Thunderstrike2 demo

From Trammell Hudson's Projects

Thunderstrike 2 presentation at DefCon/Blackhat 2015

This is an annotated transcript of the Thunderstrike 2 demo video, since a lot of information is packed into the two-minute demo. There is also a Thunderstrike 2 overview and extensive details.

Thunderstrike 2 starts with a local root privilege-escalation exploit that can load a kernel module to give it access to raw memory.

On some systems it can immediately unlock and re-write the motherboard boot flash; on others it needs to hook the S3 resume script and wait for a sleep event. This builds upon what we learned in the original Thunderstrike research, namely how to append PE files to the Firmware Volumes and how Apple verifies their integrity using CRC32.

It can also search for removable Thunderbolt devices and write itself into their option ROMs.

This is an improvement over Thunderstrike 1, which required physical access to attack a machine.

Like the original, Thunderstrike 2's proof of concept is not very stealthy, so when the system reboots, the logo is displayed and various hooks are inserted into the running EFI firmware.

When the infected adapter is connected to a fresh laptop during a system boot, the option ROM is executed by the EFI firmware before the kernel is started.

The option ROM can't directly write to the flash, so instead it hooks the S3 resume script using the Darth Venamis vulnerability. This code will be executed when the system comes out of sleep mode. Additionally, if you look closely behind the title bar in this image you can see the FileVault password that was keylogged.

Later the system goes to sleep, the CPU enters a low-power state, and all of the flash lock bits are reset to their unlocked state. We can identify when the system has entered S3 suspend-to-RAM sleep by waiting for the fans to shut down. When the system resumes there is a window of time to write Thunderstrike 2 into the motherboard boot flash.
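A defender-side check for the lock-bit reset described above, added here as an example and not part of the original demo or the Thunderstrike code: it compares the SPI flash write-protection state captured before S3 sleep with the state read back after resume and reports every protection that went missing. The register bit positions (BIOS_CNTL BIOSWE/BLE/SMM_BWP, HSFS FLOCKDN, PRx write-protect enable and range fields) follow the Intel PCH layouts used by tools such as chipsec, but are an assumption to confirm against the datasheet for the chipset being audited; the sample readings are constructed.

```python
from dataclasses import dataclass

# Register bit layouts assumed from Intel PCH datasheets (verify per chipset).
BIOSWE  = 1 << 0    # BIOS_CNTL: BIOS Write Enable, expected clear
BLE     = 1 << 1    # BIOS_CNTL: BIOS Lock Enable, expected set
SMM_BWP = 1 << 5    # BIOS_CNTL: SMM BIOS Write Protect, expected set
FLOCKDN = 1 << 15   # HSFS: Flash Configuration Lock-Down, expected set
PR_WPE  = 1 << 31   # PRx: Write Protection Enable for that protected range

@dataclass(frozen=True)
class FlashState:
    bios_cntl: int   # raw BIOS_CNTL byte
    hsfs: int        # raw HSFS word
    pr: tuple        # raw PR0..PR4 dwords

def pr_range(raw):
    """Decode a PRx register into (base, limit) byte addresses, or None if disabled."""
    if not raw & PR_WPE:
        return None
    base = (raw & 0x1FFF) << 12                       # bits 12:0, 4 KiB units
    limit = (((raw >> 16) & 0x1FFF) << 12) | 0xFFF    # bits 28:16, inclusive
    return base, limit

def protections(state):
    """Return the set of flash write protections actually in effect."""
    active = set()
    if not state.bios_cntl & BIOSWE:
        active.add("BIOSWE clear")
    if state.bios_cntl & BLE:
        active.add("BLE")
    if state.bios_cntl & SMM_BWP:
        active.add("SMM_BWP")
    if state.hsfs & FLOCKDN:
        active.add("FLOCKDN")
    for i, raw in enumerate(state.pr):
        rng = pr_range(raw)
        if rng:
            active.add(f"PR{i}:{rng[0]:#x}-{rng[1]:#x}")
    return active

def regressions(before, after):
    """Protections present before sleep that are missing after resume."""
    return sorted(protections(before) - protections(after))

# Constructed sample readings, not captured from a real machine: the BIOS set
# BLE, SMM_BWP, FLOCKDN and PR0 before sleep; none of them survived S3 resume.
BEFORE = FlashState(bios_cntl=0x2A, hsfs=0xE008, pr=(0x8FFF0190, 0, 0, 0, 0))
AFTER  = FlashState(bios_cntl=0x08, hsfs=0x6008, pr=(0x0FFF0190, 0, 0, 0, 0))

if __name__ == "__main__":
    for lost in regressions(BEFORE, AFTER):
        print("protection lost across S3 resume:", lost)
```

An empty result from regressions() after a real sleep/resume cycle is the condition a platform needs to hold for the S3 window described above not to exist.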

Once installed in the boot flash, it is very difficult to remove, since it controls the system from the very first instruction executed upon booting, including the keys for updating the firmware. Reinstalling OS X won't remove it, and replacing the hard drive won't remove it. Even swapping to a new laptop carries the possibility of re-infection from Thunderbolt devices that might have been shared.

Again, this PoC isn't very stealthy, so when the system reboots we'll see the Thunderstrike logo. A weaponized version could use virtualization or SMM to hide from attempts to detect it.

Thunderstrike 2 also watches for new Thunderbolt devices to be attached, and can write itself to a clean adapter when it detects the PCIe hot plug event. This hardware transmission vector allows it to potentially cross airgap security measures.

Thunderstrike 2 "firmworm" slide

Thunderstrike 2's proof of concept demonstrates the entire cycle of a software exploit that can write to the motherboard boot flash, which can then infect Thunderbolt option ROMs, which can hook the S3 resume script or SMM and repeat the installation into motherboard boot flash chips on new machines.