Full details published of the "Thunderstrike Rootkit" technique, which uses Thunderbolt to rewrite a Mac's EFI.


Security researcher Trammell Hudson has published the full details of the "Thunderstrike Rootkit," which rewrites a Mac's firmware (EFI) over Thunderbolt. Details follow below.


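The Thunderstrike work that Hudson presented at the conference of the Chaos Computer Club (hereafter CCC), a German hacker group, shows that "an EFI rewritten from a ROM attached via Thunderbolt by exploiting a Mac EFI vulnerability is not removed even by reinstalling OS X, and makes it possible to control the Mac's hardware, among other things":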

In this presentation we demonstrate the installation of persistent firmware modifications into the EFI boot ROM of Apple’s popular MacBooks. The bootkit can be easily installed by an evil-maid via the externally accessible Thunderbolt ports and can survive reinstallation of OSX as well as hard drive replacements. Once installed, it can prevent software attempts to remove it and could spread virally across air-gaps by infecting additional Thunderbolt devices.

[Thunderstrike – Trammell Hudson’s Projects]

According to Hudson, this vulnerability is possible because a Thunderbolt Option ROM bypasses the cryptographic signature checks inside Apple's EFI update routine.


It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple’s EFI firmware update routines. This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems.

[Thunderstrike – Trammell Hudson’s Projects]



Once installed, the firmware cannot be removed since it replaces Apple’s public RSA key, which means that further firmware updates will be denied unless signed by the attacker’s private key. The hacked firmware can also replicate by copying itself to option ROMs in other Thunderbolt devices connected to the compromised Mac during a restart. Those devices remain functional, making it impossible to know that they have been modified.

[Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable – 9to5Mac]

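Fortunately, the vulnerability has already been fixed in the new Mac mini Late 2014 and iMac with Retina 5K display, and Hudson comments that it should also be fixed for other Macs in an update that Apple is expected to release at a later date.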


Apple has already implemented an intended fix in the latest Mac mini and iMac with Retina display, which Hudson says will soon be available for other Macs, but appears at this stage to provide only partial protection…
[Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable – 9to5Mac]






