Thunderstrike: EFI firmware bootkits for Apple Mac Books

Lecture / Panel
For NYU Community

Speaker: Trammell Hudson, Two Sigma Investments

In this presentation we demonstrate the installation of persistent
firmware modifications into the EFI boot ROM of Apple's popular
MacBooks. The bootkit can be easily installed by an evil-maid via the
externally accessible Thunderbolt ports and can survive reinstallation of
OSX as well as hard drive replacements. Once installed, it can prevent
software attempts to remove it and could spread virally across air-gaps
by infecting additional Thunderbolt devices.

Longer description:

It is possible to use a Thunderbolt Option ROM to circumvent
the cryptographic signature checks in Apple's EFI firmware update
routines. This allows an attacker with physical access to the machine to
write untrusted code to the SPI flash ROM on the motherboard and creates
a new class of firmware bootkits for the MacBook systems.

There are neither hardware nor software cryptographic checks at boot
time of firmware validity, so once the malicious code has been flashed
to the ROM, it controls the system from the very first instruction. It
could use SMM, virtualization and other techniques to hide from attempts
to detect it.

Our proof of concept bootkit also replaces Apple's public RSA key in the
ROM and prevents software attempts to replace it that are not signed by
the attacker's private key. Since the boot ROM is independent of the
operating system, reinstallation of OS X will not remove it. Nor does
it depend on anything stored on the disk, so replacing the harddrive
has no effect. A hardware in-system-programming device is the only way
to restore the stock firmware.

Additionally, other Thunderbolt devices' Option ROMs are writable from
code that runs during the early boot and the bootkit could write copies
of itself to new Thunderbolt devices. The devices remain functional,
which would allow a stealthy bootkit to spread across air-gap security
perimeters through shared Thunderbolt devices.

While the two year old Thunderbolt Option ROM vulnerability that this
attack uses can be closed with a few byte patch to the firmware, the
larger issue of Apple's EFI firmware security and secure booting without
trusted hardware is more difficult to fix.


Trammell Hudson works at Two Sigma Investments on security, networking and distributed computation projects.  Prior to coming to New York, he worked for many years at Sandia National Labs on message passing and operating systems for Top500 parallel supercomputers.  More info: