You can watch Hudson’s entire presentation and read an annotated version of the talk, but the gist is that the attack takes advantage of a flaw in how Apple’s EFI firmware handles Option ROMs on Thunderbolt devices: code from a malicious device’s Option ROM is executed early in the boot process, and that code can be used to write custom firmware, such as a bootkit, into the Mac’s boot ROM. The Option ROM weakness was first disclosed in 2012. Hudson’s proof of concept goes a number of steps further (past attempts to exploit the flaw by writing new code to the ROM at boot left researchers with bricked machines).
Ultimately, it shows that an attacker with physical access to the Thunderbolt port could install a custom bootkit. The bootkit could also write itself into the Option ROM of any other Thunderbolt device plugged into the infected machine, so it could spread from Mac to Mac through shared peripherals rather than over a network.
The scary thing is that the bootkit lives in the boot ROM flash, not on the disk, so the attack can’t be undone by re-installing OS X or swapping out the hard drive.
Hudson even showed that he could replace the public key Apple’s firmware uses to verify signed firmware updates with a key of his own, which would cause future legitimate firmware updates to fail verification and be rejected, while updates signed with the attacker’s key would be accepted.
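The key-swap described above is easier to reason about with a small model of a signed firmware update. The following Go program is an added example, not code from Hudson’s talk or from Apple’s firmware: it models a boot ROM as code plus an embedded vendor public key, verifies updates against that key, and then shows what happens once an attacker with write access to flash replaces the key. The image layout, the `FirmwareImage` and `UpdatePackage` types, and the use of Ed25519 (rather than the RSA scheme real Mac firmware uses) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// FirmwareImage is a hypothetical model of the contents of the boot ROM flash:
// the firmware code plus the public key the updater trusts. Real Apple
// firmware is laid out differently; this is only for illustration.
type FirmwareImage struct {
	Code      []byte
	VendorKey ed25519.PublicKey
}

// UpdatePackage is a hypothetical signed firmware update.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate produces an update signed with the given private key
// (the vendor's key for a genuine update, the attacker's for a malicious one).
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// ApplyUpdate checks the update against whatever key is currently embedded in
// flash and only replaces the code if the signature verifies. It returns the
// resulting image and whether the update was accepted.
func ApplyUpdate(fw FirmwareImage, upd UpdatePackage) (FirmwareImage, bool) {
	if !ed25519.Verify(fw.VendorKey, upd.Payload, upd.Signature) {
		return fw, false
	}
	fw.Code = upd.Payload
	return fw, true
}

// ReplaceVendorKey models the Thunderstrike step: code that already has write
// access to the boot ROM overwrites the trusted public key with its own.
func ReplaceVendorKey(fw FirmwareImage, attackerKey ed25519.PublicKey) FirmwareImage {
	fw.VendorKey = attackerKey
	return fw
}

// Outcome records which updates the firmware accepts before and after the swap.
type Outcome struct {
	GenuineBeforeSwap  bool
	GenuineAfterSwap   bool
	AttackerAfterSwap  bool
}

// RunScenario walks through the whole sequence with freshly generated keys
// (constructed sample data, not real vendor or attacker keys).
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	fw := FirmwareImage{Code: []byte("factory firmware v1"), VendorKey: vendorPub}
	genuine := SignUpdate(vendorPriv, []byte("vendor firmware v2"))
	malicious := SignUpdate(attackerPriv, []byte("attacker firmware"))

	var out Outcome
	// Before the attack a vendor-signed update installs normally.
	fw, out.GenuineBeforeSwap = ApplyUpdate(fw, genuine)

	// The bootkit swaps the embedded key; nothing else in the image changes.
	fw = ReplaceVendorKey(fw, attackerPub)

	// The same vendor-signed update now fails verification and is rejected,
	// so the legitimate fix can never be installed through the normal path...
	_, out.GenuineAfterSwap = ApplyUpdate(fw, genuine)
	// ...while an attacker-signed update is accepted as if it were official.
	_, out.AttackerAfterSwap = ApplyUpdate(fw, malicious)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine update accepted before key swap: %v\n", out.GenuineBeforeSwap)
	fmt.Printf("genuine update accepted after key swap:  %v\n", out.GenuineAfterSwap)
	fmt.Printf("attacker update accepted after key swap: %v\n", out.AttackerAfterSwap)
}
```

The point the model makes is that the update mechanism’s trust is anchored in a key stored in the same flash the attacker can now write, so once the key is swapped the verifier faithfully enforces the attacker’s policy instead of Apple’s. That is why a software-only firmware update cannot be relied on to remove the bootkit, and why a root of trust that the attacker cannot overwrite matters.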
Apple has already patched part of the vulnerability in the most recent Mac mini and on the iMac with 5K Retina Display.
That said, this sort of vulnerability highlights that computer security is as much about controlling physical access to a machine as it is about passwords and hardened software.