US-based security researcher Trammell Hudson presented an intriguing paper on Mac rootkits at the recent Chaos Computer Congress (CCC) in Germany.
He called his work Thunderstrike, because it makes use of the Mac’s Thunderbolt port to do its dirty work.
Hudson decided to see if he could dig a rootkit even more deeply into a Mac than at the kernel or the boot sector level, where it is at least theoretically visible on your hard disk.
He wondered, in fact, if it might be possible to bury a rootkit in the Boot ROM chip on the motherboard.
That’s the firmware that runs right at the very start, when the computer is first powered up, and on which depends the correctness and security of everything that follows.
The Mac bootstrap
Very greatly simplified, the Mac bootup process goes something like this:
1. Load firmware from the Boot ROM (soldered onto the motherboard).
2. Load firmware Option ROMs from any connected Thunderbolt devices.
3. Load and run the Extensible Firmware Interface (EFI) code.
4. Load and run OS X itself.
Generally speaking, any rootkit installed or activated at stage 3 or 4 above can be detected using regular and well-documented programming techniques.
Granted, the rootkit might be very hard to find, and harder yet to remove, but well-informed security researchers will be able to deal with it, even if a special bootup CD or USB image is needed.
→ That’s the approach taken by Sophos Bootable Anti-Virus (SBAV), which can be used on Windows computers to remove stubborn rootkits or lock-screen ransomware. It works by booting up into a special-purpose Linux distribution, without running any executable code from your hard disk at all. This bypasses any and all malicious or damaged components in your Windows installation.
Hudson’s research (excellently presented and well worth reading in full) deals with two aspects of the Mac startup process:
- If you open up the Mac’s case and get physical access to the ROM chip, can you rewrite it without triggering an alarm?
- If you can indeed alter the ROM undetected, can you do so without opening up the Mac’s case?
As you can imagine, a rootkit embedded in the Boot ROM itself would be extremely difficult to detect and disinfect.
Altering the Boot ROM
He did this by wiring an EEPROM reprogrammer of his own devising directly to the contacts of the chip.
He performed the following simple but telling experiments:
- Make an otherwise harmless one-byte change in the ROM. The Mac booted from the ROM; the cooling fans started for a moment, but then stopped when the computer shut itself down.
- Change the very first code instruction in the ROM into an infinite loop. The Mac booted; the cooling fans started, and kept on running.
Conclusion: there is some sort of Boot ROM checksum test that can shut down your Mac.
But the shutdown is performed by code inside the ROM itself; therefore it can be bypassed or removed.
Altering the ROM without opening the case
So, serious adversaries who are determined to target your Mac with a ROM-based surveillance rootkit can, in theory, do so.
They’ll need to separate you from your computer for long enough to open it up, disconnect the battery, attach wires to the Boot ROM, reflash it, and close everything up again so that you don’t notice.
But what about an attacker with less time – for example, a so-called “evil maid”?
That’s jargon for a hypothetically crooked hotel cleaner who is familiar with computers, and has a legitimate purpose for going in and out of your room when you aren’t there.
(For reasons presumably rooted in the male dominance of the IT industry, crooked cleaners are assumed to be female.)
You can easily boot a Mac off USB, of course, but by that time in the bootstrap process, the Boot ROM chip is already locked down into read-only mode.
And you can plug in a Thunderbolt device, such as an Ethernet (LAN) adapter, which contains a special sort of subsidiary boot ROM called an Option ROM, which gives you earlier “evil maid” access than a USB-based boot.
But Option ROMs also run after the Boot ROM has switched itself into read-only mode.
Subverting the Option ROM process
Hudson’s research revealed a loophole in the bootstrap process.
So that Apple can ship Boot ROM firmware updates, it is possible to reboot a Mac while leaving the Boot ROM in read-write mode.
But this sort of bootstrap is a special one during which all you are supposed to be able to do is write a new firmware image into the ROM and reboot.
The current ROM includes a public key to check the digital signature of the new ROM image first; so, in theory, an Apple ROM can rewrite itself with a digitally-signed Apple ROM, and that’s that.
But, as Hudson discovered, Thunderbolt Option ROMs run even in “Boot ROM firmware update” mode, despite the fact that they are totally unnecessary under those circumstances.
Worse still, the code in an Option ROM can modify the contents of the firmware update after its digital signature has been verified, but before it gets written to the Boot ROM.
Abusing a LAN adaptor
Hudson found a rather diabolical way around this problem: rewrite only a tiny part of the existing Boot ROM, namely the public key used by the ROM itself to validate its updates.
By doing this, not only does he open up the Boot ROM to be reflashed a second time with a firmware image signed by his own private key, but he’s now the only guy who can unflash the rootkit later on.
Even if you suspect (or detect) his shenanigans, you can’t easily flash your Mac back to “Apple Normal Form,” because Apple’s legitimate firmware ROMs are signed with Apple’s private key, not Trammell Hudson’s!
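The verify-then-write gap and the key replacement described above can be seen in a small model. This is an added example, not Hudson's code or Apple's firmware: the image layout, the names and the keys are constructed, and an HMAC stands in for the real public-key signature check. It compares an updater that runs Option ROM code between the check and the write with one that skips Option ROMs in update mode, which is the change the article says Apple is working on.

```python
import hashlib
import hmac

KEY_LEN = 32
# Constructed keys. HMAC is only a stand-in for the signature scheme.
VENDOR_KEY = hashlib.sha256(b"constructed vendor key").digest()
OTHER_KEY = hashlib.sha256(b"constructed third-party key").digest()

def make_image(trust_key, body):
    # Hypothetical layout: trust anchor first, then the firmware body.
    return trust_key + body

def sign(key, image):
    return hmac.new(key, image, hashlib.sha256).digest()

class Machine:
    def __init__(self):
        self.rom = make_image(VENDOR_KEY, b"firmware v1")

    def trust_key(self):
        return self.rom[:KEY_LEN]

    def update(self, image, sig, option_roms=(), run_option_roms=True):
        staged = bytearray(image)
        # Check: the key inside the current ROM validates the new image.
        if not hmac.compare_digest(sign(self.trust_key(), bytes(staged)), sig):
            return False
        if run_option_roms:
            # Flawed flow: device code runs after the check, before the write.
            for hook in option_roms:
                hook(staged)
        self.rom = bytes(staged)  # Use: whatever is staged now gets flashed.
        return True

def key_swapping_hook(staged):
    # Models the change the article describes: only the trust anchor changes.
    staged[:KEY_LEN] = OTHER_KEY

def demo(run_option_roms):
    m = Machine()
    v2 = make_image(VENDOR_KEY, b"firmware v2")
    m.update(v2, sign(VENDOR_KEY, v2), [key_swapping_hook], run_option_roms)
    # A later, genuine vendor update is checked against the key now in ROM.
    v3 = make_image(VENDOR_KEY, b"firmware v3")
    accepted = m.update(v3, sign(VENDOR_KEY, v3))
    return m.trust_key() == VENDOR_KEY, accepted

if __name__ == "__main__":
    print("option ROMs run in update mode:", demo(True))
    print("option ROMs skipped in update mode:", demo(False))
```

Each result pairs "trust anchor still the vendor's" with "next vendor update accepted". Both are false in the flawed flow, which is why a machine in that state cannot simply be reflashed with a legitimate image.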
What to do?
Sadly, there’s no easy way to prevent your Mac from being Thunderstruck at the moment.
Fortunately, Hudson reports that Apple is working on an official change that will prevent Option ROMs from running during a firmware update.
That will prevent his trick of abusing an Option ROM to subvert the Boot ROM update process.
In the meantime, we recommend that you don’t leave your Mac – or, indeed, any computer you own – unattended when you travel, if you can possibly help it.
In fact, even after Apple ships this fix, we think you should carry your computer equipment with you whenever you can.
Especially when the only place to leave it is somewhere that you know will be visited by other people (e.g. unsupervised hotel cleaners) when you are not there.
By the way, if you are worried about your computer being opened up without you realising, try an anti-rootkit trick presented at the 2013 Chaos Computer Congress.
Paint over the case screws with glitter nail polish and take close-up photos.
Sounds bizarre, but, in theory, the glitter sets into a hardware-random pattern that cannot reliably be reproduced after the screws have been opened and the nail polish chipped.
An attacker can repaint the screws to look very similar to how they were before, but not identical.
The things you can learn from the CCC!