The Thunderstrike exploit that affected a number of Mac systems with Thunderbolt ports, and gave an attacker with physical access to the system the ability to overtake the system’s ROM with a maliciously crafted Thunderbolt device. This attack was outlined by security researcher Trammell Hudson, and has been fixed in OS X 10.10.2, so for those who are concerned about their systems being vulnerable, this update should address the problem.
For security purposes Apple and Trammell Hudson did not give any information about vulnerable systems, but now that a fix is available, a list is available. Therefore, if you are unsure whether or not your Mac is one of those affected, then the following list outlines the models:
-
MacBook Pro with Retina display
- MacBook Air (Mid 2013 and later)
- iMac (Late 2013 and later)
- Mac Pro (Late 2013)
While this problem was an ongoing one, the exploits in it were more proof of concept, and all required direct access to the system. Since the exploit also required crafting of a malicious Thunderbolt device, it is very unlikely that any average hacker would develop such a device. Nevertheless, it being possible means that if you have one of the above systems, then be sure to update your Mac as soon as possible.
In addition, be sure to use as many security features of your Mac as possible, many of which will help lock down your Mac from such attacks, and generally keep your system safer than what its default configuration offers.
Topher, does this exploit affect any version of OS X besides Yosemite? Most of the Macs listed came with Mavericks, and I am still using Mavericks on my 2014 27″ iMac. I hesitate to conclude that just because Apple hasn’t provided a Mavericks version of the fix that such a vulnerability doesn’t exist.
Well, my question has apparently been answered. Apple just released security updates for Mavericks and Mountain Lion. However, as is their custom, they don’t say what they fix. It’s probably safe to conclude that they include the Thunderstrike fix. There are also updates for Safari and Apple Remote Desktop. As usual these updates can be found on the App Store.
B. Jefferson Le Blanc: Apple has (a bit late as usual) posted the security document for the 10.10.2 update and the 2015-001 security update. It is available here:
http://support.apple.com/en-us/HT204244
The relevant section reads:
CPU Software
Available for: OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013)
Impact: A malicious Thunderbolt device may be able to affect firmware flashing
Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments
Taking this document at its word: There was NO fix for this problem for earlier versions of OS X.
However, so little has been published about this problem that there is a question as to whether this exploit was ever possible using earlier versions of OS X. There is still, from what I can tell, still no definitive list of affected hardware. We’re left significantly in the dark regarding this exploit. All we have is the above statement from Apple as well as two previous fixes Apple earlier provided for specific Macs affected by the problem.
I personally wonder if we still have all the data yet. But if all the information is now out on the table, here is a summary list I put together of affected Mac configurations that are vulnerable to the Thunderstrike exploit specifically and only when they are running 10.10.0 or 10.10.1:
Mac Mini 2014 – Previously fixed by Apple via EFI patch
iMac Retina 5K – Previously fixed by Apple via EFI patch
MacBook Pro Retina – Patched in 10.10.2
MacBook Air (Mid 2013 and later) – Patched in 10.10.2
iMac (Late 2013 and later) – Patched in 10.10.2
Mac Pro (Late 2013) – Patched in 10.10.2
Every other configuration is ‘immune’. At least that’s a summary of what we know at this time (if I didn’t leave anything out).
While not putting too fine a point on the Thunderstrike problem, I notice that Software Update is listing a “Security Update 2015-001 _1.0_ for my iMac on which I’m still running Mavericks. Unfortunately, the link to the website is no different than what was posted above. However, there are actually many more fixes for 10.9 (and even 10.8) than for 10.10 alone. Many are “security” fixes, but the only one specifically mentioning Thunderstrike is, as you say, for Yosemtite.
From what I’ve read, the real problem with Thunderstrike would only occur when someone has direct access to your Mac or someone provides you with a ‘modified’ Thunderbolt device. I’m not sure even a ‘modified’ device would be a problem without another person physically in control of the Mac, also. Of course, all the above is strictly my opinion, I don’t even play a Geek on TV! 😎 LOL!!