back to article OS X remote malware strikes Thunderbolt, hops hard drive swaps

Researchers Trammel Hudson and Xeno Kovah have built a self-replicating Apple firmware malware that can infect peripherals to spread to new computers. The ThunderStrike 2 malware is the second iteration of the attack forged earlier this year and liberates the requirement for attackers to have physical access to machines. …

  1. P. Lee

    Doh!

    This is why boot ROMs should be tiny and actually ROM, not flash.

    Boot up... "Would you like to continue booting from hard-disk, USB, serial, or network?"

    1. Andrew Tyler 1

      Re: Doh!

      I'd be pretty happy with a simple switch that forcibly de-asserts the write enable line or whatever. Presumably there are even more clever ways to go about it, but firmware is written to so rarely that making the user take some action is not unreasonable. It could even be one of those tiny ones you operate with a paperclip. Probably there are more complications to it than I am imagining.

      1. Christian Berger

        Re: Doh!

        "Probably there are more complications to it than I am imagining."

        If there are, it's the fault of the software designer designing that "BIOS". A "BIOS" should be simple enough you should virtually never experience any software bugs, and therefore never have any need to update your firmware.

        Unfortunately UEFI is just a huge mess, providing the same use as OpenFirmware with _way_ more code.

        1. jake Silver badge

          Re: Doh!

          "If there are, it's the fault of the software designer designing that "BIOS""

          I think you mispleled "the fault of the project manager, ruled by marketing, defining the specification that the poor kids attempting to write code need to follow".

          Remember, kiddies: This is all in the name of "ease of use". Marketing has spoken.

          1. Charles 9 Silver badge

            Re: Doh!

            And remember, marketing is beholden to the clients, who demand ease of use before security. After all, who wants to go through three different dead bolts just to get into their house? And ease of use quickly eats into security, putting you at odds when both get demanded at once.

      2. Fatman

        Re: Doh!

        <quote>Presumably there are even more clever ways to go about it, but firmware is written to so rarely that making the user take some action is not unreasonable.</quote>

        Simple, just insert in the write enable line a single DIP jumper plug that must be in place to enable writes to the flash chip.

        <sarcasm> (Wait, that can't be done as profit margins are too small.) </sarcasm>

        I bet some of the yoof are wondering to themselves: "What the fuck is he talking about???"

        1. Charles 9 Silver badge

          Re: Doh!

          But that will either require users to open the machine (a general no-no for anyone not electronically-inclined) or take it to a Genius Bar that may or may not cost and may or may not be available. And if you try to wire it to the outside, social engineering will exploit it.

    2. Charles 9 Silver badge

      Re: Doh!

      "This is why boot ROMs should be tiny and actually ROM, not flash."

      And what happens when an actual ROM has an exploit in it? Good luck trying to fix it...

      1. P. Lee

        Re: Doh!

        >And what happens when an actual ROM has an exploit in it? Good luck trying to fix it...

        That's why you keep it small and using well-tested tech with very limited functionality. (You could put it on a SD card in a slot which can't be written to by the general OS.)

        If you need to update things, you write the software to an external device, move a slider switch (or hold a pin in a "reset" hole) to "config mode" and reboot. The rom then looks at the external device loads all local device drivers and updates the flash (now enabled by the slider switch).

        It wouldn't be fool-proof, but it would prevent firmware malware from being downloaded an installed on the sly.

        1. Charles 9 Silver badge

          Re: Doh!

          "It wouldn't be fool-proof, but it would prevent firmware malware from being downloaded an installed on the sly."

          But then you get caught between a rock and a hard place. If the firmware can't be rewritten, odds are an undetectable bug (that require perhaps a rare but distinct liminality condition) will come along that gets exploited. And if it CAN be updated, odds are social engineering and a famous Douglas Adams quote will undermine any safeguards you try to put on it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021