It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple’s EFI firmware update routines. Supply chain attack – every MacBook your company purchases could be compromised and you would never know it.This is the evil-maid attack described by Snare over two years ago, although this is not Thunderstrike: while an attacker can install a root kit to the drive, the Option ROM was loaded too late from the external device to be able to rewrite the ROM.” The attacker’s code can hook any EFI or OS functions and do things like bypass firmware passwords, log keystrokes, install kernel backdoors, etc. “The Option ROM attacks works like this: a Thunderbolt device that has been flashed with the exploit is plugged in and the system booted. This is not the “ Option ROM” attack, but Thunderbolt Option ROMs can help in flashing new firmware of the attacker’s choosing by circumventing flash security.This is not a DMA attack – it uses a PCIe Option ROM at boot time to launch the attack against the firmware update system.This does not provide security validation only verifies successful flashing of the ROM. There is no cryptographic check of the boot ROM (and no hardware TPM chip), only a software-based boot-time crc32.A hardware in-system-programming device is the only way to restore the stock firmware. ![]()
0 Comments
Leave a Reply. |