Posted on 08-04-2015 01:45 PM
Does Thunderstrike 2 require root privileges to start the process off?
The first words from this video say it does. He says it starts as "a local root privilege exploit".
https://www.youtube.com/watch?v=Jsdqom01XzY
Other info I find makes no mention one way or the other, possibly in the name of hype and sensationalism? Omitting this key info stirs the skeptic in me.
If it does require root, would standard user accounts for issued Macs stave off the local root privilege part of the exploit?
Posted on 08-04-2015 03:02 PM
If I understand it correctly, if you have an infected external device, e.g. Thunderbolt Adaptor, then there is nothing you can do to prevent this, beyond never connecting an external device, as this can infect the Mac's boot flash from wake/boot. Even a firmware password wouldn't provide any protection.
It does appear that an initial infection would require root permissions, but as there are already known, simple root escalation flaws in the OS, this part wouldn't be hard to bypass.
Posted on 08-04-2015 04:34 PM
Yeah, that's the impression I have too, but the info out there just isn't as detailed as I would expect, so I have doubts. The way it's being reported just doesn't sit well with me.
Maybe I'm being conspiratorial and silly. :-)
Posted on 08-04-2015 05:29 PM
There seems to be mixed information out there about it. There was a TidBITS article I saw today that seemed to give different information, but is that accurate?
Posted on 08-05-2015 08:34 AM
@rcorbin
That seems to be a very level-headed article. Hopefully as Rich Mogull says we do learn more about this during Red Hat.
If I'm understanding this correctly, there are two independent methods of spreading these attacks. My thinking is that the software-to-hardware part of the attack seems like it would be the difficult one to execute & spread, while the hardware-to-hardware one would be the most infectious and easy to pull off. I guess I don't see the point in them bothering with the software flavor, except for perhaps determined, targeted cases of espionage or sabotage.