Thunderstrike (Na Na Na Na)

It almost sounds like something out of a movie: the evil villain quietly drops into the conference room and replaces the DisplayPort to VGA adapter with an evil one. Ok, I’ll admit, it’s not the most exciting movie plot ever but that Displayport to VGA adapter will infect any MacBook that’s plugged into it on boot.

What’s more, the virus can’t be removed. It’s not on the HDD/SDD, so no amount of re-installing the OS will help you.

Sounds scary but that’s exactly what Thunderstrike does. Thankfully it’s only a proof of concept at the moment.

Thunderstike works to infect the boot ROM on vulnerable Apple systems. The process for doing this involves technology that hasn’t really changed since the 1980s and the very modern Thunderbolt system.

Thunderbolt is effectively PCIe and DisplayPort rolled into one and presented to the outside world. The PCIe element is how you can get the level of performance you do out of Thunderbolt – it’s effectively an internal bus on the outside.

This means you’ve got the same access to the hardware you would if you had installed a PCIe card. Not that this is really a new vulnerability as there were similar concerns about Firewire.

In the Thunderstrike proof of concept, a Thunderbolt gigabit ethernet adapter has been modified so that it offers an option ROM. This option ROM changes which key is accepted for boot ROM changes.

At that point, the machine is effectively taken over. A new boot ROM is loaded and others are locked out from making changes. This means its very difficult to disinfect a machine.

There is a catch to the process in that it requires a reboot to make the changes it needs. However, the original discoverer of the vulnerability has stated that it could potentially be remotely exploitable tricks like Dark Jedi Coma.

For now though, rogue Thunderbolt devices are the real threat. Who’d have thought that DisplayPort adapter or gigabit ethernet adepter on the conference room table would be such a threat? The same people that consider USB pendrives a threat I’d guess.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *