Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

What You Need to Know About the Thunderstrike 2 Worm

Wired has reported on new research being presented at this week’s Black Hat security conference on a proof-of-concept Mac worm that could spread through the Mac’s firmware, rather than software. While Wired’s piece makes this sound like a super worm capable of leaping through air gaps and infecting the world’s Macs, the reality is more mundane. The research itself is excellent and fascinating work from Trammell Hudson and Xeno Kovah, and as always we hope Apple patches all the flaws quickly, but this isn’t something most Apple users need to lose any sleep over.

Here are the answers to your most pertinent questions about this vulnerability.

What is Thunderstrike 2?

Thunderstrike 2 is the name of a new attack on Mac firmware that has evolved from the Thunderstrike research we discussed back in “Thunderstrike Proof-of-Concept Attack Serious, but Limited” (9 January 2015), also originally created by Trammell Hudson. The new version can infect a Mac’s firmware from malicious Web sites, email messages, and other common vectors. It will then hide in the firmware and replicate itself to any vulnerable connected hardware, including Thunderbolt network adapters and external hard drives.

The key difference from the original Thunderstrike is that the attack works through a malicious Web page, and once on the vulnerable Mac, infects any attached Thunderbolt device, which can then infect other vulnerable Macs. But don’t worry, this is self-limiting. It only works on Thunderbolt devices, and affects only vulnerable Macs.

Am I vulnerable?

Probably not. OS X 10.10.4 Yosemite breaks the proof-of-concept demonstration. That doesn’t mean Macs are immune from firmware attacks, but it does mean the current attack demonstration won’t work on Macs running the latest version of Yosemite.

Wait, this is just a demonstration? It isn’t being used for real yet?

That’s right. The researchers are the good guys, and this is just a proof-of-concept demonstration they wrote to show at the Black Hat security conference. Although firmware attacks have been seen in the wild (as reported by ThreatPost), they are very uncommon and typically used in advanced attacks, often against government-level targets.

Is this a new vulnerability?

Yes and no. The concept is based on earlier firmware vulnerabilities. According to articles, five new vulnerabilities were reported to Apple after the original Thunderstrike proof of concept. Of those, one has been patched, one has been partially patched, and three more are still being dealt with.

However, Apple also added code to block an attack from a Web page (or other software) from infecting the firmware. It may still be possible to attack the Mac’s firmware if the bad guy can gain physical access, but you don’t have to worry about your firmware becoming infected because you browsed to the wrong Web site.

So someone can infect me with a USB drive, the way Iranian nuclear reactors were infected with Stuxnet?

No. This attack relies on Thunderbolt, which connects to your Mac in a different way than USB. It works only with Thunderbolt devices like network adapters and storage drives. That USB drive the nice NSA recruiter handed you is totally safe. Well, safe from Thunderstrike.

Can this worm jump air gaps like Wired says?

An air gap is a technique of protecting a sensitive system by unplugging it from any network and accessing it only directly or by hand-loading data from portable storage.

Thunderstrike 2 doesn’t magically jump air gaps. Someone needs to take an infected device and connect it to the air-gapped computer. If you’ve watched any hacker movie or TV show, you know this is a real way of attacking systems. But it isn’t the sort of thing average Mac users need to worry about, and those in secure environments already know to be careful (although they may still make mistakes).

Is Thunderstrike really a software worm?

A worm is software that spreads automatically from computer to computer without human interaction. In this case, an infected computer will infect something known as the option ROM on any vulnerable Thunderbolt device that’s attached. Then that device can infect any computer it’s connected to, and so on.

Yes, it’s a worm, and that’s the most interesting part of the research. But especially with the new patch in place, and the generally limited use of Thunderbolt, it would be hard for even a malicious version of this attack to spread very far.

Why are firmware attacks so bad?

Firmware is embedded in the hardware of your computer and runs below the level of the operating system. Thus, firmware infections can be invisible to any normal security detection or removal tools, and even swapping out the hard drive won’t eliminate the infection (you’d have to replace the logic board). Firmware attacks are extremely serious, persistent attacks when they work, but Apple and other computer manufacturers are working hard to make these already-difficult attacks even harder.

How can a network dongle infect my computer?

There are a bunch of different ways of connecting peripherals to computers. Most, like Thunderbolt, connect the device directly to special hardware chips in the computer that further connect to the processor and memory. This direct access is how manufacturers are able to make fast external hard drives and other devices; they “skip” the operating system and allow the computer to access the external hardware directly, just as if it were built in.

To make this possible, there is a little bit of software on a chip in the device that talks to special software on the chips in your computer, and all software can have vulnerabilities. Firmware attacks find vulnerabilities that enable them to overwrite the firmware on the chips in your computer, where they hide their malicious code (or, in this case, demonstration code). That firmware can then compromise the firmware on new, clean devices that are connected later on.

Firmware needs to be changeable, because the software embedded in it is never perfect and needs to be updated. This flexibility creates opportunities for attackers. Happily, Intel is adding features within the chips to make this a lot harder for attackers, and operating system vendors like Apple are adding their own protections.

What about the new USB-C port on the 12-inch MacBook?

USB is a different technology from Thunderbolt. While it might have its own vulnerabilities, Thunderstrike 2 doesn’t work with USB. USB-C is not vulnerable to this particular attack.

Is there anything I need to do?

No, nearly everyone can ignore Thunderstrike 2 entirely. The research really is excellent, compelling work that the Wired piece unfortunately turned into a bit of a fright-fest. The Web attack vector, in particular, is blocked in OS X 10.10.4. The worm can’t automatically jump air gaps — those in sensitive environments can easily protect themselves by being careful where they source their Thunderbolt devices, and this entire family of firmware attacks is likely to become a lot more difficult as hardware improves, and as device manufacturers update their firmware code.

I have no doubt similar attacks will continue to be used, especially against high-value targets, but the economics make it highly unlikely this is something we will ever see used at scale against consumers.

As I wrote this, I was at the Black Hat security conference (teaching a cloud security class). If you’ve noticed an uptick of security stories the past couple of weeks, that’s because Black Hat is one of the big research events where new and interesting vulnerabilities and attacks are made public. Some media outlets get carried away and forget to include the necessary context in their articles to help readers decide if they are personally at risk. This is unfortunate, since it detracts from the importance of security research and, at times, even makes security researchers seem like the bad guys attacking our computers.

This research plays an extremely valuable role in helping keep us all safe. Finding problems before the bad guys do, and reporting those problems to the vendors (as these researchers did to Apple), helps keep us all safer going forward. But when the research is reported by the media without sufficient context, it creates unwarranted fear. This is one of those situations where high-quality research is being blown out of proportion for page views. I suppose it’s still better than watching political ads.


Comments about What You Need to Know About the Thunderstrike 2 Worm

Thomas_U (TidBITS Contributor) 2015-08-04 12:56
Thanks for this overview!
Bruce M Herman  2015-08-04 18:35
What is the status of Mavericks with respect to this problem? Also, if one upgrades now from Mavericks to Yosemite 10.4.4, does the OS installation examine the firmware to determine if it has been attacked?

Thanks for an excellent article!
Tom Van Vleck  2015-08-04 19:05
Does setting a firmware password protect against this attack?
Adam Engst (TidBITS Staffer) 2015-08-05 12:09
It doesn't help with the original Thunderstrike attack, so I doubt it will here either.
Anthony 2015-08-04 22:14
My 2010 Mac is running on 10.8.5 and I am close to illiterate when it comes to computers. I had endless problems using PCs but since using Macs for the last 8 years I've had zero problems.

Any suggestions as to what I need to do to protect my beloved little Mac? (including doing nothing)

Many thanks to all of you much smarter-than-me people. Cheers.
Curtis Wilcox (Friend of TidBITS) 2015-08-05 06:48
You should do nothing, this is just another demonstration of what's possible. All Intel-based Macs have the same kind of firmware for booting and these researchers have demonstrated how it's possible to alter that firmware through malicious code online. However, Mac firmware keeps changing and an attack on one version may not work on another. Importantly for your Mac in particular, it's too old to have Thunderbolt at all so its firmware can't be altered that way or serve as a vector. There's also a very good chance that any firmware-altering code would assume Thunderbolt support and would fail on your Mac.
Is it true that the wifi credentials are kept in NVRAM to be used by EFI Internet Recovery and by Find My Mac? Does NVRAM also hold portions of my keychain? Is it possible to access this information with this worm?
Adam Engst (TidBITS Staffer) 2015-08-05 15:28
Thunderstrike 2 is the second exploit mentioned in that article. Rich is working on writing something about the first one still (which appeared later).
Dave Crockett  2015-08-05 16:08
Great! I've downloaded the .dmg of the 'fix' offered on the first item but not going to do anything with it until I get some kind of secondary verification that I should. Thanks, Adam (and Rich)!
Robert Fairbairn  2015-08-06 09:30
Here is another good article on this that also says: do not overreact:
http://www.imore.com/thunderstrike-2-what-you-need-know
David C  2015-08-06 15:25
Great information, except that the mention of USB-C is incomplete. Yes, USB is a different vector, but the USB-C port on the new MacBook is ALSO a Thunderbolt-3 interface.

So while a USB device attached to that port (directly or via a USB hub) can't have Thunderstrike, an unknown device with a USB-C connector might actually be a Thunderbolt-3 device, which may be able to transmit Thunderstrike.
Curtis Wilcox (Friend of TidBITS) 2015-08-07 06:52
No, it's not. Thunderbolt 3 ports use a USB Type-C connector and support USB 3.1, but not all USB Type-C ports support Thunderbolt 3. The MacBook (Early 2015)'s doesn't; the MacBook was released in March, but Intel didn't announce Thunderbolt 3 until June.

I hope future Macs will have Thunderbolt 3 but the first Mac with a USB Type-C connector never will.
Alan Sanders  2015-08-07 14:29
I've often wondered: Don't "proof of concept" public demos help malicious hackers apply the concepts being demonstrated?
George Cowie  2015-08-12 00:19
Thanks for all this information, which helped me put the Wired article in perspective. TidBITS is always my first source for checking out click-bait articles (I am not claiming that Wired writes click bait) and articles that need a reality check.