THE COMMON WISDOM when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t.
It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.
The attack raises the stakes considerably for system defenders since it would allow someone to remotely target machines—including air-gapped ones—in a way that wouldn’t be detected by security scanners and would give an attacker a persistent foothold on a system even through firmware and operating system updates. Firmware updates require the assistance of a machine’s existing firmware to install, so any malware in the firmware could block new updates from being installed or simply write itself to a new update as it’s installed.
The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware.
“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” says Xeno Kovah, one of the researchers who designed the worm. “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
It’s the kind of attack intelligence agencies like the NSA covet. In fact, documents released by Edward Snowden, andresearch conducted by Kaspersky Lab, have shown that the NSA has already developed sophisticated techniques for hacking firmware.
The Mac firmware research was conducted by Kovah, owner of LegbaCore, a firmware security consultancy, and Trammell Hudson, a security engineer with Two Sigma Investments. They’ll be discussing their findings on August 6 at the Black Hat security conference in Las Vegas.
Firmware is a particularly valuable place to hide malware on a machine because it operates at a level below the level where antivirus and other security products operate and therefore does not generally get scanned by these products, leaving malware that infects the firmware unmolested. There’s also no easy way for users to manually examine the firmware themselves to determine if it’s been altered. And because firmware remains untouched if the operating system is wiped and re-installed, malware infecting the firmware can maintain a persistent hold on a system throughout attempts to disinfect the computer. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate malicious code, the malicious firmware code will remain intact.
5 Firmware Vulnerabilities in Macs
Last year, Kovah and his partner at Legbacore, Corey Kallenberg, uncovered a series of firmware vulnerabilitiesthat affected 80 percent of PCs they examined, including ones from Dell, Lenovo, Samsung and HP. Although hardware makers implement some protections to make it difficult for someone to modify their firmware, the vulnerabilities the researchers found allowed them to bypass these and reflash the BIOS to plant malicious code in it.
Kovah, along with Hudson, then decided to see if the same vulnerabilities applied to Apple firmware and found that untrusted code could indeed be written to the MacBook boot flash firmware. “It turns out almost all of the attacks we found on PCs are also applicable to Macs,”
They looked at six vulnerabilities and found that five of them affected Mac firmware. The vulnerabilities are applicable to so many PCs and Macs because hardware makers tend to all use some of the same firmware code.
“Most of these firmwares are built from the same reference implementations, so when someone finds a bug in one that affects Lenovo laptops, there’s a really good chance it’s going to affect the Dells and HPs,” says Kovah. “What we also found is that there is really a high likelihood that the vulnerability will also affect Macbooks. Because Apple is using a similar EFI firmware.”
In the case of at least one vulnerability, there were specific protections that Apple could have implemented to prevent someone from updating the Mac code but didn’t.
“People hear about attacks on PCs and they assume that Apple firmware is better,” Kovah says. “So we’re trying to make it clear that any time you hear about EFI firmware attacks, it’s pretty much all x86 [computers].”
They notified Apple of the vulnerabilities, and the company has already fully patched one and partially patched another. But three of the vulnerabilities remain unpatched.
Thunderstrike 2: Stealth Firmware Worm for Macs
Using these vulnerabilities, the researchers then designed a worm they dubbed Thunderstrike 2 that can spread between MacBooks undetected. It can remain hidden because it never touches the computer’s operating system or file system. “It only ever lives in firmware, and consequently no [scanners] are actually looking at that level,” says Kovah.
The attack infects the firmware in just seconds and can also be done remotely.
There have been examples of firmware worms in the past—but they spread between things like home office routers and also involved infecting the Linux operating system on the routers. Thunderstrike 2, however, is designed to spread by infecting what’s known as the option ROM on peripheral devices.
An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an AppleThunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.
When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread.
One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.
“People are unaware that these small cheap devices can actually infect their firmware,” says Kovah. “You could get a worm started all around the world that’s spreading very low and slow. If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”
In a demo video Kovah and Hudson showed WIRED, they used an Apple Thunderbolt to Gigabit Ethernet adapter, but an attacker could also infect the option ROM on an externalSSD or on a RAID controller.
No security products currently check the option ROM on Ethernet adapters and other devices, so attackers could move their worm between machines without fear of being caught. They plan to release some tools at their talk that will allow users to check the option ROM on their devices, but the tools aren’t able to check the boot flash firmware on machines.
The attack scenario they demonstrated is ideal for targeting air-gapped systems that can’t be infected through network connections.
“Let’s say you’re running a uranium refining centrifuge plant and you don’t have it connected to any networks, but people bring laptops into it and perhaps they share Ethernet adapters or external SSDs to bring data in and out,” Kovah notes. “Those SSDs have option ROMs that could potentially carry this sort of infection. Perhaps because it’s a secure environment they don’t use WiFi, so they have Ethernet adapters. Those adapters also have option ROMs that can carry this malicious firmware.”
He likens it to how Stuxnet spread to Iran’s uranium enrichment plant at Natanz via infected USB sticks. But in that case, the attack relied on zero-day attacks against the Windows operating system to spread. As a result, it left traces in the OS where defenders might be able to find them.
“Stuxnet sat around as a kernel driver on Windows file systems most of the time, so basically it existed in very readily available, forensically-inspectable places that everybody knows how to check. And that was its Achille’s heel,” Kovah says. But malware embedded in firmware would be a different story since firmware inspection is a vicious circle: the firmware itself controls the ability of the OS to see what’s in the firmware, thus a firmware-level worm or malware could hide by intercepting the operating system’s attempts to look for it. Kovah and colleagues showed how firmware malware could lie like this at a talk they gave in 2012. “[The malware] could trap those requests and just serve up clean copies [of code]… or hide in system management mode where the OS isn’t even allowed to look,” he says.
Hardware makers could guard against firmware attacks if they cryptographically signed their firmware and firmware updates and added authentication capabilities to hardware devices to verify these signatures. They could also add a write-protect switch to prevent unauthorized parties from flashing the firmware.
Although these measures would guard against low-level hackers subverting the firmware, well-resourced nation-state attackers could still steal a hardware maker’s master key to sign their malicious code and bypass these protections.
Therefore, an additional countermeasure would involve hardware vendors giving users the ability to easily read their machine’s firmware to determine if it has changed since installation. If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check to see if what’s installed on their machine differs from the checksums. A checksum is a cryptographic representation of data that is created by running the data through an algorithm to produce a unique identifier composed of letters and numbers. Each checksum is supposed to be unique so that if anything changes in the dataset, it will produce a different checksum.
But hardware makers aren’t implementing these changes because it would require re-architecting systems, and in the absence of users demanding more security for their firmware, hardware makers aren’t likely to make the changes on their own.
“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware,” Kovah notes. “Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security.”