And of course, any other possible attack that involves convincing the target to plug a modified Thunderbolt device into their MacBook. I know that Thunderstrike works on MacBooks with firmware passwords as of early 2015, but I'm not sure if Apple has updated it since then.

Btw, is there a way to disable Thunderbolt and just use the Thunderbolt ports as Mini DisplayPorts? This is on a MacBook Pro Retina 13" with Broadwell.
Related: https://security.stackexchange.com/questions/121651/is-thunderbolt-still-insecure . – sampablokuper Aug 17 '18 at 12:04
2 Answers
No, a firmware password wouldn't prevent Thunderstrike.
The idea behind any kind of DMA attack is that a physical device can read (or possibly write) sensitive memory without the user noticing. This can also be used to bypass a lockscreen if the laptop is left unattended, though the usual attack scenario is that the user's Thunderbolt peripheral is replaced with a malicious version which performs the DMA attack and provides remote access or exfiltration, without them realising that it's happening.
As part of this scenario, the laptop would need to be attacked while switched on and in use. Otherwise there's nothing interesting in memory to steal.
As for disabling Thunderbolt, I took a quick look at some leaked circuit schematics for Apple MBPs (I can't link or embed them here for obvious reasons) and it looks like the mini-DP's data lines go directly(*) to the buses necessary to perform DMA. As such, it looks like they're directly integrated into hardware and, even if you did switch off the Thunderbolt functionality at the software level, an attached device can always talk to the memory directly.
Unless I'm missing something critical, unfortunately it looks like your only option is to physically disable the offending ports with epoxy, or switch to using a device which doesn't expose such sensitive functionality to peripheral IO.
(*) Technically they pass through some filtering and buffers, but these are irrelevant. I also only checked the schematic for one specific make and model of MBP, so others may have ways to cut off the Thunderbolt functionality via the SMC.
As a follow-up to Polynomial's answer, it is perhaps worth mentioning that Mac firmware passwords are traditionally not hugely secure. They can be bypassed either by:
intercepting the signals between the logic board and its SOP-8 or SOIC-8 ROM chip (e.g. with a Matt Card); or
physically replacing that chip with one containing customised firmware (i.e. by desoldering/resoldering); or
overwriting the contents of that chip with customised firmware (e.g. via a SOP-8/SOIC-8 clip).
Devices are also available for brute-forcing Mac firmware passwords. Brute forcing could, additionally, perhaps be done by reading ("dumping") the firmware from the ROM for brute-forcing elsewhere later on.
As such, if the Mac is ever left unattended long enough that an attacker would have time to open it, dump/overwrite the firmware, and close it, then its firmware password should be considered to have possibly been compromised or replaced.
The iMac Pro (Late 2017 - present) and the Touch Bar MacBook Pro (Mid 2018 - present) have a T2 processor instead of a traditional SOP-8 or SOIC-8 ROM chip, thwarting (at least for the time being, and perhaps forever) this class of attack.