency. Hudson is an employee of the US technology-related hedge fund Two Sigma Investments, where he worked to secure the fund’s own Macs. This malware has been named Thunder Strike, by installing it through the Thunderbolt port.
Not possible to identify an attack
There are no known examples of the attack used in the open, but there are in the current situation no way to detect such an attack. This is because the Thunder Strike has the ability to install code in Mac’s EFI firmware by updating it. EFI (Extensible Firmware Interface) is the most basic program that runs when the computer starts, and is responsible for loading including accessories such as monitor, keyboard and built-in memory and other processes before the actual operating system is loaded.
The installed code replaces the encryption key that Macs use to verify that only approved firmware is installed. Thereafter, the connected Thunderbolt device to install firmware that can not be easily removed by someone who does not have the new encryption key. Since the malicious code is in the firmware, it will remain even after a reinstall of the operating system or even a hard drive formatting.
To install the Thunder Strike on one computer, thus nothing more than a few seconds of physical access to the computer. Although the machine is locked with a password is only required a reboot. Neither a firmware password or encryption with FileVault protects because the installation of option ROM occurs before these loaded by the computer.
The attack is installed through the Thunderbolt port.
Image: Trammel Hudson
Can be used by the NSA
Trammell Hudson’s presentation of Thunder Strike is available as a YouTube video, in which Hudson describes in detail the process. According to him, it is also easy to imagine how the Thunder Strike could be applied, for example, the US intelligence community NSA. Edward Snowden has previously revealed how the NSA can open the packets containing computer equipment sent by post. The NSA can open the package, modify the equipment and pass it on.
Another possible scenario is a walkaway computer in a hotel room, where agents can act staff and strike at the computer while they change Towels, says Hudson. Checks at border customs is another situation where computers often leaves the owner’s hands temporarily, and something that can not protect themselves against any efficient way.
Trammell Hudson says it’s Mac computers from 2011 onwards which are vulnerable to the attack, which was when Thunderbolt ports began to appear. He has tested six or seven different models.
Hudson has been in contact with Apple about the problem and say they have released an update to the latest Mac models Imac 5K and the new Mac Mini to Option ROM can no longer be installed during the update of the firmware. This update will also soon be released for older Macs.
This protects against Thunder Strike in its present version, but the computers could still be vulnerable to other variants, as Option ROM still be charged under a normal startup. Older Macs can still be attacked by an older version of the firmware is installed, which is susceptible to Thunder Strike.
A more drastic protection against attacks is to paste back the Thunderbolt port on their computer. This hinders access, but also of course to the Thunderbolt port can not be used for any other purpose.
No comments:
Post a Comment