Infecting a Macbook

foxidrive

Retired Admin

Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface.

The attack, dubbed Thunderstrike, installs malicious code in a MacBook’s boot ROM (read-only memory), which is stored in a chip on the motherboard. It was devised by a security researcher named Trammell Hudson based on a two-year-old vulnerability and will be demonstrated next week at the 31st Chaos Communication Congress in Hamburg.

“It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple’s EFI firmware update routines,” Hudson said in the description of his upcoming presentation. “This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.”

Malicious code installed in the MacBook boot ROM will be executed before the OS is loaded, meaning it can patch the OS kernel and have complete control over the system. It also means that reinstalling Mac OS X will not remove the bootkit and neither will replacing the hard disk drive, because the malicious code is not stored on it.

The bootkit can even replace Apple’s cryptographic key stored in the ROM with one generated by the attacker, preventing any future legitimate firmware updates from Apple, the researcher said in a blog post.


I think it's time to get your pliers out and break the thunderbolt port :wink2:
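The Option ROM that Thunderstrike rides in on is an ordinary PCI expansion ROM (Thunderbolt carries PCIe), so the first thing worth being able to do is inspect one. The script below is an added example, not code from the article or from Hudson's research: it walks a ROM dump image by image using the header layout from the PCI Firmware Specification and the UEFI specification (0x55AA signature, PCIR data structure at the offset stored in header word 0x18, code type 0x03 = EFI) and reports which images carry EFI drivers, which is what the host firmware will execute before the OS. The ROM bytes it parses are constructed inside the script; the vendor and device IDs are placeholders, and the image-builder exists only to produce that sample.

```python
"""Enumerate the images in a PCI expansion (Option) ROM dump.

Layout assumptions (PCI Firmware Spec 3.0 / UEFI spec):
  image header: 0x00 55 AA, 0x02 size (512-byte units), 0x18 offset to PCIR
  EFI images add: 0x04 u32 0x0EF1, 0x08 subsystem, 0x0A machine, 0x0C compression,
                  0x16 offset to the PE/COFF image
  PCIR: 'PCIR', 0x04 vendor, 0x06 device, 0x10 length (512-byte units),
        0x14 code type, 0x15 indicator (bit 7 = last image)
"""
import struct

CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware",
              0x02: "HP PA-RISC", 0x03: "EFI"}
EFI_SIGNATURE = 0x0EF1


def parse_option_rom(rom: bytes):
    """Return one dict per image, following the chain until the 'last image' bit."""
    images = []
    offset = 0
    while offset + 0x1A <= len(rom):
        if rom[offset:offset + 2] != b"\x55\xAA":
            raise ValueError(f"bad ROM signature at 0x{offset:x}")
        pcir_off = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if rom[pcir_off:pcir_off + 4] != b"PCIR":
            raise ValueError(f"bad PCIR signature at 0x{pcir_off:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir_off + 0x04)
        length_units = struct.unpack_from("<H", rom, pcir_off + 0x10)[0]
        code_type = rom[pcir_off + 0x14]
        indicator = rom[pcir_off + 0x15]
        image_end = offset + length_units * 512
        # A zero length would loop forever; a length past the dump means a truncated ROM.
        if length_units == 0 or image_end > len(rom):
            raise ValueError(f"image at 0x{offset:x} has bad length {length_units} units")
        entry = {
            "offset": offset,
            "vendor_id": vendor,
            "device_id": device,
            "length": length_units * 512,
            "code_type": CODE_TYPES.get(code_type, f"unknown(0x{code_type:02x})"),
            "last": bool(indicator & 0x80),
        }
        if code_type == 0x03:
            # EFI images carry a second header right after the 55AA/size words.
            sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, offset + 0x04)
            if sig != EFI_SIGNATURE:
                raise ValueError(f"EFI image at 0x{offset:x} lacks 0x0EF1 signature")
            entry["efi"] = {
                "subsystem": subsystem,          # 0x0B = boot service driver, 0x0C = runtime driver
                "machine_type": machine,         # PE/COFF machine, e.g. 0x8664 for x64
                "compression": compression,      # 0 = none, 1 = EFI compression
                "image_offset": struct.unpack_from("<H", rom, offset + 0x16)[0],
            }
        images.append(entry)
        if entry["last"]:
            break
        offset = image_end
    return images


def efi_images(rom: bytes):
    """The images the host firmware would load and run as EFI drivers."""
    return [img for img in parse_option_rom(rom) if "efi" in img]


def build_image(vendor, device, code_type, last, efi=False, size_units=1):
    """Construct a minimal well-formed image for the sample ROM below (test data only)."""
    img = bytearray(size_units * 512)
    img[0:2] = b"\x55\xAA"
    struct.pack_into("<H", img, 0x02, size_units)
    pcir_off = 0x40
    struct.pack_into("<H", img, 0x18, pcir_off)
    if efi:
        struct.pack_into("<IHHH", img, 0x04, EFI_SIGNATURE, 0x0B, 0x8664, 0)
        struct.pack_into("<H", img, 0x16, 0x80)   # where the PE image would start
    img[pcir_off:pcir_off + 4] = b"PCIR"
    struct.pack_into("<HH", img, pcir_off + 0x04, vendor, device)
    struct.pack_into("<H", img, pcir_off + 0x0A, 0x18)      # PCIR structure length
    struct.pack_into("<H", img, pcir_off + 0x10, size_units)
    img[pcir_off + 0x14] = code_type
    img[pcir_off + 0x15] = 0x80 if last else 0x00
    return bytes(img)


# Constructed sample: a legacy BIOS image followed by an EFI driver image, placeholder IDs.
SAMPLE_ROM = (build_image(0x1234, 0x5678, 0x00, last=False)
              + build_image(0x1234, 0x5678, 0x03, last=True, efi=True))

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(f"0x{img['offset']:05x}  {img['vendor_id']:04x}:{img['device_id']:04x}  "
              f"{img['length']:6d} B  {img['code_type']}" + ("  <- EFI driver" if "efi" in img else ""))
```

Run it against a dump of a device's expansion ROM (for a PCIe device on Linux, the `rom` attribute under its sysfs node) rather than the constructed bytes; any EFI-typed image on a hot-pluggable device is code the firmware will execute at boot and deserves a closer look.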
 

misi

Growing Little Guru
http://www.cnet.com/news/apple-upda...=nl.e703&s_cid=e703&ttag=e703&ftag=CAD090e536

Apple is updating its Macs to guard against hackers taking control -- the first time a Mac update has been sent out automatically without requiring your permission.
The automated security update protects Apple laptops and desktops from newly discovered security vulnerability CVE-2014-9295, which affects OS X as well as Linux and Unix distributions.

Speaking to Reuters, Apple spokesperson Bill Evans described Monday's update as "seamless" and noted that Mac users don't even need to restart their computers.
Apple isn't the only company that could be vulnerable to the security bug, which was revealed Friday by the US Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute. Researchers warn that vulnerabilities in a computer's network time protocol (NTP), which syncs a computer's clocks, could allow hackers to take control of a computer remotely.
"Apple's proactive steps to automatically remediate this particular vulnerability shows the need to quickly patch remotely exploitable vulnerabilities," says security analyst Ken Westin of Tripwire. "However, the use of Apple's automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case the update may have been so minor the risk of affecting other applications and processes was minimal."
Previously, Apple's security updates have required a computer user to accept the update. The company has actually had a method to automatically update computers for two years but is only now using it for the first time.
What if someone doesn't want automatic updates? Westin advises: "If you have a Mac system where an automatic update might introduce a problem -- or you are the paranoid type -- it can be disabled by going to the Apple Menu > System Preferences > App Store and unchecking Install system data files and security updates."
 