Researchers find Mac computers vulnerable to same remote firmware exploits as PCs
The malware is among the most dangerous kinds because it gives the attacker total control of the Mac.
The research comes from Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments.
I assume Apple security engineers have already booked flights to Vegas.
“Oh don’t worry”, your uncle said when you were shopping for a new computer.
One of the vulnerabilities, referred to as “Darth Venamis”, has been known since September 2014, but it has only been partly patched on Apple Macs, so it still gives attackers a way to hook into the firmware. Other attacks, including the so-called Rootpipe backdoor and the dylib hijacking attacks developed by researcher Patrick Wardle, can also serve as the vehicle for delivering these firmware exploits, the researchers said. Darth Venamis abuses the boot scripts the firmware runs when a machine wakes from sleep; these scripts reconfigure pieces of the hardware that may have changed while the machine was in a low-power state.
When another machine is booted with a worm-infected device inserted, the machine's firmware loads the option ROM from the infected device, which triggers the worm to write its malicious code into the boot flash firmware of that machine. The firmware lives in a flash chip on the logic board rather than on the hard drive, so the computer always has the instructions it needs to start up even without an operating system; by the same token, wiping the disk or reinstalling the OS does not erase it.
Boot ROM firmware: What is this?
Thunderstrike 2 targets the option ROM on Thunderbolt peripherals such as Ethernet adapters and SSDs, and spreads when an infected device is connected to a Mac.
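To make that target concrete, here is an added example (my own code, not the researchers') that walks a PCI expansion ROM the way boot firmware does: it follows the 55AA signature and the "PCIR" data structure from image to image, verifies the 8-bit checksum on legacy BIOS images, and reports which images are EFI drivers, i.e. code a Mac's boot firmware would load and execute before any operating system. The field layout follows the PCI Firmware Specification 3.0 and the UEFI EFI option ROM header; the ROM bytes, vendor/device IDs and the `_build_image` helper are constructed here for the demonstration and do not come from any real device.

```python
"""Walk a PCI expansion ROM and describe each image it carries.

Added example, not the researchers' code. Layout follows the PCI Firmware
Specification 3.0 (ROM header + "PCIR" data structure) and the UEFI
EFI_PCI_EXPANSION_ROM_HEADER. SAMPLE_ROM below is constructed in this file.
"""
import struct
from typing import Dict, List

ROM_SIGNATURE = 0xAA55          # bytes 55 AA at offset 0 of every image
EFI_SIGNATURE = 0x0EF1
PCIR_FMT = "<HHHHBBBBHHBB"      # fields that follow the 4-byte "PCIR" tag
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_SUBSYSTEMS = {0x0A: "EFI application", 0x0B: "EFI boot service driver",
                  0x0C: "EFI runtime driver"}


def parse_option_rom(rom: bytes) -> List[Dict]:
    """Return one dict per image, in the order the boot firmware walks them."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if struct.unpack_from("<H", rom, off)[0] != ROM_SIGNATURE:
            raise ValueError(f"no 55AA signature at 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"PCIR structure missing at 0x{pcir:x}")
        (vendor, device, _devlist, _pcir_len, _pcir_rev, prog_if, subclass,
         base_class, len_512, _rev, code_type, indicator) = struct.unpack_from(PCIR_FMT, rom, pcir + 4)
        image = rom[off:off + len_512 * 512]
        if len(image) != len_512 * 512:
            raise ValueError(f"image at 0x{off:x} claims {len_512 * 512} bytes, ROM too short")
        info = {
            "offset": off, "length": len(image),
            "vendor_id": vendor, "device_id": device,
            "class_code": (base_class << 16) | (subclass << 8) | prog_if,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "last": bool(indicator & 0x80),            # bit 7: no more images follow
        }
        if code_type == 0:
            # Legacy BIOS images must sum to zero mod 256 or the firmware skips them.
            info["init_size"] = image[2] * 512
            info["checksum_ok"] = sum(image) % 256 == 0
        elif code_type == 3:
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", image, 4)
            info["efi_signature_ok"] = efi_sig == EFI_SIGNATURE
            info["subsystem"] = EFI_SUBSYSTEMS.get(subsystem, f"unknown({subsystem:#x})")
            info["machine_type"] = machine             # 0x8664 = x64, 0x014C = IA-32
            info["compressed"] = compression == 1      # 1 = UEFI compression
            info["pe_offset"] = struct.unpack_from("<H", image, 0x16)[0]
        images.append(info)
        if info["last"]:
            break
        off += len(image)
    if not images or not images[-1]["last"]:
        raise ValueError("ROM ended without an image carrying the last-image bit")
    return images


def efi_driver_images(rom: bytes) -> List[Dict]:
    """Images the EFI boot firmware would load and run before any OS starts,
    i.e. the code path a Thunderstrike-style peripheral rides in on."""
    return [i for i in parse_option_rom(rom) if i["code_type"] == "EFI"]


def _build_image(code_type: int, length: int, last: bool, subsystem: int = 0) -> bytes:
    """Constructed demo image (hypothetical IDs, not a real device ROM)."""
    img = bytearray(length)
    pcir_off = 0x40
    struct.pack_into("<H", img, 0, ROM_SIGNATURE)
    struct.pack_into("<H", img, 0x18, pcir_off)
    if code_type == 0:
        img[2] = length // 512            # init size in 512-byte units
        img[3] = 0xCB                     # RETF: an entry point that returns at once
    else:
        struct.pack_into("<HIHHH", img, 2, length // 512, EFI_SIGNATURE, subsystem, 0x8664, 0)
        struct.pack_into("<H", img, 0x16, 0x80)    # where the PE/COFF driver would begin
    img[pcir_off:pcir_off + 4] = b"PCIR"
    struct.pack_into(PCIR_FMT, img, pcir_off + 4,
                     0x8086, 0x1234, 0, 0x18, 0,
                     0x00, 0x00, 0x02,    # class 0x020000: Ethernet controller
                     length // 512, 0x0100, code_type, 0x80 if last else 0)
    if code_type == 0:
        img[-1] = (-sum(img[:-1])) & 0xFF     # fix up the 8-bit checksum
    return bytes(img)


# Constructed sample: a legacy BIOS image followed by an EFI boot-service
# driver, the combination a dual-mode Thunderbolt Ethernet adapter might ship.
SAMPLE_ROM = _build_image(0, 512, last=False) + _build_image(3, 1024, last=True, subsystem=0x0B)

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(img)
    print("EFI images at:", [hex(i["offset"]) for i in efi_driver_images(SAMPLE_ROM)])
```

On a Linux host with the suspect device attached, the same bytes can be read through sysfs (write `1` to the device's `rom` attribute under `/sys/bus/pci/devices/`, then read `rom`) and fed to `parse_option_rom`. Two caveats: many legitimate devices (GPUs, NICs) ship EFI images, so an EFI driver in the ROM marks the code the firmware will execute, not proof of infection; and a dump taken on a machine whose own boot flash is already compromised can be lied to, which is why the researchers point at reprogramming the chip externally.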
Last year the researchers found that the exploits affected PCs from vendors such as Dell, HP and Lenovo; five of the six are potentially applicable to Macs as well, because Apple relies on the same reference implementations. “This includes the keys for updating the firmware”.
Firmware attacks are exceptionally hard to pull off, requiring both expertise and financial resources.
In the video below, Hudson shows how an attack can jump from option ROMs to the BIOS and back to the option ROMs, primed to infect another Mac. “Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip” to remove the malware.
Apple had not responded to a request for comment at the time of publication. Building on the “Thunderstrike” exploits uncovered earlier this year, the worm, dubbed “Thunderstrike 2”, infects Macs at the firmware level, making it almost impossible to remove. “People are unaware that these small cheap devices can actually infect their firmware”, says Kovah. Indeed, all of the components that make up Thunderstrike 2 are built on previously disclosed vulnerabilities. Both of these can protect a PC from Thunderstrike 2.