"Thunderstrike" is the name for an attack that can target Mac hardware via the Thunderbolt port. Apple had previously updated the Retina 5K iMac and 2014 Mac mini to partially secure them against Thunderstrike. Now, the upcoming OS X Yosemite 10.10.2 will fix the problem for all recent Macs running Yosemite.
Rick Mogull previously explained how Thunderstrike works on TidBITS:
Macs, like all computers, have firmware that swings into action when you push the power button, booting up the computer, loading the operating system, initializing hardware, and performing other functions. Some technologies, such as FireWire and Thunderbolt, interact with this firmware at an extremely low level, below Mac OS X itself, for feature and performance reasons.
The Thunderstrike proof-of-concept takes advantage of this trust to replace the contents of the Mac's boot ROM with the attacker's own code, effectively embedding it into the Mac's hardware and making it impossible to remove using standard techniques. The attack works because Apple relies on software checks to confirm the firmware is valid, and Hudson developed techniques to circumvent those checks (and even replace the encryption key).
To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again. According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that's exactly the deep, layered process that's been completed.
OS X 10.10.2, which was last seeded to developers earlier this week and will be made available to everyone as soon as it goes into wide release. OS X 10.10.2 also fixes three recently disclosed Project Zero vulnerabilities.
In the meantime, no instances of Thunderstrike have been found in wild, and the attack requires either physical access to the targeted computer, or social engineering sufficient to trick the owner into "attacking" themselves.
So, as with other recent Apple-related security stories, be informed but don't be alarmed. It's known, it's not likely to affect anyone reading this, and the fix is on its way.
Reader comments
'Thunderstrike' attack also fixed in OS X 10.10.2
“Be informed but don’t be alarmed.” Words to live by. Security researchers and anti-virus vendors are always crying wolf and that the sky is falling. It inflates their egos and their sales. While the threats are real the reality is that attacks in the wild are rare. A lot of these flaws are simply too complicated to be effective in the real world. Take the hand wringing over TouchID and some nerds lifting fingerprints and using expensive high resolution printers to bypass it. Really? The thug who steals my iPhone is going to do this and not just fence the thing asap before I remotely wipe it?
The problem with everything being scary is that it ultimately makes nothing scary.
If you see a tiger, stress-state system will flood you and you'll react. If you're chained up next to a tiger, your system will ultimately fail.
Inform me about security issues but include context so I know not only how bad it is, but how much risk I'm legitimately in, and if I happen to be at higher risk, how I can protect myself.
That should be the job.
LOL, when this was announced, my google+ news feed was filled with repost of the same report by all the haters and alarmist out there. I really don't think most of those posters read the article; they just read the sensationalist head line and decided to run with. After reading the article I just shrugged and carried on because the only way someone can attack my Macs this way, is to have physical access to them, and one, and I mean no one, touches my Macs but me; well perhaps with the exception of an Apple genius if I have to take one of them in for repairs.
Sent from the iMore App
Are any of the older versions of OSX getting these security fixes? It seems sad to abandon a product less than two years old and if true, would show how Apple feels towards security.
Good point.
Sent from the iMore App
What older Mac has Thunderbolt but can't run Yosemite?
Sent from the iMore App
Who knows? Is Apple still supporting 10.9 with security patches or not?
I'm guessing your question leads me to believe that no, Apple is not supporting a product less than two years old and users are left on their own. That sort of lack of concern is one reason why Apple will never get it when it comes to security and customers appear to lose again. Why this is not brought up by the Apple sites is beyond me.
Thunderbolt was introduced in 2011. Yosemite is compatible with Macs going back to 2009 or earlier.
Apple provided security patches for both 10.9 Mavericks and 10.8 Mountain Lion as recently as last month.
Next time, instead of bad assumptions, do a quick web search and come off looking like a champ! :)
You seem to be going out of your way of answering direct questions regarding OSX security.
Has 10.9 been patched for the Thunderstrike vulnerability?
Has 10.9 been patched for any of the vulnerabilities found by Google?
Please take note these questions are not: has 10.10 been patched by Apple or can users upgrade to 10.10.
Your refusal to answer the question is disappointing. The question is:
Is Apple still releasing security updates for an OS version less than 16 months old, or with this fix are they abandoning the (thousands? millions?) users who cannot or have not upgraded to Yosemite?
Surely that is an incredibly important question for a journalist to discover?
He answered your question, it's just not the answer you wanted. The security update *is* Yosemite. Apple is not preventing you from installing it. There may be plenty of users who have not upgraded, but there are no users who are running Mavericks who *can not* upgrade.
How is Thunder Strike different than plugging a USB boot loader (or whatever it's called) into my PC to flash firmware to the mobo, or install windows overtop my HDD with zero passwords. I know I can set a BIOS/EFI password, but to my knowledge this won't stop a fresh install of windows while whipping everything on my HDD.
Sent from the iMore App
There are all sorts of juice jacking and other types of similar tracks using USB and FireWire. They're fixed or secured against when found.
Only human action is almost impossible to secure against :)
Sent from the iMore App
I am convinced that I am one of the first victims of Thunderstruck on my iMac with two Thunderbolt ports. There is a perpetual 'virtual Thunderbolt bridge' in my Network connections which appeared yesterday, after a visit to my home from a telecom specialist. My machine is being mirrored remotely and even if I turn off wireless the virtual connection remains. Network stats show that my data is uploading, and there's nothing I can do about it. Anyone who wants to verify one of the first cases of Thunderstrike, please contact me. I'm taking the machine to Apple on Monday but am interested in input.
What type of Mac did this occur on? When you try to boot are you able to until you come to a black screen with a login which you have no control of? 24 hours ago on my new iMac 5K i hook up a thunderbolt to HDMI which is attached to my 2013 Samsung smart tv, and my tv is hooked up to my 3rd Gen Apple Tv as well as my airport express via ethernet cable, i can't pull up Recovery mode nor do much of anything besides restart via holding down the power button?
Can someone tell me if this is A. an hardware issue or B. Malware Attack and if so what to do so it won't spread throughout my network, i detached all usb,SD card, Lighting charger, also i t/urned off my 4tb segate central NAS