Proof-of-concept firmware worm targets Apple computers
A team of researchers has created the first firmware worm able to infect Macs, Wired reports. Apple products have a reputation for being more secure than PCs, but Kovah said that is not true; he told Wired, “It turns out nearly all of the attacks we found on PCs are also applicable to Macs”. Kovah added: “If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”

Like its predecessor Thunderstrike, Thunderstrike 2 targets Mac firmware and is extremely hard to detect from within the operating system. Removing malware embedded in a Mac’s firmware would need to be done at the hardware level (reflashing the chip directly rather than through the operating system), which makes it particularly risky.

“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware”, Kovah notes. Apple has patched some of the issues, but others remain, and the two sides are still working on a resolution. Other attacks, such as the so-called Rootpipe backdoor or the dylib hijacking attacks developed by researcher Patrick Wardle, could also serve as the initial foothold for exploiting these firmware vulnerabilities, the researchers said. Kovah and Hudson are planning to present their research at a security conference in Las Vegas later this week.

Because Thunderstrike 2 is designed to spread by infecting the option ROM on peripheral devices, it can reach machines that a purely network-based attack cannot, including air-gapped ones.
The initial infection arrives either through a phishing e-mail or through a device that connects to the computer, such as an Ethernet adapter.
When another machine is booted with the worm-infected device attached, that machine’s firmware loads the option ROM from the device and executes it, before the operating system has started. The worm’s code in the option ROM then writes itself into the boot flash of the host, so nothing running in the operating system ever sees the infection take place.
If you are running a uranium centrifuge plant, you definitely do not want any type of worm in your computer systems, especially one that can spread without being detected and do its damage unchecked.
One way to infect machines at random would be to sell infected Ethernet adapters on eBay, or to infect them in the factory, a classic supply-chain attack.
Apple does not follow Intel’s recommended best practices for protecting firmware, such as write-protecting the boot flash once the machine has booted.
A newer version of EFI, the researchers said, requires option ROMs on peripherals to be signed and verified before they are allowed to run, which cuts off that attack vector; the protection only helps, however, on machines whose firmware actually enforces it.
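The propagation step described earlier (the host firmware executing whatever option ROM it finds on a peripheral) and the mitigation the researchers mention (requiring option ROMs to be signed) are both easier to reason about with the ROM’s actual layout in hand. The script below is an added example, not code from the researchers, from Wired, or from Apple. It parses a PCI option ROM image chain, such as one dumped from a Thunderbolt Ethernet adapter, reports each image’s code type, and, for EFI driver images, reports whether the embedded PE carries a Certificate Table entry, which is where an Authenticode signature would live. Offsets follow the PCI Firmware Specification (ROM header and PCIR structure) and the UEFI specification’s EFI PCI expansion ROM header. The sample ROM is constructed inline; its vendor and device IDs are chosen to look like a Broadcom NIC and are not a dump of real hardware, and the helpers `_pcir`, `_fake_pe`, `_legacy_image` and `_efi_image` exist only to build that sample.

```python
"""Walk a PCI option ROM image chain and report what it contains.

Offsets follow the PCI Firmware Specification 3.0 (ROM header and PCIR
structure) and the UEFI Specification's EFI PCI expansion ROM header.
The sample ROM at the bottom is constructed here; it is not a dump of
real hardware."""
import struct

ROM_SIGNATURE = 0xAA55        # bytes 55 AA at offset 0 of every image
PCIR_SIGNATURE = b"PCIR"
EFI_ROM_SIGNATURE = 0x0EF1    # 32-bit field at offset 4 of an EFI image

CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_SUBSYSTEMS = {0x0A: "EFI application", 0x0B: "EFI boot service driver",
                  0x0C: "EFI runtime driver"}


def pe_has_certificate_table(image):
    """True if the PE starting at image[0] has a non-empty Certificate Table
    (data directory 4), i.e. an Authenticode signature is attached.
    This only notes that a signature exists; it does not validate it."""
    if image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                        # skip COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    rva, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    return rva != 0 and size != 0


def parse_option_rom(blob):
    """Return one dict per image, following the PCIR 'last image' bit, and
    flag EFI images whose driver carries no signature entry."""
    images, offset = [], 0
    while True:
        if offset + 0x1A > len(blob):
            raise ValueError(f"ROM truncated at offset {offset:#x}")
        if struct.unpack_from("<H", blob, offset)[0] != ROM_SIGNATURE:
            raise ValueError(f"no 55AA signature at offset {offset:#x}")
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]
        if blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"no PCIR structure for image at {offset:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        length = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)
        info = {"offset": offset, "vendor_id": vendor, "device_id": device,
                "length": length,
                "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})")}
        if code_type == 3 and struct.unpack_from("<I", blob, offset + 4)[0] == EFI_ROM_SIGNATURE:
            subsystem, machine, compression = struct.unpack_from("<HHH", blob, offset + 8)
            pe_off = struct.unpack_from("<H", blob, offset + 0x16)[0]
            info["subsystem"] = EFI_SUBSYSTEMS.get(subsystem, f"unknown({subsystem:#x})")
            info["machine"] = machine
            if compression:        # EFI-compressed payload: decompress before checking
                info["signed"] = None
            else:
                info["signed"] = pe_has_certificate_table(blob[offset + pe_off:offset + length])
        images.append(info)
        if last or length == 0:
            return images
        offset += length


# --- constructed sample ROM (not a real adapter dump) ---------------------

def _pcir(vendor, device, units, code_type, last):
    return PCIR_SIGNATURE + struct.pack("<HHHHB3sHHBBHHH", vendor, device, 0, 0x1C, 3,
                                        b"\x00\x00\x02", units, 0, code_type,
                                        0x80 if last else 0, 0, 0, 0)


def _fake_pe(signed):
    """Minimal PE32+ header; with signed=True the Certificate Table entry is set."""
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                 # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x84, 0x8664)               # COFF Machine = x64
    opt = 0x84 + 20
    struct.pack_into("<H", pe, opt, 0x20B)                 # PE32+ magic
    if signed:
        struct.pack_into("<II", pe, opt + 112 + 4 * 8, 0x180, 0x40)
    return bytes(pe)


def _legacy_image(vendor, device):
    img = bytearray(512)
    struct.pack_into("<HB", img, 0, ROM_SIGNATURE, 1)      # 55 AA, 1 x 512 bytes
    struct.pack_into("<H", img, 0x18, 0x40)                # PCIR lives at 0x40
    img[0x40:0x5C] = _pcir(vendor, device, 1, 0, last=False)
    return bytes(img)


def _efi_image(vendor, device, signed, compression=0):
    pe, pe_off = _fake_pe(signed), 0x60
    units = (pe_off + len(pe) + 511) // 512
    img = bytearray(units * 512)
    struct.pack_into("<HHIHHH", img, 0, ROM_SIGNATURE, units, EFI_ROM_SIGNATURE,
                     0x0B, 0x8664, compression)            # boot service driver, x64
    struct.pack_into("<HH", img, 0x16, pe_off, 0x40)       # PE offset, PCIR pointer
    img[0x40:0x5C] = _pcir(vendor, device, units, 3, last=True)
    img[pe_off:pe_off + len(pe)] = pe
    return bytes(img)


# Vendor/device IDs chosen to resemble a Broadcom NIC; the bytes are synthetic.
SAMPLE_ROM = _legacy_image(0x14E4, 0x1682) + _efi_image(0x14E4, 0x1682, signed=False)

if __name__ == "__main__":
    for info in parse_option_rom(SAMPLE_ROM):
        print(info)
```

Run against a real dump (on Linux a device’s ROM can be read from its sysfs `rom` attribute after writing `1` to that attribute to enable it), the EFI image is the one the host firmware executes at boot, and a `signed` value of `False` means there is not even a signature to verify. Note the limits of the check: a present signature is not a valid one, a compressed image has to be decompressed before the PE can be inspected, and a firmware that does not enforce option ROM signatures will run the driver regardless, which is precisely the gap the article describes.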
Apple was notified about the flaws, although, unsurprisingly, the vulnerabilities are not discussed in Apple’s own description of the Mac’s Thunderbolt interface and Thunderbolt peripherals. For one of the flaws, Apple chose not to implement the protection that would stop an attacker from rewriting the boot firmware.
The researchers said a Thunderstrike 2 attack would be a second-stage attack, carried out once an attacker already has code running on the machine, via a Flash or Java exploit, for example.
All that said, the really scary thing isn’t imagining how your computer might fall victim to a vicious undetectable worm called Thunderstrike.