Thunderstrike 2: Sith Strike

Abstract

In this work we teamed up with Trammell Hudson to improve upon his previous Thunderstrike proof of concept. Previously it required physical access to rewrite the flash chip. We suspected that Macs were vulnerable to the same remotely-exploitable vulnerabilities we had shown in the past, and indeed they were vulnerable to 5/6 of the issues we had seen previously. This helps show that just because you don't hear about a vulnerability affecting a particular vendor doesn't mean they're not affected.

To show the consequences of these vulnerabilities, Thunderstrike 2 uses CERT VU#976132 (Darth Venamis) to break into the BIOS from an Apple Thunderbolt Ethernet adapter. Once resident in the BIOS, it infects every new Ethernet adapter it comes in contact with. As such it represents a novel type of "firmworm" that only ever lives in firmware. Because it does not touch the OS or filesystem, it will not be detected by traditional security products or by forensics professionals.

Publication
Presented at Black Hat USA 2015, DEF CON 2015, and Hack in the Box GSEC (Singapore)
Xeno Kovah