Posted on Tuesday, January 13 2015 @ 15:09 CET by Thomas De Maesschalck
The good news is someone needs physical access to your Mac to carry out the attack, but the bad news is that this type of malware is virtually undetectable and unremovable. Hudson points out that a reinstallation of OS X won't remove it and even replacing the SSD won't help because there is nothing stored on the drive.
Hudson claims every MacBook Pro/Air/Retina with a Thunderbolt port is vulnerable to the attack, but fortunately Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port.
After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system's Thunderbolt port.Full details at ZD Net.
"It turns out that the Thunderbolt port gives us a way to get code running when the system boots," Wrote Hudson. "Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run."
...
"The classic 'evil-maid' attacks also are feasible. Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption," explains Hudson. "So while you are getting breakfast at the hotel during a conference and leave the machine in your room and house-cleaning comes by to make up the bed, install the firmware backdoors, and replace the towels."
