This article originally appeared in TidBITS on 2015-08-04 at 9:38 a.m.

What You Need to Know About the Thunderstrike 2 Worm

by Rich Mogull

Wired has reported [1] on new research being presented at this week’s Black Hat security conference on a proof-of-concept Mac worm that could spread through the Mac’s firmware, rather than software. While Wired’s piece makes this sound like a super worm capable of leaping through air gaps and infecting the world’s Macs, the reality is more mundane. The research itself is excellent and fascinating work from Trammell Hudson and Xeno Kovah, and as always we hope Apple patches all the flaws quickly, but this isn’t something most Apple users need to lose any sleep over.

Here are the answers to your most pertinent questions about this vulnerability.

What is Thunderstrike 2?

Thunderstrike 2 is the name of a new attack on Mac firmware that has evolved from the Thunderstrike research we discussed back in “Thunderstrike Proof-of-Concept Attack Serious, but Limited [2]” (9 January 2015), which was also created by Trammell Hudson. The new version can infect a Mac’s firmware from malicious Web sites, email messages, and other common vectors. It will then hide in the firmware and replicate itself to any vulnerable connected hardware, including Thunderbolt network adapters and external hard drives.

The key difference from the original Thunderstrike is that the attack works through a malicious Web page, and once on the vulnerable Mac, infects any attached Thunderbolt device, which can then infect other vulnerable Macs. But don’t worry, this is self-limiting. It only works on Thunderbolt devices, and affects only vulnerable Macs.

Am I vulnerable?

Probably not. OS X 10.10.4 Yosemite breaks the proof-of-concept demonstration. That doesn’t mean Macs are immune from firmware attacks, but it does mean the current attack demonstration won’t work on Macs running the latest version of Yosemite.
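Since the article’s one concrete mitigation is a version number, here is an added example (not part of the original article) that compares a reported OS X version against 10.10.4 field by field, so that “10.11” and “10.10.4.1” count as at least 10.10.4 while “10.9.5” does not. On a Mac it reads the running version from sw_vers; elsewhere it uses a constructed sample value.

```shell
#!/bin/sh
# Added example, not from the TidBITS article: report whether an OS X version
# is at or above 10.10.4, the release the article says blocks the
# Thunderstrike 2 Web-page vector. Comparison is numeric, field by field.

MIN_SAFE_VERSION="10.10.4"

# version_at_least <version> <minimum>: exit 0 if version >= minimum.
# Missing trailing fields count as 0, so "10.11" >= "10.10.4".
version_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) v[i] = $i + 0; nv = NF; next }
        {
            n = (NF > nv) ? NF : nv
            for (i = 1; i <= n; i++) {
                a = (i <= nv) ? v[i] : 0
                b = (i <= NF) ? $i + 0 : 0
                if (a > b) exit 0
                if (a < b) exit 1
            }
            exit 0
        }'
}

# thunderstrike2_web_vector_blocked <version>: print a verdict; return 0 when
# the version is at or above MIN_SAFE_VERSION.
thunderstrike2_web_vector_blocked() {
    if version_at_least "$1" "$MIN_SAFE_VERSION"; then
        echo "OS X $1: Web-page firmware vector blocked (>= $MIN_SAFE_VERSION)"
        return 0
    fi
    echo "OS X $1: update to $MIN_SAFE_VERSION or later"
    return 1
}

# On a real Mac, sw_vers reports the running version; elsewhere fall back to a
# constructed sample so the script still runs offline.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
else
    current="10.10.3"   # constructed sample value
fi
thunderstrike2_web_vector_blocked "$current" || :
```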

Wait, this is just a demonstration? It isn’t being used for real yet?

That’s right. The researchers are the good guys, and this is just a proof-of-concept demonstration they wrote to show at the Black Hat security conference. Although firmware attacks have been seen in the wild (as reported by ThreatPost [3]), they are very uncommon and typically used in advanced attacks, often against government-level targets.

Is this a new vulnerability?

Yes and no. The concept is based on earlier firmware vulnerabilities. According to published reports, five new vulnerabilities were reported to Apple after the original Thunderstrike proof of concept. Of those, one has been patched, one has been partially patched, and three more are still being dealt with.

However, Apple also added code to block an attack from a Web page (or other software) from infecting the firmware. It may still be possible to attack the Mac’s firmware if the bad guy can gain physical access, but you don’t have to worry about your firmware becoming infected because you browsed to the wrong Web site.

So someone can infect me with a USB drive, the way Iranian nuclear reactors were infected with Stuxnet?

No. This attack relies on Thunderbolt, which connects to your Mac in a different way than USB. It works only with Thunderbolt devices like network adapters and storage drives. That USB drive the nice NSA recruiter handed you is totally safe. Well, safe from Thunderstrike.

Can this worm jump air gaps like Wired says?

An air gap is a technique of protecting a sensitive system by unplugging it from any network and accessing it only directly or by hand-loading data from portable storage.

Thunderstrike 2 doesn’t magically jump air gaps. Someone needs to take an infected device and connect it to the air-gapped computer. If you’ve watched any hacker movie or TV show, you know this is a real way of attacking systems. But it isn’t the sort of thing average Mac users need to worry about, and those in secure environments already know to be careful (although they may still make mistakes).

Is Thunderstrike really a software worm?

A worm is software that spreads automatically from computer to computer without human interaction. In this case, an infected computer will infect something known as the option ROM on any vulnerable Thunderbolt device that’s attached. Then that device can infect any computer it’s connected to, and so on.

Yes, it’s a worm, and that’s the most interesting part of the research. But especially with the new patch in place, and the generally limited use of Thunderbolt, it would be hard for even a malicious version of this attack to spread very far.

Why are firmware attacks so bad?

Firmware is embedded in the hardware of your computer and runs below the level of the operating system. Thus, firmware infections can be invisible to any normal security detection or removal tools, and even swapping out the hard drive won’t eliminate the infection (you’d have to replace the logic board). Firmware attacks are extremely serious, persistent attacks when they work, but Apple and other computer manufacturers are working hard to make these already-difficult attacks even harder.

How can a network dongle infect my computer?

There are a bunch of different ways of connecting peripherals to computers. Most, like Thunderbolt, connect the device directly to special hardware chips in the computer that further connect to the processor and memory. This direct access is how manufacturers are able to make fast external hard drives and other devices; they “skip” the operating system and allow the computer to access the external hardware directly, just as if it were built in.

To make this possible, there is a little bit of software on a chip in the device that talks to special software on the chips in your computer, and all software can have vulnerabilities. Firmware attacks find vulnerabilities that enable them to overwrite the firmware on the chips in your computer, where they hide their malicious code (or, in this case, demonstration code). That firmware can then compromise the firmware on new, clean devices that are connected later on.

Firmware needs to be changeable, because the software embedded in it is never perfect and needs to be updated. This flexibility creates opportunities for attackers. Happily, Intel is adding features within the chips to make this a lot harder for attackers, and operating system vendors like Apple are adding their own protections.

What about the new USB-C port on the 12-inch MacBook?

USB is a different technology from Thunderbolt. While it might have its own vulnerabilities, Thunderstrike 2 doesn’t work with USB. USB-C is not vulnerable to this particular attack.

Is there anything I need to do?

No, nearly everyone can ignore Thunderstrike 2 entirely. The research really is excellent, compelling work that the Wired piece unfortunately turned into a bit of a fright-fest. The Web attack vector, in particular, is blocked in OS X 10.10.4. The worm can’t automatically jump air gaps — those in sensitive environments can easily protect themselves by being careful where they source their Thunderbolt devices, and this entire family of firmware attacks is likely to become a lot more difficult as hardware improves, and as device manufacturers update their firmware code.

I have no doubt similar attacks will continue to be used, especially against high-value targets, but the economics make it highly unlikely this is something we will ever see used at scale against consumers.

As I wrote this, I was at the Black Hat security conference (teaching a cloud security class). If you’ve noticed an uptick of security stories the past couple of weeks, that’s because Black Hat is one of the big research events where new and interesting vulnerabilities and attacks are made public. Some media outlets get carried away and forget to include the necessary context in their articles to help readers decide if they are personally at risk. This is unfortunate, since it detracts from the importance of security research and, at times, even makes security researchers seem like the bad guys attacking our computers.

This research plays an extremely valuable role in helping keep us all safe. Finding problems before the bad guys do, and reporting those problems to the vendors (as these researchers did to Apple), helps keep us all safer going forward. But when the research is reported by the media without sufficient context, it creates unwarranted fear. This is one of those situations where high-quality research is being blown out of proportion for page views. I suppose it’s still better than watching political ads.