Macs can be permanently compromised via firmware worm

“Security researchers Xeno Kovah and Trammell Hudson have discovered several flaws in the firmware installed on Apple computers, and have created a worm that can silently infect them and change the firmware in question to achieve persistence in the system.

Dubbed Thunderstrike 2 because it’s an improved variant of the Thunderstrike attack demonstrated by Hudson in January, the worm can be easily delivered via a phishing email or a malicious website, and spread to other computers.

“That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected,” Kim Zetter explained.

This is a type of malware that can’t be easily detected, as AV software and other security solutions don’t have the ability to check a system’s firmware. Firmware updates also can’t solve the problem, as they can either be blocked by the malware or the malware can rewrite itself on the firmware again after the update.

Reinstalling the OS or replacing the computer’s hard drive won’t work either – the only solution is to re-flash the chip that contains the malware.

Unfortunately, this is not something that many users known how to do.

For most users thats really a throw-your-machine-away kind of situation,” Kovak pointed out. “Most people and organizations dont have the wherewithal to physically open up their machine and electrically reprogram the chip.

Kovah and Hudson are set to demonstrate the attack and the effectiveness of the malware at the Black Hat USA 2015 conference. Here is a short video of that:

Apple has been informed of the firmware vulnerabilities the researchers found, and has patched two of them. Three of them are still unpatched.




Share this