Tuesday, January 20, 2015

Apple Laptops Vulnerable To Virus That 'Can't Be Removed'

Thunderstrike – Malicious Code in Boot ROM

A security researcher has discovered a way to install malicious code on a small chip built into Apple laptops. The code would resist any attempt at removal; even replacing the entire hard disk would not delete it.

The attack, named 'Thunderstrike', installs the malicious code in the system's boot ROM through the Thunderbolt port. Thunderstrike is undetectable by current tools: it requires an attacker to have access to the machine for only a few moments, and because it is new, no security software is on the lookout for it. Trammell Hudson, who works for the New York hedge fund Two Sigma Investments, made the discovery after his employer asked him to look into the security of Apple laptops.

In a comment in an annotated version of a talk he gave at the 31C3 conference, he explained that his employer was considering deploying MacBooks and asked him to use his reverse-engineering experience to look into reports of rootkits on the Mac. His first step was to dismantle one of the laptops to gain access to the boot ROM, a small chip containing the code that runs when the computer is switched on, before the main operating system is loaded.

Bootkit – Difficult to Delete

Malicious code could be hidden in this ROM. Unlike an ordinary virus, which resides on the hard disk, code planted here cannot be deleted by the usual means; such code is known as a bootkit. It could be used to do anything an attacker desires, from covertly monitoring the user to leaking sensitive data held on the machine.

Researchers had earlier observed that modifying the contents of the ROM in Apple laptops renders the computer completely unusable, and that as a security measure the system should look for any changes and shut down if it finds any. Hudson's view is that such checks are 'doomed to fail' or 'futile', since anyone who can alter the contents of the ROM can also alter the code that checks the ROM for changes.

Instead, he argues, an unchangeable hardware chip should perform these checks. He also found that the attack does not require physically taking the machine apart to reach the chip: it can be carried out through the Thunderbolt port, and in theory any Thunderbolt device, such as a monitor, printer or hard disk, could be used to install malicious code simply by plugging it in.
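The argument above, that a self-check stored in the same writable ROM it is meant to protect can be rewritten along with the malicious code, while a reference held in unchangeable hardware cannot, can be shown with a small simulation. This is an added illustration in Python, not code from Hudson's research or from Apple; the ROM layout, the SHA-256 "golden digest", and the rewrite step are all constructed assumptions for the model, and no real firmware or flashing routine is involved.

```python
import hashlib
from dataclasses import dataclass


# Constructed model of a boot ROM image: a mutable code region plus the
# digest the ROM expects to see for its own code. Both live in the same
# writable flash, which is the crux of the page's argument: whoever can
# rewrite one can rewrite the other.
@dataclass
class BootRom:
    code: bytes
    expected_digest: bytes  # stored inside the ROM itself


def digest(data: bytes) -> bytes:
    """SHA-256 is an assumption for the model; any strong hash would do."""
    return hashlib.sha256(data).digest()


def make_rom(code: bytes) -> BootRom:
    """Build a freshly manufactured ROM whose self-check record matches its code."""
    return BootRom(code=code, expected_digest=digest(code))


def self_check(rom: BootRom) -> bool:
    """Integrity check performed by code living in the ROM: compares the
    live code against the digest the ROM carries about itself."""
    return digest(rom.code) == rom.expected_digest


def hardware_check(rom: BootRom, golden_digest: bytes) -> bool:
    """Integrity check anchored in an immutable reference, standing in for
    the unchangeable hardware chip the page describes. The golden digest is
    held outside the writable flash, so rewriting the ROM cannot touch it."""
    return digest(rom.code) == golden_digest


def simulate_rom_rewrite(rom: BootRom, new_code: bytes) -> BootRom:
    """Models the page's scenario on constructed bytes: a party with write
    access to the flash replaces the code AND updates the self-check record
    to match, so the in-ROM check keeps passing."""
    return BootRom(code=new_code, expected_digest=digest(new_code))


def evaluate(original_code: bytes, modified_code: bytes) -> dict:
    """Return (self_check, hardware_check) results before and after a rewrite."""
    golden = digest(original_code)  # burned into the immutable chip at manufacture
    rom = make_rom(original_code)
    before = (self_check(rom), hardware_check(rom, golden))
    rewritten = simulate_rom_rewrite(rom, modified_code)
    after = (self_check(rewritten), hardware_check(rewritten, golden))
    return {"before": before, "after": after}


if __name__ == "__main__":
    # Constructed sample "firmware"; real boot ROM contents are not modelled.
    results = evaluate(b"GENUINE-BOOT-ROM-v1", b"GENUINE-BOOT-ROM-v1+EXTRA")
    for phase, (self_ok, hw_ok) in results.items():
        print(f"{phase}: self-check={self_ok} hardware-check={hw_ok}")
```

Running the script shows the in-ROM self-check passing both before and after the rewrite, because the record it compares against was rewritten too; only the check anchored outside the writable flash reports the change. The same model also shows what an immutable reference buys a defender: a dump of the flash compared against a golden digest kept off the device detects modification regardless of what the on-chip checker says.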

Partial Fix by Apple

Hudson said that Apple is planning a 'partial fix': a firmware update that would stop the ROM from being overwritten with malicious code in certain situations, though not all, such as when a machine is rebooted with a malicious Thunderbolt device plugged in. He had first approached the company about the flaw in 2013.

His suggestion for preventing the attack is for users to overwrite the ROM with their own code, which would disable remote attacks through the Thunderbolt port, and then paint over the laptop's screws with nail varnish so that any unauthorised physical access to the ROM can be detected. This measure is, however, time consuming and out of reach of all but the most advanced security experts.
