Last Friday I wrote an article on the Thunderstrike proof of concept attack against Macs. I won’t spend any more time analyzing it but I think it’s valuable as an example of risk assessment.

The short version is… it’s a creative attack that, if you have physical access to a Mac, could allow you to completely compromise it by merely connecting external hardware and triggering a reboot. The attack is against the firmware, and even removing the Mac’s hard drive leaves it infected.

The Thunderstrike proof-of-concept takes advantage of this trust to replace the contents of the Mac’s boot ROM with the attacker’s own code, effectively embedding it into the Mac’s hardware and making it impossible to remove using standard techniques. The attack works because Apple relies on software checks to confirm the firmware is valid, and Hudson developed techniques to circumvent those checks (and even replace the encryption key).

Apple is taking this seriously; it is already fixed on new hardware (Retina iMacs and new Mac Minis), and a further fix for older hardware is coming soon according to my sources (sooner than you probably think). But that is only a partial fix because an attacker can still downgrade the firmware and then execute the attack, although that doubles the time requirement.

In my article I made clear that very few people need to worry about this now:

While all Macs are technically vulnerable to the Thunderstrike attack, few TidBITS readers face any immediate risk. The attack is highly targeted – someone needs both physical access to your Mac and time to reboot it and reinstall the firmware. On top of that, it isn’t like everyone is walking around with maliciously modified Thunderbolt dongles.

So why write it up? Why talk about an attack that has to be designed for the specific hardware version you are using, requires physical control of your device, and can’t realistically spread on any wide basis?

Because I’m at risk, as are many readers here at Securosis.

For the TidBITS crowd I mostly wanted to assuage concerns and compensate for the usual spate of over-hyped stories. For Securosis? Some of you need to worry. I have direct reports of executives and security pros being compromised when their hardware leaves their control; typically when traveling internationally, usually to one of a few countries. (Make that mostly one country).

BTW, I don’t have any reports of these attacks on Macs, and I am very interested if you have a confirmed report, even if you can’t provide details.

Starting in about 2008 I started paying a lot more attention to physical control over my computers and mobile devices under certain circumstances (I am not counting hacker conferences – I have always kept hard control at those). The reports coming in from clients indicated that customs and hotel rooms were not safe places to lose physical control. I even stopped traveling to China with devices I was worried about, which did inhibit my ability to get work done while there.

Thunderstrike itself isn’t a big deal. It’s super interesting, but damn low on the risk list.


As a proof of concept it is incredibly educational, and some of you, especially readers of this site, need to pay attention to these kinds of attacks (for yourselves or your organizations). That’s why I like this story as a good example of understanding risk. For one publication, TidBITS, I wrote it up to debunk fear. For another, here, I am writing it up as a warning of real risk, if you fall into the right bucket. [Ed: The presentation is also remarkably readable – much easier to understand than I expected for something this complicated. –cp]