Flaw in Thunderbolt ROM may allow overtaking of a Mac’s hardware

A long-standing but recently revealed security hole in the EFI boot ROM of OS X systems may allow attackers to take over Apple hardware that shipped with a Thunderbolt port.

The attack, found by researcher Trammell Hudson and due to be presented at the upcoming Chaos Communication Congress in Germany, allows a compromised Thunderbolt device to modify the boot ROM of a vulnerable Mac. The infected Mac can then compromise the ROM of any Thunderbolt device subsequently attached to it, and those devices can in turn infect additional hardware.

This approach to hacking a system is similar to recent demonstrations of exploiting Macs with keyboard-mimicking USB hardware that can be scripted using Perl, Shell, and AppleScript languages to quickly modify system settings in OS X, simply by plugging the device into the USB port for a few seconds.

Granted, these approaches require an attacker to have physical access to your Mac, so they do not use the biggest attack vector against computer systems, which is the internet, through malicious Web sites and software downloads. However, they do mean that if someone were to gain physical access, it may be far easier for them to quickly do damage to a system.

These approaches are interesting findings, and will likely result in ROM and software updates to help prevent unauthorized access, but overall are not something that the average user should worry about. Simply be aware of who you give access to your Mac, and take all security precautions to lock down your data, and you should be good to go.

5 thoughts on “Flaw in Thunderbolt ROM may allow overtaking of a Mac’s hardware”

  1. Topher Kessler Post author

    ROM is only intended to be “Read Only” under general use, but can be modified in special ways, the most common of which is to flash it. In general, the system reserves flashing as the only way to modify ROM; however, bugs such as this one may allow ROM contents to be overwritten, and result in problems.

  1. B. Jefferson Le Blanc

    Macworld reported this exploit only applies to Mac laptops. I don’t know why there is a difference here and there, but in any case this is something Apple needs to patch PDQ before hackers figure out how to use it.

  2. Brian

    Excellent article in today’s Ars Technica on this exploit.

    World’s first (known) bootkit for OS X can permanently backdoor Macs

    http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/
