This is an annotated transcript of the Thunderstrike 2 demo video, since a lot of information is packed into the two-minute demo. There is also a Thunderstrike 2 overview and extensive details.
Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory.
On some systems it can immediately unlock and rewrite the motherboard boot flash; on others it needs to hook the S3 resume script and wait for a sleep event. This builds upon the information we learned in the original Thunderstrike research, namely how to append PE files to the Firmware Volumes and how Apple verifies the integrity using CRC32.
It can also search for removable Thunderbolt devices and write itself into their option ROMs.
This is an improvement over Thunderstrike 1, which required physical access to attack a machine.
Like the original, Thunderstrike 2's proof of concept is not very stealthy, so when the system reboots, the logo is displayed and various hooks are inserted into the running EFI firmware.
When the infected adapter is connected to a fresh laptop during a system boot, the option ROM is executed by the EFI firmware before the kernel is started.
The option ROM can't directly write to the flash, so instead it hooks the S3 resume script using the Darth Venamis vulnerability. This code will be executed when the system comes out of a sleep mode. Additionally, if you look closely behind the title bar in this image you can see the FileVault password that was keylogged.
Later the system goes to sleep, the CPU enters a low-power state, and all of the flash lock bits are reset into their unlocked state. We can identify when the system has entered the S3 suspend-to-RAM sleep by waiting for the fans to shut down. When the system resumes, there is a window of time to write Thunderstrike 2 into the motherboard boot flash.
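The lock-bit reset described above is something a defender can check for by comparing flash-protection register snapshots taken at cold boot and after an S3 resume. The following is an added example, not code from the Thunderstrike research: the register names and bit positions follow Intel PCH datasheets (an assumption about the platform), the `flash_regs` structure is hypothetical, and the sample values are constructed rather than read from hardware.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions per Intel PCH datasheets (assumed platform). */
#define BIOSWE  (1u << 0)   /* BIOS_CNTL: BIOS Write Enable */
#define BLE     (1u << 1)   /* BIOS_CNTL: BIOS Lock Enable */
#define SMM_BWP (1u << 5)   /* BIOS_CNTL: SMM BIOS Write Protect */
#define FLOCKDN (1u << 15)  /* HSFS: Flash Configuration Lock-Down */
#define PR_WPE  (1u << 31)  /* PR0..PR4: Write Protection Enable */

enum { F_BIOSWE = 1, F_NO_BLE = 2, F_NO_SMM_BWP = 4, F_NO_FLOCKDN = 8, F_NO_PR = 16 };

struct flash_regs {          /* hypothetical snapshot structure */
    uint8_t  bios_cntl;
    uint16_t hsfs;
    uint32_t pr[5];
};

/* Constructed sample values, not captured from real hardware. */
static const struct flash_regs sample_boot   = { 0x2A, 0xE008, { 0x87FF0780u, 0, 0, 0, 0 } };
static const struct flash_regs sample_resume = { 0x08, 0x6008, { 0, 0, 0, 0, 0 } };

/* Return a bitmask of missing flash write protections. */
unsigned flash_lock_findings(const struct flash_regs *r) {
    unsigned f = 0;
    int protected_range = 0;
    if (r->bios_cntl & BIOSWE)     f |= F_BIOSWE;
    if (!(r->bios_cntl & BLE))     f |= F_NO_BLE;
    if (!(r->bios_cntl & SMM_BWP)) f |= F_NO_SMM_BWP;
    if (!(r->hsfs & FLOCKDN))      f |= F_NO_FLOCKDN;
    for (int i = 0; i < 5; i++)
        if (r->pr[i] & PR_WPE) protected_range = 1;
    if (!protected_range)          f |= F_NO_PR;
    return f;
}

/* Protections present at cold boot but missing after S3 resume. */
unsigned s3_regressions(const struct flash_regs *boot, const struct flash_regs *resume) {
    return flash_lock_findings(resume) & ~flash_lock_findings(boot);
}

int main(void) {
    printf("boot findings:   0x%02x\n", flash_lock_findings(&sample_boot));
    printf("resume findings: 0x%02x\n", flash_lock_findings(&sample_resume));
    printf("lost across S3:  0x%02x\n", s3_regressions(&sample_boot, &sample_resume));
    return 0;
}
```

A nonzero result from `s3_regressions` means the firmware did not restore its flash protections on the resume path, even though the cold-boot configuration looked locked.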
Once installed in the boot flash, it is very difficult to remove since it controls the system from the very first instruction executed upon booting, including the keys for updating the firmware. Reinstalling OS X won't remove it; replacing the hard drive won't remove it. Even swapping to a new laptop has the possibility of re-infecting from Thunderbolt devices that might have been shared.
Again, this PoC isn't very stealthy, so when the system reboots we'll see the Thunderstrike logo. A weaponized version could use virtualization or SMM to hide from attempts to detect it.
Thunderstrike 2 also watches for new Thunderbolt devices to be attached, and can write itself to a clean adapter when it detects the PCIe hot plug event. This hardware transmission vector allows it to potentially cross air-gap security measures.
Thunderstrike 2's proof of concept demonstrates the entire cycle of a software exploit that can write to the motherboard boot flash, which can then infect Thunderbolt option ROMs, which can hook the S3 resume script or SMM and repeat the installation into motherboard boot flash chips on new machines.
Security 2015 Reverse engineering