How serious is Thunderstrike?
Published January 19th, 2015 at 10:59 AM EDT , modified January 29th, 2015 at 4:54 AM EDT
A few weeks ago, Trammell Hudson demonstrated a way to permanently infect a Mac’s firmware using an exploit involving the Thunderbolt port on recent Macs. A lot of excellent information has already been written about this, such as Rich Mogull’s Thunderstrike article in TidBITS. Although I can’t really provide any additional information, I can at least give readers my own perspective.
First, it’s important to understand what Thunderstrike is. It is an exploit in which a malicious Thunderbolt device, such as a modified Thunderbolt Gigabit Ethernet adapter, is connected to the target Mac. The attacker simply connects the malicious device and reboots the computer, and that’s it: the firmware has been modified. Worse, the modification can be made in such a way that it would be very hard to detect and impossible to reverse through ordinary firmware updates.
Obviously, this is a very tempting method to use for “evil maid” attacks, in which a malicious person has temporary access to your computer. However, another aspect of this exploit means it could spread virally. A theoretical Thunderstrike virus could infect any Thunderbolt devices connected to a compromised Mac. Thus, such a virus could spread through infected Thunderbolt devices that get shared between computers.
Fortunately, there are no known Thunderstrike exploits in the wild. Of course, that doesn’t necessarily mean anything, since such an exploit would take time to be detected, and would probably be used sparingly. Apple has fixed the issue in the hardware of some recent Macs, and is reportedly working on a firmware update to fix it in older Macs.
However, that firmware update would not provide full protection, as an attacker could potentially perform an additional step to downgrade the firmware to a vulnerable version and then install the exploit. This means that any Mac with vulnerable hardware will continue to be vulnerable, regardless of firmware updates. The only way to prevent such an exploit on a vulnerable Mac would be to modify the hardware somehow (voiding the warranty) or to maintain tight control of the machine so that no untrusted Thunderbolt device is ever connected.
Most people will never be affected by any Thunderstrike exploits that end up appearing in the wild. However, in certain situations, you simply cannot predict whether a Thunderstrike attack might be used. Remember that there are two possible scenarios:
- Unmonitored physical access to the computer by a malicious individual
- Restarting the computer while connected to an infected Thunderbolt device
For example, if you have to hand over your laptop in customs while traveling, a malicious customs agent could easily install an exploit. In the second case, if you connect to something like a shared Thunderbolt projector, you could potentially end up infected by a future Thunderstrike virus. It’s very unlikely that these situations would lead to an exploit at this time, but not impossible, and it may become more likely in the future.
My advice would be to keep your Mac close, or locked up in a safe environment, at all times. If your home is not a safe environment, due to a malicious roommate or hostile spouse or relative, take it with you any time you leave. If you plan to travel internationally, don’t take a Thunderbolt-equipped Mac with you. Find an older Mac without Thunderbolt, put what you need for your travels on it and take that instead. If you need to leave a Mac unattended in a hotel room, lock it up somehow, either in a locking case or in the hotel safe. Do not connect it to unfamiliar Thunderbolt devices, or if you must do so, be sure not to restart the computer while such a device is connected.
Some people have suggested putting epoxy in the Thunderbolt ports. This is not a solution I would recommend, since it will permanently ruin those ports. Still, for people in high-risk positions who are okay with destroying part of their computer’s hardware, this would be one option. It’s important to understand, though, that such a technique does not nullify other threats involving physical access, such as potential access to any unencrypted data on the hard drive.
It’s important to remember that Thunderstrike is just the latest threat to your security, and just as the danger of this threat should be neither overstated nor understated, it’s also important to remain vigilant against other threats. Keep in mind that you are the biggest weak point in your computer’s security, and knowing what the threats are and how to avoid them is a big part of staying safe.
Tuesday, January 27, 2015 @ 3:30 pm EST: Mac OS X 10.10.2 has been released by Apple. Supposedly, this update contains a fix for the Thunderstrike vulnerability, and also prevents rollback of the firmware in order to install Thunderstrike on older, vulnerable firmware. Unfortunately, I’m relying entirely on third-party reports for this information, as Apple’s security updates page still has no information about the update. (That’s an annoying habit Apple has gotten into lately: that information has consistently lagged behind the availability of the updates.)
I have sent an e-mail to Trammell Hudson to get his opinion on this update. I’ll add more here when I know more.
…a little later: Apple has posted the information about Security Update 2015-001, and Trammell Hudson has gotten back to me. He reports in an update in the FAQ on his Thunderstrike page that this update does indeed prevent the Thunderstrike attack, though he also points out that the documentation makes no mention of the supposed rollback prevention feature that some media outlets have talked about. Is it there, but just undocumented, or were the folks writing for those media outlets smoking something? Unknown at this point.
Thursday, January 29, 2015 @ 5:00 am EST: A detail I didn’t notice before: the update that fixes the Thunderstrike vulnerability was only made available for machines running Yosemite. Vulnerable Macs running older versions of Mac OS X remain vulnerable! If you have a Mac with Thunderbolt and an older system, it would be wise to upgrade to Yosemite as soon as you can, if you are able to.