Skip to content

Thunderstrike 2

Thunderstrike 2 was presented at DefCon 23 / BlackHat 2015 and the annotated presentation is available with significantly more details, as well as a demo video of the proof-of-concept in action. Thunderstrike 2 is a continuation of my security research on Thunderstrike, in collaboration with Xeno Kovah and Corey Kallenberg of LegbaCore. I've also collected Thunderstrike 2 news coverage.

Vulnerability status

Thunderstrike 2 was partialy fixed as part of Mac EFI Security Update 2015-001 in June 2015 (VU#577140, CVE-2015-3692). Systems running OS X 10.10.4 and higher are no longer trivially vulnerable. "Partially patched" means that the Protected Range Registers (PRR) are locked before the S3 script is run, which prevents a Darth Venamis "Dark Jedi" attack on the boot flash, but it does not fix several other issues. We have disclosed the following remaining problems to Apple's product firmware security team:

  • Option ROMs are still loaded during normal boots. Snare's 2012 Option ROM attack still works and could be extended to other Option ROMs built into the system's WiFi or video card.
  • The S3 resume bootscript is still unprotected and executes code from RAM, allowing code injection into PEI from either a software attack or an Option ROM attack.
  • BIOS_CNTL.BLE and BIOS_CNTL.SMM_SWP are not locked, allowing the NVRAM to be corrupted (and leaving open possible attacks on the PRR).
  • TSEGMB is left unlocked, allowing DMA into SMRAM and code injection into SMM.
  • And there some other issues that we haven't fully tested.

Even with the patch applied, it is still possible for Thunderstrike 2 to write to Option ROMs and continue to spread to new machines, to persist in the S3 resume script until the next full reboot, to hide in System Management mode and evade detection from software scanning, and to "irrevocably" brick systems by corrupting NVRAM.

2015 Security Reverse engineering

Last update: November 8, 2020