Macs Vulnerable To Virus That Can't Be Removed

But...but...but....I thought stuff like this was impossible on a Mac?

A security researcher has discovered a way to infect Macs with malware that is virtually undetectable, that 'can't be removed,' and that can be installed using a modified Apple Gigabit Ethernet Thunderbolt adapter.
 
"Can't be removed"?
TFA said:
it is incredibly hard to remove.

If it can be flashed, it can be re-flashed. This is a hardware attack that operates pre-OS. The same attack would work on a Windows system, a UNIX system, etc.
 
This shouldn't be just a Mac problem. It's clickbait.

It's a Thunderbolt problem in general.
 
... He's modifying the firmware on the machine by including a custom option ROM to run, on a physical device that you hook into the machine. I mean yeah that's some badly coded firmware by Apple, but the alternative is... what? Some kind of signing?

I mean the tl;dr of this is don't buy any Thunderbolt devices from China or something. I'm just kind of curious as to why Apple thought that the Thunderbolt slot needed the ability to literally add arbitrary firmware to the machine. I mean for one, isn't the ROM module usually fairly low capacity? If code can be added to it that easily, then it can run out of space simply by the user swapping out enough Thunderbolt devices by default.

I don't see why this made such a big headline aside from some reporter being desperate. Because this isn't an easy attack to carry out, at all. For a virus to do this... it would have to... what, reflash the firmware on a Thunderbolt-attached device through the OS and then use the device to reflash the computer? I don't know much about Macs so I'm not even sure how the hell they'd go about that.
 
I don't see why this made such a big headline aside from some reporter being desperate. Because this isn't an easy attack to carry out, at all. For a virus to do this... it would have to... what, reflash the firmware on a Thunderbolt-attached device through the OS and then use the device to reflash the computer? I don't know much about Macs so I'm not even sure how the hell they'd go about that.
It's not a virus attack, it's a physical attack. All you have to do is plug in the weaponized device and reboot the computer.

They talk about the "evil maid" attack, as well as government agencies intercepting the hardware and plugging it in.
 
Requires physical access to my computer. Meh.

Compared to Windows drive-by infections while visiting a random website this doesn't seem awfully worrying :D
 
Yes, at this time you need physical access to use this exploit, which is called Thunderstrike. This would be an issue when, say, a government is in possession, however briefly, of your Mac, such as when you travel, or if you leave it behind in your motel room and a secret agent wants to... oh, this is going all Hollywood now, isn't it?

What is somewhat more of a concern is if an attack dubbed Dark Jedi (therefore making it impossible to web search for, here you go) combined with Thunderstrike allowed for remote attacks on Mac firmware, but if Dark Jedi attacks end up being successful enough to take off in the wild, anyone with a UEFI Intel board would be having a big damned problem, not just Apple.
 
It's not a virus attack, it's a physical attack. All you have to do is plug in the weaponized device and reboot the computer.

They talk about the "evil maid" attack, as well as government agencies intercepting the hardware and plugging it in.

That's what I kind of meant: I don't see how a virus could essentially hijack the firmware of a Thunderbolt-connected device. This seems like it's only possible if used physically. Which means this topic name is horribly misleading and just clickbait. This article basically seems to be saying that the software on the Mac ROM chip essentially just asks if the Thunderbolt-connected device's firmware has anything it wants to run (as I understand it) at boot time. It's basically doing an eval on arbitrary code.

Though, you do have to consider that many devices, ethernet devices and routers especially, allow some kind of software-based firmware update. If that process can be hijacked by a virus that knows the ins and outs of it, I guess they could do it? Shrug.
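The boot-time walk described in the post above, and the "some kind of signing?" alternative raised earlier in the thread, as an added example that is not code from the thread, from Apple, or from Trammell Hudson's work. It builds a small PCI expansion ROM in the public header layout (0x55AA image signature, PCIR data structure, one legacy x86 image chained to one EFI image), parses it the way boot firmware does, and contrasts a naive dispatch that runs every EFI image it finds with one that refuses anything not on an allow-list of SHA-256 image hashes. The allow-list stands in for a real signature check; the ROM bytes, vendor/device IDs and payloads are all constructed here:

```python
"""Walk a PCI expansion ROM the way boot firmware does, then decide what to run.

Constructed example.  Header layouts follow the public PCI expansion ROM /
UEFI option ROM formats; the ROM bytes are assembled in this file, and the
allow-list of SHA-256 image hashes is a stand-in for signature verification.
"""
import hashlib
import struct

ROM_SIGNATURE = 0xAA55   # bytes 55 AA at offset 0 of every image
EFI_SIGNATURE = 0x0EF1   # dword at offset 4 marks an EFI image header
CODE_TYPE_X86 = 0x00     # PCIR code type: legacy x86 BIOS code
CODE_TYPE_EFI = 0x03     # PCIR code type: EFI driver (PE/COFF)
# PCIR: signature, vendor, device, device-list ptr, struct length, struct
# revision, class code, image length (512-byte units), code revision,
# code type, indicator (bit 7 set on the last image of the chain)
PCIR_FMT = "<4sHHHHB3sHHBB"


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


def build_image(code_type, payload, vendor=0x1234, device=0x5678, last=True):
    """Assemble one ROM image: header at 0, PCIR at 0x40, payload at 0x80.
    Vendor/device IDs are placeholders, not a real adapter's."""
    pcir_off, body_off = 0x40, 0x80
    total = 512 * ((body_off + len(payload) + 511) // 512)
    img = bytearray(total)
    struct.pack_into("<H", img, 0x00, ROM_SIGNATURE)
    struct.pack_into("<H", img, 0x02, total // 512)          # init size
    if code_type == CODE_TYPE_EFI:
        struct.pack_into("<I", img, 0x04, EFI_SIGNATURE)
        struct.pack_into("<H", img, 0x16, body_off)          # -> EFI image
    else:
        img[0x03:0x06] = b"\xe9\x00\x00"                     # legacy entry: jmp
    struct.pack_into("<H", img, 0x18, pcir_off)
    struct.pack_into(PCIR_FMT, img, pcir_off, b"PCIR", vendor, device, 0,
                     0x18, 3, b"\x00\x00\x02", total // 512, 0, code_type,
                     0x80 if last else 0)
    img[body_off:body_off + len(payload)] = payload
    return bytes(img)


def parse_images(rom):
    """Return [(offset, code_type, image_bytes)] for every image in the chain,
    refusing malformed headers instead of trusting whatever the device says."""
    images, off = [], 0
    while True:
        if off + 0x1A > len(rom) or struct.unpack_from("<H", rom, off)[0] != ROM_SIGNATURE:
            raise ValueError(f"no valid ROM image header at {off:#x}")
        p = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if p + struct.calcsize(PCIR_FMT) > len(rom):
            raise ValueError(f"PCIR pointer at {off:#x} points past the ROM")
        fields = struct.unpack_from(PCIR_FMT, rom, p)
        if fields[0] != b"PCIR":
            raise ValueError(f"PCIR structure missing at {p:#x}")
        size, code_type, indicator = fields[7] * 512, fields[9], fields[10]
        if size == 0 or off + size > len(rom):
            raise ValueError(f"image at {off:#x} claims {size} bytes, ROM has {len(rom)}")
        images.append((off, code_type, rom[off:off + size]))
        if indicator & 0x80:
            return images
        off += size


def naive_dispatch(rom, platform_code_type=CODE_TYPE_EFI):
    """What the post describes: run every image matching the platform's type.
    Returns the hashes of the images that would be executed."""
    return [sha256hex(img) for _, ct, img in parse_images(rom)
            if ct == platform_code_type]


def verified_dispatch(rom, allowed_hashes, platform_code_type=CODE_TYPE_EFI):
    """Same walk, but execute only allow-listed images. Returns (run, refused)."""
    run, refused = [], []
    for _, ct, img in parse_images(rom):
        if ct != platform_code_type:
            continue
        h = sha256hex(img)
        (run if h in allowed_hashes else refused).append(h)
    return run, refused


# Constructed sample: a legacy x86 image chained to an EFI image, the layout
# of a dual-mode network adapter's ROM.  TAMPERED_ROM is the same adapter
# with its EFI image replaced by one the vendor never signed.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
BENIGN_EFI = build_image(CODE_TYPE_EFI, PE_STUB, last=True)
ROGUE_EFI = build_image(CODE_TYPE_EFI, PE_STUB + b"evil", last=True)
LEGACY_IMG = build_image(CODE_TYPE_X86, b"\xcb", last=False)   # retf
SAMPLE_ROM = LEGACY_IMG + BENIGN_EFI
TAMPERED_ROM = LEGACY_IMG + ROGUE_EFI
ALLOW_LIST = {sha256hex(BENIGN_EFI)}

if __name__ == "__main__":
    print("naive firmware runs:   ", naive_dispatch(TAMPERED_ROM))
    print("verifying firmware:    ", verified_dispatch(TAMPERED_ROM, ALLOW_LIST))
```

Run as a script it shows the naive walk happily handing the rogue EFI image to the CPU while the verifying walk reports it as refused. A real implementation would check a vendor signature over the image rather than a fixed hash set, but the control point is the same: the decision has to happen in the boot ROM before the option ROM's entry point is called, because after that the device's code is running with the firmware's privileges.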
 
That's what I kind of meant: I don't see how a virus could essentially hijack the firmware of a Thunderbolt-connected device. This seems like it's only possible if used physically. Which means this topic name is horribly misleading and just clickbait.
Sure, it's not really a virus at all, it's a bootkit. Similar to how the vast majority of Windows malware consists of trojans and not viruses even though they are often called that.
 
Sure, it's not really a virus at all, it's a bootkit. Similar to how the vast majority of Windows malware consists of trojans and not viruses even though they are often called that.

You can correct me if I'm wrong, but I believe "bootkits" modify the master boot record on the HDD? BIOS option ROM extensions load before even that. I think these links talk about them:
http://en.wikipedia.org/wiki/BIOS#Extensions_.28option_ROMs.29
http://en.wikipedia.org/wiki/Master_boot_record#System_bootstrapping

Also if you google bootkits, they specifically define it as modifying the MBR, not a ROM extension.

Heck, here's a PDF about this type of attack (there are also other mentions of it if you google "option ROM malware" or something):
https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf
 
The proper term for this kind of exploit would apparently be "firmware rootkit", as seen in the wikipedia entry for rootkit.

Okay, that's boring. How about we call it a firmkit, or... a footkit? There we go, I'd like to see a news anchor stumble over footkit and incur a fine from the FCC.
 
Similar to the Windows USB exploit, except Apple will have a more difficult time patching this since it is a boot ROM exploit. I wouldn't expect Apple to fix this anytime soon.
 
Yeah, uhm, people with classified/confidential data always use Windows or Linux, because you can't actually get any real work done with Macs. What are they gonna hack from those useless slabs? Steve Jobs biographies? Kiddie porn? Weed?
 
to be fair, this is already patched.

And it is simply a proof of concept, not out in the wild.

Oh, and you need physical access...
 
to be fair, this is already patched.

And it is simply a proof of concept, not out in the wild.

Oh, and you need physical access...
It's not really patched... more like Apple did a tweak / workaround. Apple can't fix the issue without adding a TPM chip / hardware back onto their main boards, and just disabling PCIe Thunderbolt is not a real solution... Re-flashing won't really work.
Apple and anyone not running some kind of hardware TPM solution need to really step up... because at the moment these hacks are a long process to get to production and implementation; you have to have some kind of Thunderbolt cable or added hardware to plug into the device at boot, but in the right / wrong hands someone could develop a way to have this become remotely installable... The author of this thinks it could be done remotely and be worse than Stuxnet, and as stated on his page and in an earlier post here there is the whole Dark Jedi attack and this as a combo thing.

The 31C3 video of the whole talk about this is 60+ minutes long... or go to the website where Trammell Hudson talks about the whole process in lots of detail.
Page
https://trmm.net/Thunderstrike_31c3

Video https://www.youtube.com/watch?v=5BrdX7VdOr0
There are two things: this person did his own hack, and the 2012 Thunderstrike exploit.
 
"Can't be removed"?


If it can be flashed, it can be re-flashed. This is a hardware attack that operates pre-OS. The same attack would work on a Windows system, a UNIX system, etc.

Except it can't because the exploit is using DMA access and specifics of the Mac hardware. This is an Apple problem.
 
The real virus is Mac users.

I really have to applaud this post. I'm serious. This level of trolling isn't easy to find anymore. The subtle, sneaky comment that's slipped in like this. Just enough to piss quite a few people off, but just enough to not draw too much attention.

Hats off to you sir.
 